Security researchers monitoring darknet-adjacent forums and Telegram channels identified a coordinated phishing campaign in January 2025 that specifically targeted users searching for the Nexus URL. The operation was notable for its sophistication, using compromised accounts of trusted community members to distribute URLs that appeared to originate from legitimate sources.
The fake Nexus Link addresses were designed to look visually similar to the genuine ones — differing by only one or two characters in the 56-character v3 onion address. The phishing sites themselves were pixel-perfect replicas of the real Nexus Marketplace interface, complete with functional CAPTCHA and login pages that collected credentials before displaying an 'incorrect password' error.
More dangerously, the sites generated modified XMR and BTC deposit addresses — identical in format to legitimate addresses but controlled by the attackers. Any cryptocurrency deposited to these addresses was irrecoverable.
The best defense remains PGP verification. The Nexus Marketplace team signs all official URL announcements with their PGP key. No legitimate Nexus URL should be trusted without this verification. See our complete Phishing Warning guide and verified entry page for protected access.