Skip to content
Online · April 2026
Verified · PGP-authenticated · Updated April 23, 2026

WeTheNorth onion links
both mirrors

Both verified wethenorth market .onion addresses for April 2026. Copy a link, paste into Tor Browser. Do not type it manually — one wrong character leads to a phishing clone that looks identical to the real interface.

2 verified mirrors PGP-authenticated Last checked April 23, 2026 96.4% uptime, 12-month rolling

Copy a verified address

Both mirrors provide identical access. Pick either one — if the first feels slow or returns an error, the second resolves the same marketplace state. Account data, orders, and escrow balances are synced server-side.

Primary node Online
Verified April 23, 2026 · 96.4% uptime
Loading...
Mirror node Online
Verified April 22, 2026 · 95.1% uptime
Loading...

New to Tor? Head to the access guide before using these links. Tor Browser requires a specific configuration before .onion addresses resolve. The guide walks through the full setup in eight steps — including security level, captcha, invitation system, and crypto wallet.

Mirror comparison

Status at a glance

Both mirrors use independent server infrastructure. A DDoS attack on one does not affect the other. Uptime figures are 12-month rolling averages from connectivity logs and Dread status thread cross-references.

Mirror Status Uptime (12 mo) Last checked Infrastructure PGP-signed
Primary node Online 96.4% April 23, 2026 Node A — independent Yes
Mirror node Online 95.1% April 22, 2026 Node B — independent Yes

The market publicly committed to two mirrors in its July 2022 operational update on Dread. No third "mirror" has been officially announced. Any .onion address beyond these two is a phishing clone. Verify before you deposit.

Security notice

Canadian buyers are specifically targeted

Phishing sites targeting wethenorth market users operate on a different model than generic darknet scams. They do not spray thousands of random users — they target the predictable, concentrated Canadian user base with pages custom-designed to pass visual inspection at a glance. The logo is correct. The layout matches. The captcha screen looks identical. The only difference is a single character substituted somewhere in the 56-character .onion address.

This works because Canadian buyers searching for WTN onion links on clearnet search engines like Bing or DuckDuckGo sometimes click the first result rather than a bookmarked source. Phishing operators run clearnet SEO campaigns targeting Canadian-specific search terms like "wethenorth onion link 2026" or "wtn market canada address". Their pages outrank legitimate sources for several hours before moderation catches them.

The attack model: You paste a phishing address into Tor Browser. The page loads exactly like WeTheNorth — captcha, login form, market interface. You deposit BTC or XMR to the wallet address provided. The funds go directly to the phishing operator. You see a "pending" transaction that never clears. By the time you investigate, the site has moved to a new address.

Three habits that stop this attack:

Use the copy button. Clipboard transfer copies the exact bytes from our page — no character transposition possible. Typing 56 characters correctly every time is not a realistic operational standard.

Check the address bar in Tor Browser before entering credentials or depositing. Verify the first six and last six characters against the addresses on this page. If either block differs by a single character, close the tab immediately.

Bookmark this page (wtnmarket.top/urls/) in your regular browser, not the .onion address in Tor Browser. A stale Tor bookmark becomes dangerous if the address ever rotates. A bookmark to this clearnet directory always gives you a current, verified address.

The EFF's Surveillance Self-Defense guide covers the broader category of phishing attacks on privacy-focused users. Access Now documents the targeting patterns used against concentrated digital communities. Both resources are worth a read before making your first WTN deposit.

Verify yourself

How to authenticate the WTN address via PGP

This page cross-references every address against the WTN admin PGP key published on Dread. If you want to perform this check yourself — and you should — here is the exact procedure. It takes ten minutes the first time, two minutes each subsequent session.

  1. Install GnuPG

    Download GnuPG from gnupg.org. On Windows, Gpg4win includes the Kleopatra GUI. On macOS, GPG Suite adds a system menu integration. On Linux, GnuPG is typically pre-installed — verify with gpg --version in a terminal.

  2. Locate the WTN admin PGP key on Dread

    Log into Dread via its .onion address. Navigate to /d/WeTheNorth. Look in the pinned posts for the admin's PGP public key block — it begins with -----BEGIN PGP PUBLIC KEY BLOCK-----. The admin username has a gold moderator badge. Do not import a key posted by an account without that badge.

  3. Import the public key

    Copy the full key block including the header and footer lines. Run: gpg --import and paste the block when prompted. Or save it as wtn-admin.asc and run gpg --import wtn-admin.asc. Confirm the import shows the expected key fingerprint — cross-check against any fingerprint posted in the pinned announcement thread.

  4. Find the signed address announcement

    The WTN admin posts PGP-signed mirror announcements when addresses are confirmed or updated. These posts contain a -----BEGIN PGP SIGNED MESSAGE----- block wrapping the current .onion addresses. Copy the entire block including headers, footer, and signature.

  5. Verify the signature

    Save the signed message as wtn-mirrors.txt. Run: gpg --verify wtn-mirrors.txt. GnuPG will confirm whether the signature is valid and which key it was signed with. A valid result shows "Good signature from [WTN admin username]". Cross-check the key ID against what you imported in step 3. The .onion addresses in the verified message are the ones to use.

  6. Compare against this page

    The addresses in the verified Dread announcement should match the addresses displayed on this page character for character. If they differ, the announcement date matters — use whichever source reflects the more recent PGP-signed post. Report discrepancies via the contact route listed in the Dread thread pinned notice.

The EFF Surveillance Self-Defense guide has a dedicated PGP section with step-by-step instructions for each operating system. Whonix OS includes GnuPG pre-installed and routes all traffic through Tor — the recommended environment for any operational verification work.

Links, mirrors, and verification

Nine questions about wethenorth onion addresses

These cover the questions that appear in Dread threads whenever a new user asks about mirror availability, verification, or address rotation. Short answers with enough detail to act on.

What are WeTheNorth mirrors?

WeTheNorth mirrors are separate .onion addresses that connect to the same backend marketplace. Both carry identical user accounts, vendor listings, messages, active orders, and escrow balances. Running two mirrors means the market stays reachable when one node faces DDoS pressure or temporary network disruption.

Both addresses are authenticated via PGP-signed announcements from the WTN admin key published on Dread. This authentication is what separates a real mirror from a phishing clone — the signature cannot be forged without the private key. See the verification guide above for the full process.

Why does WeTheNorth maintain two .onion addresses?

Redundancy. Darknet markets face regular denial-of-service attacks from competitors, researchers, and occasionally law enforcement probing infrastructure. A single-mirror market goes completely dark under that pressure. Two mirrors on independent infrastructure mean one node absorbing an attack does not block access — buyers and vendors switch to the second address and continue without interruption.

WTN adopted the two-mirror architecture in mid-2022 after a sustained DDoS event caused several days of downtime on the original single-node setup. The Dread community documented the outage in real time. The admin posted the rationale for adding a second mirror in the thread that followed. Both addresses have been stable since then, maintained under the same PGP-signed announcement protocol. More on this is documented on Archive.org from Dread thread snapshots.

How do I verify a WeTheNorth link is authentic?

Three methods. Most reliable: compare character by character against the PGP-signed announcement from the WTN admin key on Dread's /d/WeTheNorth subdread. The signature covers the full .onion address string. Any modification — even one character — breaks the signature and shows an error in GnuPG.

Second-most reliable: use the links on this page, cross-referenced against that same signed announcement. We check addresses against the Dread thread each time we update this page. Third: look at the Dread thread history for any admin-posted updates or corrections. Never trust an address posted in a comment, a DM, or a search engine result you did not intentionally seek out from a known source.

What happens if a mirror goes down?

Switch to the second mirror. Backend state — your account, active orders, escrow balances, messages with vendors — is synced server-side across both mirrors. Nothing is lost. The switch takes under a minute: copy the alternate address from this page, paste into Tor Browser, log in with your usual credentials.

If both mirrors are unreachable simultaneously, the most common cause is a large-scale DDoS event or planned maintenance. Check the Dread /d/WeTheNorth board for admin status updates — these events typically resolve within a few hours. Do not attempt to find alternative addresses through search engines during an outage. This is exactly when phishing sites spike in search visibility, because high-urgency users are less cautious. Wait for an official update.

How often do WeTheNorth .onion addresses change?

Rarely. The two current mirror addresses have been stable for over two years without change. Address rotations happen when an operator migrates to new hardware, following a security event, or proactively as a precautionary measure after extended operation.

When addresses do change, the WTN admin posts a PGP-signed announcement on Dread before the old addresses go dark — typically 48 to 72 hours in advance. This gives users time to update any saved references. Bookmark this page and check before each session during any period when you've heard the market is rotating infrastructure. The page updates within hours of any official announcement.

Is it safe to bookmark WeTheNorth in Tor Browser?

Saving a .onion address as a Tor Browser bookmark is safer than retyping 56 characters each session. But it carries two risks. First: anyone with physical or forensic access to the device can see the bookmark in the Tor Browser profile directory. Second: the bookmark goes stale if the .onion address rotates while you are away.

The better operational habit: bookmark this clearnet directory (wtnmarket.top/urls/) in your normal browser, then copy a fresh .onion address each session before opening Tor Browser. That approach keeps no Tor-identifiable bookmarks on the device and always pulls a current, verified address. Tails OS and Whonix both handle bookmark persistence in a way that reduces this exposure for users with higher threat models.

What does the uptime percentage in the table mean?

The uptime percentage is the share of time a mirror was reachable during the previous 12 rolling months, based on periodic connectivity checks against the .onion address. A reading of 96.4% means roughly 13 days of cumulative downtime across the year — almost all attributable to DDoS events rather than infrastructure failure.

For a darknet market, anything above 95% sustained over 12 months is considered stable. Markets that fall below 90% typically face questions from the Dread community about operational reliability. Both WTN mirrors have stayed above 95% since the two-mirror architecture was adopted in 2022, confirming that the redundancy design achieved its intended effect on availability. Compare this to the single-node period before 2022, when downtime peaked at several days per incident.

Why do .onion addresses look so different from regular URLs?

A .onion v3 address is a 56-character base32 encoding derived from the hidden service's Ed25519 public key. There is no DNS lookup involved, no domain registrar, and no certificate authority. The address is the cryptographic identity of the service. Tor Browser verifies this identity automatically on connection — no SSL warning, no certificate to inspect.

This design means the address cannot be subject to law enforcement action by targeting a registrar or a DNS record. It also means phishing operators generate convincing near-matches by brute-forcing strings with matching first and last character blocks. The middle 46 characters get substituted. To the eye at normal reading speed, the address looks correct. Always verify the full 56 characters systematically, not just the beginning and end.

Why do phishing sites target Canadian buyers specifically?

Three compounding factors. WeTheNorth is the only significant Canadian-focused darknet market — the buyer base is geographically concentrated and uses predictable search patterns, making targeting more cost-effective than targeting the dispersed users of a global market. Canadian buyers share a narrow set of search terms in Bing and DuckDuckGo, making search-engine-optimized phishing pages straightforward to deploy.

Second, the WTN deposit flow creates a compact, high-value exploitation window. A buyer who deposits BTC or XMR to a phishing clone's wallet loses the full deposit amount before realizing the address was wrong — typically within an hour of landing. The attacker collects and the phishing site rotates to a new address before reports reach any moderation channel.

Third, first-time buyers account for a disproportionate share of phishing victims. Experienced users have verified addresses and established copy habits. Newcomers searching for an onion link for the first time are at highest risk. The EFF's privacy guide and Access Now both document the targeting patterns used against concentrated digital communities. The copy-button approach on this page defeats character-substitution attacks outright — no user intervention required beyond a single click.

Ready to connect

Copy and paste into Tor Browser

One click. Paste in Tor. Solve the captcha. You are inside the only Canadian-focused darknet marketplace with domestic shipping and 4+ years of continuous operation.

Loading...

Updated April 2026. Not affiliated with the market operators. This directory exists so Canadian users can verify the address without relying on search engine results. Return to home page or read the full access guide.

PGP-authenticated April 2026 2 verified mirrors 96.4% uptime, 12-month rolling 4+ years of WTN operations