
How to verify an onion mirror

Phishing on Tor is rampant: typo-squatted onions, expired keys, mirror takeovers. xmr.club runs a daily probe that compares operator-published Onion-Location headers against what we list — but you should also know how to verify on your own. Three independent methods, ranked by signal strength.

Method 1 — Onion-Location header (easiest)

Modern Tor Browser reads the Onion-Location response header from a service's clearnet site and shows a ".onion available" prompt. If you visit https://provider.com in Tor Browser and the prompt offers the same onion the directory lists — that's first-party attestation. The operator literally signed off on it by setting the header on the clearnet origin they control.

  1. Open the provider's clearnet URL in Tor Browser.
  2. Look for the purple ".onion available" pill in the address bar.
  3. Compare the onion it offers against the one listed at /onion-audit.

Our daily probe automates this from the VPS: result lands in /onion-audit. Mismatches get flagged for curator review within 24 hours.

Method 2 — Verify the signed key fingerprint

Long-running services publish their onion service key fingerprint on their canonical clearnet site (or via PGP-signed Git commits). The address you visit on Tor is derived from that public key — so the prefix of the onion is the key fingerprint.

  1. On the clearnet site, look for a "Tor mirror" / "Onion" page that lists the v3 onion address.
  2. Compare that string char-for-char with what your browser is connected to.
  3. Bonus: if it's been signed with PGP (some providers do), verify the signature with the operator's published key.
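
An added example (not xmr.club's own code) of the char-for-char comparison in Method 2, extended to also check the v3 address structure: the 56-character label is base32 for a 32-byte ed25519 public key, a 2-byte checksum and a version byte, so a mistyped address fails the checksum before any comparison happens. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

CHECKSUM_PREFIX = b".onion checksum"
VERSION = b"\x03"


def _checksum(pubkey: bytes) -> bytes:
    # v3 checksum: first 2 bytes of SHA3-256(".onion checksum" || pubkey || version)
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build the address for a 32-byte key (used here only to make sample data)."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def parse_v3(text: str) -> bytes:
    """Return the public key inside a v3 address or URL; raise ValueError if malformed."""
    text = text.strip()
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion host")
    label = labels[-2]  # ignore subdomains such as www.
    if len(label) != 56:
        raise ValueError("v3 label must be 56 characters")
    raw = base64.b32decode(label.upper())  # binascii.Error is a ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unexpected version byte")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: typo or corrupted address")
    return pubkey


def same_service(published: str, connected: str) -> bool:
    """True only if both strings are valid v3 addresses for the same key."""
    return parse_v3(published) == parse_v3(connected)


if __name__ == "__main__":
    sample = encode_v3(bytes(range(32)))  # constructed key, not a real service
    print(sample, same_service(sample, "http://www." + sample.upper() + "/login"))
```

A valid checksum only shows the string is a well-formed v3 address; it says nothing about who controls the key, so the comparison against the operator-published address is still the step that matters.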

Method 3 — Cross-reference independent directories

xmr.club, monerica, kycnot.me, Privacy Guides and the Awesome Onion lists are maintained independently. If three of them list the same onion for the same provider, the chance of all three being phished is low. We publish the dataset at /data.json (CC-BY-4.0) specifically to make this kind of cross-check cheap.

Red flags

  • Address you found doesn't match what /onion-audit + /data.json list. Possible takeover or typo — don't sign in.
  • Onion redirects to clearnet on signup. Operator broke their own Tor flow — usable for browse, but not for login until they fix it.
  • Self-signed clearnet TLS, prompting you to add an exception. Real operators on v3 onions don't need TLS, but the clearnet site should still have valid certs — bad cert is a phishing signal.
  • Address you got from someone in DMs. Always cross-check against published sources before trusting.

Picks for verifying mirrors

  • Tor Browser → /tools/tor-browser

    Reads Onion-Location header automatically. Free, official.
