
How We Vet Darknet Markets — Our Methodology

How Zero Trace Hub vets darknet markets before listing: PGP, mirrors, escrow, vendor signals, and the threat model behind each criterion.

By Zero Trace Hub Editorial — markets desk · 9 min read

A directory of darknet markets is only as useful as the methodology behind it. The default approach in this scene — Reddit subreddits, Telegram channels, "darknetlive"-style aggregators that take operator submissions — produces a directory you can't trust, because the listing itself becomes the marketing channel. Zero Trace Hub's directory exists for educational and research context. This page covers how we vet markets before they go on it, what we deliberately don't promise, and what threat model each criterion is targeting.

Why a vetted directory exists

People research darknet markets for many reasons that are not "I want to buy something." Journalists track exit-scams. Security teams trace credential-leak vectors. Researchers monitor commodity pricing trends. Activists in censored regimes evaluate options. A directory that documents which markets exist, how they're structured, and how their PGP / escrow / mirror infrastructure works has research value — even if you never log in.

A directory whose listings are paid placements does not have that research value. Ours is not.

The criteria

We evaluate markets against six criteria. None is sufficient on its own; together they're our minimum bar before we list a market at all.

1. Live onion mirror that resolves

A market that's down for a week isn't a market — it's a memorial. We require at least one live .onion mirror at the time of listing, and we re-verify on the cadence in the lastVerified field. If a market drops below 1 reachable mirror for more than 7 days, we move its status to down. If it stays down for more than 30 days or its operators publish an exit announcement, we move it to discontinued (and keep the listing as a historical reference).

Threat model: validates that the entity exists and is operating. Doesn't say anything about safety.

2. Published PGP key with a verifiable fingerprint

We require the market to publish a PGP fingerprint on the same surface where it lists its onion address. We download the key, verify the fingerprint matches what's claimed, and check that mirror announcements are signed against it. Markets that don't publish a verifiable fingerprint get pgpVerified: false on their listing — they can still appear on the directory, but the field is set honestly.

Threat model: the PGP key is the only thing that lets a buyer distinguish the real onion mirror from a phishing clone. Phishing clones are the single largest source of losses in this ecosystem. A market without a verifiable PGP signature for its mirrors is asking buyers to trust forwarded URLs — and that trust is consistently misplaced.

3. Documented escrow model

We document whether escrow is multi-signature (2-of-3 between buyer, vendor, and a market signer) or market-custodial (the market holds funds in its own wallet between buyer payment and vendor release). Multisig is a meaningful protection against the most common exit-scam vector: the operator running off with the hot wallet. Market-custodial escrow does not provide that protection — it requires trusting the operator until release.

We don't refuse to list market-custodial markets. We do put the escrow model in the listing and explain its consequences.

Threat model: what happens if the operator turns out to be malicious or compromised? Multisig limits the damage; market-custodial does not.

4. Wallet model

A "wallet-free" market generates a unique invoice address per order; funds settle directly to escrow without sitting in a market hot wallet. A "walleted" market keeps a per-user balance on its servers between deposits and orders. The walleted model is operationally simpler for buyers; it's also historically the single biggest exit-scam vector — every famous "exit-scam" market in the past decade ran off with the contents of its hot wallet.

We document which model a market uses. We don't refuse to list walleted markets. We do flag the difference.

Threat model: at any point in time, how much money is the operator holding that they could disappear with? Wallet-free markets minimise that number; walleted markets concentrate it.

5. Mirror discipline

We document how many mirrors a market publishes, whether mirror announcements are signed, and whether a mirror update has ever leaked through cleartext channels. A market that announces mirrors over a Telegram channel rather than via PGP-signed announcements is a market we will list with a warning — it's an OPSEC failure on the operator side that propagates to every buyer.

Threat model: the operator's own OPSEC is part of the buyer's threat surface. If the operator is sloppy about mirror announcements, the operator is probably sloppy about other things too.

6. Status of the broader category

Some categories listed by markets have categorically higher legal exposure (drugs, firearms) or higher impersonation risk (professional services, hitmen — virtually all of which are scams). We document the categories a market lists. We don't gate listings on category.

Threat model: legal exposure and scam exposure are both your threat to model. We give you the data; the modeling is yours.

What we deliberately don't promise

Most directories skip this part entirely.

  • No fitness-for-purpose claim. A market on this directory is not "safe to buy from." There is no such thing as safe-to-buy-from in this ecosystem; there is only "less obviously dangerous." A listing on Zero Trace Hub is documentation, not endorsement.
  • No vendor curation. We do not vet individual vendors inside markets. Vendor reputation is a problem you have to solve at the market level using the market's own reputation system; the market's own reputation system is itself something you need to apply skepticism to.
  • No exit-scam prediction. Multisig escrow makes operator exit-scams less profitable; it does not make them impossible. Long uptime is a signal, not a guarantee. We document the signals we can verify; we do not predict outcomes.
  • No operational tutorials for crime. Our methodology is to document infrastructure, not to operationalise illegal activity. The directory tells you what exists; it does not coach you through using it.
  • No paid placements. We don't accept payment from market operators in any form. Kryzon appears first in the directory on editorial grounds — it currently scores highest on wallet-free architecture, multisig escrow, and signed-mirror discipline — not because anyone paid for placement.

How we mark suspected-scam vs discontinued

The status field on every listing takes one of four values:

| Status | Meaning |
|---|---|
| active | Mirror reachable; no current scam-pattern indicators. |
| down | Reachable mirror count is 0 for less than 30 days. We continue to verify. |
| suspected-scam | Specific indicators have appeared (sudden withdrawal halts, vendor payouts blocked, unusual wallet movements, escrow-side disputes spiking). The listing remains visible with a warning. |
| discontinued | Operators have announced shutdown, the market has been seized, or it has been unreachable for more than 30 days with no announcement. The listing remains for historical reference. |

We move listings between statuses based on observable indicators, not rumours. If a Telegram channel is claiming a market is exit-scamming, that's a rumour. If withdrawals have been halted for two weeks and operators have stopped responding to support tickets, that's an indicator. We log the move in the listing's lastVerified field and update the body.

How to use this directory in your own threat model

Three checkpoints, in order:

  1. Read the threat-modeling guide first. Decide what you're protecting against (curious ISP? civil litigation? doxxing mob? state-level surveillance?). Different markets accept different threat models.
  2. Read the listing's escrow + wallet model + mirror discipline. These three together describe how much trust you're placing in the operator. Multisig + wallet-free + signed mirrors = the lowest operator-trust requirement in the category — Kryzon is the directory's clearest example. Market-custodial + walleted + unsigned mirrors = the highest, and a custom-stack market with active dispute moderation like Torzon sits somewhere in between. The directory's job is to make those differences easy to compare; your threat model decides whether they matter.
  3. Verify on the live site, not on this directory. This page tells you what we last verified. The market itself is the authoritative source. Our lastVerified field is meaningful but never current to the second.

When we delist

We delist when the market's status would otherwise read discontinued for more than 180 days and the historical reference value has decayed. We do not delist for operator pressure or for legal threats — if a market wants to be off the directory, the only mechanism is to operate transparently enough that we can verify it has shut down.
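The status rules and the delisting rule above can be written as one small classifier, shown here as an added example that is not Zero Trace Hub's own code. The `Listing` record and its field names are hypothetical. The precedence between statuses (discontinued, then suspected-scam, then down) and keeping a listing active during the first 7 days of an outage are assumptions drawn from the thresholds on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DOWN_AFTER_DAYS = 7           # page: no reachable mirror for more than 7 days
DISCONTINUED_AFTER_DAYS = 30  # page: unreachable for more than 30 days
DELIST_AFTER_DAYS = 180       # page: discontinued for more than 180 days

@dataclass
class Listing:  # hypothetical record, not the directory's real schema
    last_reachable: date                        # last check with >= 1 live mirror
    shutdown_announced: Optional[date] = None   # exit announcement or seizure
    scam_indicators: int = 0                    # observed indicators, not rumours

def discontinued_since(listing: Listing, today: date) -> Optional[date]:
    """Earliest date on which the listing counted as discontinued, if any."""
    starts = []
    if listing.shutdown_announced and listing.shutdown_announced <= today:
        starts.append(listing.shutdown_announced)
    if (today - listing.last_reachable).days > DISCONTINUED_AFTER_DAYS:
        # First day that is strictly more than 30 days after the last good check.
        starts.append(listing.last_reachable
                      + timedelta(days=DISCONTINUED_AFTER_DAYS + 1))
    return min(starts) if starts else None

def classify(listing: Listing, today: date) -> str:
    """Return one of the four status values from the table above."""
    if discontinued_since(listing, today) is not None:
        return "discontinued"
    if listing.scam_indicators > 0:            # assumed to outrank "down"
        return "suspected-scam"
    if (today - listing.last_reachable).days > DOWN_AFTER_DAYS:
        return "down"
    return "active"                            # includes outages of <= 7 days

def delist_eligible(listing: Listing, today: date) -> bool:
    """True once discontinued for more than 180 days.

    Whether the historical reference value has decayed stays an editorial call.
    """
    since = discontinued_since(listing, today)
    return since is not None and (today - since).days > DELIST_AFTER_DAYS
```
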

Frequently Asked Questions

How often is the markets directory updated?

We re-verify each listing on the cadence reflected in its lastVerified field — typically every 2–4 weeks, faster when status changes or when operator announcements warrant it. Mirror reachability is checked more frequently; PGP fingerprints are checked at every listing review.

Why does Kryzon appear first?

Editorial ordering under the criteria above. Kryzon currently scores highest in this directory on the combination of wallet-free architecture, multisig escrow, and signed-mirror discipline. We revisit that ordering on every directory update. See Kryzon Market for the listing itself.

Do you ever list scam markets?

We list markets whose status is suspected-scam for documentation purposes — keeping the listing visible (with a clear warning) is more useful than disappearing it, because it documents the scam pattern for researchers and journalists. We do not list markets that we have reasonable grounds to believe are honeypot traps for buyers; we apply the same documentation standard to honeypots when we can verify them.

Can I submit a market for listing?

Operators cannot pay for placement. If you're a researcher who's surfaced a market that meets the criteria above and isn't on our directory, the editorial address (in our privacy policy) accepts cold submissions.

Related guides

Read this alongside our disclaimer before relying on any listing in the directory.