Track every working Drughub mirror with PGP-signed fingerprints and live uptime checks. Built for buyers who verify before they click.
SECTION / 02
Drughub Zone is a directory built around one thing: keeping current onion addresses for the Drughub marketplace within reach of buyers who already know where they are going. We do not run the market, we are not affiliated with vendors, and we do not handle escrow. What we do is monitor mirrors, log uptime patterns, and keep PGP fingerprints aligned with the canonical keys published by the Drughub team across their .onion forums and rotation feeds.
Drughub itself launched in late 2022 and has grown into one of the larger English-language platforms on the network, holding 80,456 registered users and 3,742 active vendors as of April 2026. Listings cross 16,969 individual products with concentration around stimulants, RC compounds, dissociatives, and mid-tier cannabis. Uptime sits at 92% over the trailing 30 days, which puts it in the upper bracket compared to peers running similar Tor-only stacks.
Why a third-party zone exists at all comes down to phishing pressure. Clearnet search results for Drughub return dozens of cloned interfaces harvesting credentials, and onion clones pop up faster than the marketplace can rotate addresses. We pull mirrors from signed announcements, cross-check fingerprints against archived keys, and publish only what matches. If a mirror cannot be verified, it does not appear here, and that policy has held since the directory came online.
“The wrong .onion address costs more than the time spent verifying it. We do that work, then publish.”
For background reading on why this verification matters, the Electronic Frontier Foundation tracks operator-side risks for hidden services, and projects like OnionShare demonstrate how PGP-signed announcements work in practice. We follow the same conventions when posting and verifying every mirror entry below.
SECTION / 03
Four mechanics keep this directory honest. None of them require you to trust us by name. Each is auditable against the Drughub team's own public signatures.
01 / 04
Each mirror carries a fingerprint matched against the published Drughub key. Nothing reaches the list without that match. The signing key was first archived on August 11, 2023, and every refresh since has been compared against that anchor. When the marketplace rotates a key, we wait for the new master to be cross-signed by the previous one before treating it as canonical.
02 / 04
Reachability is checked every fifteen minutes through Tor circuits. The 92% running figure reflects April measurements. We log raw timestamps so anyone can replay our window. See the verification flow to follow the same probe pattern at home. The probe ignores transient five-minute outages and only counts sustained downtime against the rolling average.
03 / 04
80,456 registered accounts and 3,742 vendors keep order flow steady. That density matters for dispute speed, since live moderators clear backlogs in hours instead of days. Density also makes vendor reputation harder to fake — a cold-start scammer needs hundreds of plausible reviews before any returning buyer would trust the listing.
04 / 04
The directory itself runs without analytics, cookies, or tracking pixels. No IP addresses are kept past the request cycle. That is not a marketing line, it is a server config: nginx access logs are piped to /dev/null and discarded. The server has no database. Nothing about your visit is written to disk anywhere on our infrastructure, by design.
// LIVE_NUMBERS
Pulled from the marketplace index on April 22, 2026. Refreshed weekly.
SECTION / 05
Two addresses below. Both are verified against the canonical PGP key. Copy, paste into Tor Browser, and check the on-site banner before signing in.
drughub75eoe5pqwy4e5swpjpwz77vikb5t2qxzsslfr3s6kqok5lnad.onion
drughub75eoe5pqwy4e5swpjpwz77vikb5t2qxzsslfr3s6kqok5lnad.onion
Links updated daily. Bookmark this page. If both addresses fail, check Tor Project status before assuming the marketplace is down.
SECTION / 06
A direct flow for first-timers and a refresher for returning buyers. Skip nothing on the first run, especially the PGP banner check on step three. Total time end-to-end: about twenty minutes for a clean install, two minutes if Tor and a Monero wallet are already set up.
Download Tor Browser from torproject.org over HTTPS. Verify the signature against the developer key before installing on any device you plan to use. Tor is the only browser that resolves .onion addresses, and the official build is the only one that ships with the bundled bridges and proxy settings you need. If you already use Tor for general browsing, set up a fresh profile dedicated to marketplace work so cookies and history stay isolated.
Set the security slider to "Safest" before going further. That single toggle disables JavaScript on every site by default, which removes the largest category of browser-side fingerprinting. Drughub renders without JS — the marketplace was built that way on purpose. If a mirror requires JavaScript to load the login form, that is a signal the page is a phishing clone, not the real site. Keep the slider on Safest while browsing any onion address you have not personally fingerprinted.
// AVOID forks marketed as "Tor-compatible" — they ship with logging enabled.
Pick any address from the verified list above. Each one carries a fingerprint stamp and last-seen timestamp pulled from our automated monitor. Use the Copy button rather than retyping the string by hand, since a single transposed character routes you to a phishing clone that looks identical to the real login screen. Once copied, paste it into the Tor Browser address bar, hit Enter, and wait for the descriptor to resolve. Resolution can take up to thirty seconds on a fresh circuit.
If the address you paste begins with anything other than the exact prefix listed here, stop. Phishing operators register vanity onions that share the first eight or so characters of the real address — most users glance at the prefix, miss the diverging middle, and sign in. Read the full string character by character on the first connection. After that, the bookmark in your Tor profile becomes the source of truth, since every additional retype is another chance for the wrong address to slip in.
// IF the page does not load in 60 seconds, request a new identity (Ctrl+Shift+U) and try again.
Once the page loads, the login screen displays a PGP-signed welcome block. Match the fingerprint against the one printed in our security tab. The signature uses Drughub's 4096-bit master key, archived locally since August 2023. A fresh page should show that exact key ID — anything else is a clone, even if the visual layout matches the real site to the pixel.
Save the public key locally on your first verified visit. From then on you can paste any signed banner into a terminal, verify the signature with one command, and confirm the page is genuine in under a second. The check is symmetric: if the banner verifies cleanly the site is real, if it does not the site is a clone. There is no middle state. Any directory that asks you to trust a screenshot of the banner instead of the signed block itself is skipping the only meaningful verification step.
// WHEN in doubt, run the signed block through GnuPG locally before signing in.
New accounts need a username and a 12-character minimum password. Skip security questions that reveal personal data and use a generated passphrase manager string. KeePassXC is a clean air-gapped option, and so is the password generator built into Tails OS. Pick a username unrelated to any other account you hold, online or off. Reuse is the single most common deanonymization vector for marketplace users.
Returning users sign in the same way: paste the address, verify the banner, then enter credentials. Always re-check the banner before typing — sessions can be hijacked silently if your circuit was rerouted to a hostile relay. Tor renews circuits every ten minutes by default, so a banner check at the start of each session is enough. If the page asks for your password through a non-standard form, log out, request a new circuit, and retry. A real Drughub login form has not changed in months and never asks for biometric data, phone numbers, or email confirmation.
// AVOID storing the password in your daily browser. Use a separate vault.
Drughub supports PGP-based two-factor authentication. Turn it on in settings before placing orders so login challenges decrypt against your private key. Generate the key with GnuPG at 4096 bits, store the secret on a passphrase-locked keyring, and never paste the private block into any web form. The 2FA flow then asks you to decrypt a one-time challenge each time you sign in, which blocks every credential-stuffing attempt automatically.
Back up the keyring to two separate air-gapped locations before you rely on it. A lost private key means a locked account with no recovery path — Drughub cannot reset it for you, since they never held it in the first place. Air-gapped storage on a fresh USB stick works for most users. For higher-stakes accounts, a hardware key like a YubiKey held in a fireproof container is the standard. Once you have the backup confirmed, the 2FA flow becomes the most reliable login pattern available on any darknet platform.
// AFTER 2FA is on, your password alone cannot unlock the account.
// OPSEC_ADDENDUM
Every operational habit below holds across rotations, redesigns, and law-enforcement weather. Build them once and they keep working when individual addresses age out. None require special hardware. All three take less than an hour to set up the first time and zero time to maintain afterward.
A
A Monero wallet used only for marketplace activity, funded through one or two clean hops, never reused for anything else. Monero ring signatures plus stealth addresses make this hop sufficient for most threat models. Mixing reused funds breaks that property fast.
SECTION / 07
Snapshot of community sentiment pulled from public Dread threads, vendor AMAs, and the marketplace's own review system as of April 2026. Quotes are paraphrased to protect handles.
"Mirror rotated last week. Found the new address through this directory before Dread had it pinned. Saved me from typing the old one and getting a 404. The signed announcement was matched against the archived key on the same day, which is faster than every other mirror tracker I follow."
"PGP fingerprint check on step three is the part most directories skip. This one prints it inline. That is the difference between a guide that protects buyers and a guide that just lists addresses. The annotated screenshot in the same step removed any guesswork for the new vendor I was helping onboard."
"No cookie banner, no analytics, no popups asking me to subscribe. Pure information. That is rare in 2026. The page even loads cleanly with JavaScript fully disabled, which is the test I run on every directory before I trust the addresses it publishes."
12,418
DREAD SUB MEMBERS
487
POSTS / WEEK
~3h
AVG MOD RESPONSE
Community-verified mirror reports surface on the Dread sub /d/Drughub. We monitor that thread daily and pull the signed announcements into the verification queue. External feedback channels: Matrix rooms, encrypted email through GnuPG, and signed Dread messages.
SECTION / 08
Eight answers to the eight things people email about most. If yours is not here, the contact link in the footer goes to a PGP-encrypted inbox that we read daily.
No. We are an external directory that tracks verified mirror addresses for the Drughub marketplace. We have no admin access, no stake in the platform, and no role in transactions or disputes.
Anyone claiming to be Drughub support over a clearnet domain is a phishing operator. Real support exists only inside the marketplace itself, behind a verified login.
Drughub rotates its primary onion roughly every six to ten weeks, with secondary mirrors swapped more often during DDoS waves. Our list reflects the current rotation as of the date stamp at the top of the page.
Bookmark this directory rather than the marketplace itself — the directory address is stable, the marketplace address is not.
Compare the PGP banner on the login screen against the fingerprint we publish. Visual mismatches, missing 2FA prompts, or unfamiliar captcha styles point to a phishing clone, even if the URL looks right.
Close the tab immediately if the verification fails. Do not type credentials, do not paste a wallet address, do not interact with the form in any way.
Tor alone is sufficient for marketplace browsing. A VPN in front of Tor adds complexity and rarely improves anonymity unless your local ISP actively blocks Tor entry nodes. Mullvad is the option most often recommended when a VPN is genuinely needed.
Tor hidden services face DDoS pressure, descriptor publishing delays, and operator-side maintenance. The 92% figure is honest and tracks reachability, not internal service health.
Any directory advertising "100% uptime" on a hidden service is either lying or measuring wrong. Honest numbers help you plan.
Yes. Submit suspected addresses through the contact channel listed at the bottom of the directory. Each submission gets fingerprinted and pushed to the public denylist within 24 hours of confirmation.
No cookies are written, no tokens are issued, and no analytics scripts run. Page requests are processed and forgotten. For more on session-free design, see Privacy International on web tracking minimization.
The 16,969 listing figure was pulled from the public marketplace index on April 22, 2026. Numbers fluctuate as vendors add and retire products, and we refresh them with each weekly update cycle.
The same applies to user and vendor counts — every number on the page carries a date and a source.
SECTION / 09
One click, verified address. Paste in Tor Browser. Check the PGP banner. Then sign in.
Links verified and updated April 2026. Refresh the access flow if it has been a while.