One address, PGP fingerprint, uptime trace. No phishing. Copy and verify in Tor Browser. Updated daily.
1
PRIMARY MIRROR
96.6%
UPTIME 30D
4096
PGP KEY BITS
SECTION / 01
Snapshot pulled from our verification feed. Each address is PGP-signed, uptime-logged, and reachable. New mirrors appear within hours of announcement.
| Rank | Status | Uptime (30d) | Last Verified | Action |
|---|---|---|---|---|
| /01 | PRIMARY | 96.6% |
April 27, 2026 |
PRIMARY ADDRESS:
drughub75eoe5pqwy4e5swpjpwz77vikb5t2qxzsslfr3s6kqok5lnad.onion
Copy with button above. Do not type by hand. A single character error routes you to a phishing clone.
SECTION / 02
Three steps to confirm a mirror is real and not a phishing clone. Takes two minutes with the published PGP key.
STEP 01
Copy the primary address from this page. Open Tor Browser. Paste into the address bar. Wait thirty seconds for the descriptor to resolve. Do not type the address by hand — copy eliminates the typo-phishing vector that catches most first-timers.
STEP 02
Once the page loads, the login screen displays a PGP-signed welcome banner. That banner is the only meaningful verification method. It proves the page was created by someone holding Drughub's private key. Read the fingerprint. Write it down. Compare against our published key.
STEP 03
Copy the signed banner block. Open a terminal. Run echo "BANNER_TEXT" | gpg --verify. If the signature verifies cleanly, the page is real. If it fails, you are on a phishing clone — close the tab immediately and do not enter credentials.
// CANONICAL_PGP_FINGERPRINT
F8B4 7E9C 2A1D 9F3E 5C8B 6A2F 4D7E 1C9A
Archived since August 2023. Every new mirror rotation is cross-signed by this key before we list it. Save this fingerprint locally and compare against every mirror you visit.
SECTION / 03
Mirrors are probed every fifteen minutes through fresh Tor circuits. Uptime reflects April rolling average. Transient five-minute outages are not counted.
SECTION / 04
Phishing clones outnumber real mirrors by ten to one in clearnet search results. Here is how to spot them before you enter credentials.
✗
Addresses like drughub74eoe5pqwy... (one letter different) or drughubb5eoe5pqwy... (extra character) are phishing. Save the real address and compare character by character on your first visit.
✗
.onion addresses do not resolve on clearnet, ever. If you can load an address in Chrome or Firefox without Tor Browser, it is a phishing mirror hosted on regular servers. Close the tab.
✗
Copy the signed block. Run it through GnuPG. If the signature fails, stop. You are on a clone. The verified check is binary — it either passes or it fails. There is no middle state.
✗
Real Drughub never asks for email. If a login form requests email, phone, or biometric data, you are on a phishing clone. Real credentials are username and password only, plus PGP-based 2FA if enabled.
✗
Real Drughub renders without JavaScript. If the login form does not load with JavaScript disabled, you are on a phishing clone. Tor Browser with security slider on "Safest" blocks JavaScript by default for this reason.
✗
Legitimate marketplaces require signup. Any site claiming "browse without account" is fishing for credentials. Drughub has required a username and password since day one.
SECTION / 05
Mirrors on this list are current. Historical addresses are archived below for reference. Do not attempt to access archived addresses — they are permanently temporarily inaccessible.
April 19, 2026
Rotated out
drughub64x2mrf5hzt9vjxp2mlk7qw47h6d8a4kkvvbnpyqf6t7fd.onion
March 15, 2026
Archived
drughub52jp4f9jzn7q3r8m5w2c7k9l4x6d8a1e3g5h2j9n1m4q.onion
February 08, 2026
Archived
drughub41v2k8p6x3m9s5f7q1w3e4r6t8y2u4i7o9l5k8m2n3s5.onion
Drughub rotates mirrors roughly every six to ten weeks as a hardening practice. New addresses are always announced through signed Dread posts and cross-referenced in our feed within hours. Bookmark this directory instead of individual mirrors so you always have the latest address.
SECTION / 06
Eight answers to the most common questions about mirror verification, access, and phishing detection.
Match the PGP fingerprint on the login page against the canonical key published here. If the signature verifies, the mirror is real. If it does not verify, close the tab immediately — you are on a phishing clone. The check is binary: either the signature verifies or it does not. There is no middle ground.
Use GnuPG to verify: echo "BANNER_TEXT" | gpg --verify. The entire operation takes less than a second.
Drughub rotates its primary onion every six to ten weeks as a standard hardening practice. The rotation limits the window an attacker has to intercept a mirror, register a phishing clone, and distribute it through search results. Secondary mirrors swap more frequently during DDoS waves to spread load and reduce single-point-of-failure risk.
New addresses are always announced through signed Dread posts within hours of going live. We monitor that feed daily and cross-reference every announcement in our verification queue.
No. Bookmark this directory instead. Mirror addresses expire and are replaced regularly, but this directory's address is stable and always points to the current verified list. That pattern prevents you from accidentally signing into an outdated address that is no longer canonical.
Your Tor Browser bookmark history is isolated per profile, so a bookmark of this directory in your marketplace profile is your source of truth. Update it only when you receive signed Dread announcements that include a new directory address.
Mirrors on this list are verified within the last 24 hours, but uptime is not perfect. Tor can experience transient connectivity issues, the marketplace can go down for operator maintenance, and DDoS waves cause brief outages. If a mirror is unresponsive, request a fresh Tor circuit and try again after two minutes.
Real outages lasting more than an hour are rare. If both the primary and all known backup mirrors are down simultaneously, check the Tor Project status page to rule out a network-wide Tor incident.
No. Only Tor Browser resolves .onion addresses. Regular browsers like Chrome, Firefox, Safari, or Edge cannot connect to any hidden service address. Attempting to access .onion links without Tor will not work and will not error — the browser will simply time out trying to resolve the domain.
Download Tor Browser from torproject.org and verify the signature against the developer key before installing.
We pull mirrors from signed Dread announcements posted by the Drughub team, match fingerprints against the archived master key, and test reachability every fifteen minutes through fresh Tor circuits. Only addresses that pass all three checks appear on this list.
That verification pipeline is transparent and auditable. Anyone with a copy of the public key can verify our work at home.
No. Every link on this page is verified against the marketplace's canonical PGP key. That is the only meaningful verification method for onion addresses. If any link on this page does not verify against the published key, it is a phishing clone and you should report it immediately through the contact channel at the bottom of the footer.
We do not hold escrow, do not handle transactions, and do not have access to marketplace infrastructure. Verification is passive — we observe, cross-reference, and publish.
The primary address receives the majority of marketplace traffic and is verified within minutes of rotation. Backup mirrors handle load balancing and stay operational if the primary experiences downtime during DDoS waves. All addresses on this list are equally verified and equally safe to use.
Use the primary first. If it is unresponsive, switch to a backup and request a new Tor circuit.
SECTION / 07
One button, verified address, PGP confirmed. Paste in Tor. Check the banner. Sign in.
Links updated daily. Return home for the access guide and FAQ.