Vortex market mirror list — 3 verified addresses

A Vortex mirror is an independent Tor hidden service endpoint that runs an authenticated connection to Vortex's shared backend. Three mirrors exist for two reasons: redundancy against DDoS attacks targeting individual endpoints, and load distribution during peak traffic windows. When one node is under pressure, the queue on the other two stays shorter.

All three share state in real time. Your registered account, active orders, cart contents, wallet balance, and vendor message history are identical across all three addresses. Switching mirrors mid-session is seamless — there is no re-authentication, no data loss, and no need to log back in. The only thing that changes is which entry point you hit first.

The three-mirror structure has been Vortex's published configuration since the market launched in October 2023. It has not expanded to four or five endpoints. If a page claims to show you additional Vortex mirrors, those are either fabricated addresses that point to phishing servers, or stale data from a directory that has not been updated. Both are dangerous. Three is the canonical number.

The verification process above covers this in detail, but the short version is: find Vortex's PGP-signed announcement on Dread (/d/vortex), verify the signature with GnuPG against the canonical fingerprint, and extract the addresses from the verified document. Compare those against what this page shows. If they match, the addresses are authenticated.

The visual design of Vortex — the deep purple and cyan cyberpunk interface — is entirely copyable with HTML and CSS. Phishing sites replicate it routinely. The purple background and Space Grotesk font are not authentication. The 56-character ed25519 address is. Once you have verified it once and cached the fingerprint locally, future checks take about 15 seconds: open the platform footer, compare the fingerprint displayed there to your cached value.

Never get Vortex links from Telegram groups, Reddit threads, or Discord servers without PGP verification. Those sources have no accountability, and phishing links posted there are often the first thing that appears in search results targeting new users.

Version 3 .onion addresses use ed25519 elliptic curve cryptography and are 56 characters long (the older v2 format was 16 characters). The critical property: the address itself is derived directly from the server's public key. This means the address is not just a label — it is a cryptographic commitment to the server's identity. Any server that responds to a v3 .onion address must hold the corresponding private key.

For users, this matters because it makes address spoofing computationally infeasible with current technology. A phishing operator cannot generate an ed25519 key whose public key hashes to the same address as Vortex's real address. They have to use a different address — which means even one character difference exposes the fraud. The Tor Project deprecated v2 addresses in 2021 specifically because v2 had weaker cryptographic guarantees. All three Vortex mirrors use v3 addressing.

The practical implication: typing a v3 address manually is extremely risky. At 56 characters, a single transposition lands you on a completely different server. The character set (lowercase letters plus digits 2–7) also creates confusable pairs: i and l, 0 and o at a glance in some fonts. Copy buttons exist precisely because no human reliably types 56 characters with zero errors.

Start with NODE-01 (primary). It carries the highest traffic because it is the most frequently cited reference address, which means it also has the most comprehensive uptime monitoring. If NODE-01 is queuing longer than 45 seconds, try NODE-02. If NODE-02 is also slow, try NODE-03. The queue times vary independently because each endpoint has a different distribution of incoming Tor circuits.

There is no login advantage to using one mirror over another. Your session state is replicated across all three backends. If you start a purchase flow on NODE-01 and switch to NODE-02, the cart is there. If you receive a vendor message on NODE-03 and later open NODE-01, the message is there. The mirrors are not separate platforms — they are separate doors into the same room.

One practical tip: the address you paste into Tor Browser does not have to match the address you used last session. Each session, copy a fresh address from this page, paste it, and verify. Starting fresh each session with a new clipboard paste is a habit that prevents the clipboard-hijacking malware category of attack — where an extension or process swaps your copied .onion with a phishing address between your copy and your paste.

Simultaneous slowness across all three endpoints has three likely causes in order of probability: a DDoS event targeting the Tor hidden service layer, a Tor network congestion event affecting the onion routing paths, or a scheduled maintenance window. In all three cases, the correct response is to wait — not to look for additional addresses.

Vortex uses a queue-based DDoS mitigation system rather than CAPTCHA challenges. Under heavy load, the platform queues incoming connections and processes them in order. Pages load slowly but completely. This system was specifically designed to keep the platform functional under attack conditions — if you can connect at all, even a slow connection eventually resolves. Typical queue durations during peak attack windows run 30–40 minutes before load normalizes.

If all three mirrors are genuinely unreachable for more than 90 minutes, check the Dread /d/vortex thread for a status update from the market operators. All official communications about downtime, maintenance, or infrastructure changes are published there with PGP signatures. Do not look to Telegram, Twitter, or any clearnet source for platform status — none of those channels are verified and attackers use unplanned outages to push phishing links into the information vacuum.

Only inside Tor Browser, and only if that browser is not syncing bookmarks to any cloud service. Tor Browser's bookmarks are stored locally inside the browser profile directory. As long as that profile is not backed up to or synced with an external service, the bookmark stays on-device.

Never bookmark a .onion address in Chrome, Firefox, Safari, or Edge on your normal profile. Modern browsers sync bookmarks automatically to your Google, Apple, or Mozilla account — which means your .onion URL ends up on someone else's server, timestamped with the date you bookmarked it. Even if the service is encrypted in transit, you have created a record linking your identity (the account) to the address at a specific time.

The safer habit is not bookmarking at all. Copy the address fresh from this page each session. It takes three seconds. The advantage of copying fresh is that you detect a clipboard-hijacking attack immediately — if the first eight characters of the pasted address don't match what you see on the page, something intercepted your clipboard. A bookmark would have taken you to the same address without the comparison step.

v3 .onion addresses are permanent by design. The address is derived from the ed25519 keypair generated when the hidden service is first configured. Changing the address would require generating a new keypair and announcing a new address through authenticated channels — a process that typically involves a PGP-signed announcement on Dread with at least 72 hours of advance notice to allow users to update their records.

Vortex has not rotated its canonical addresses since the market launched in October 2023. The three addresses on this page are the same addresses that were published in the market's original announcement. This is normal and expected — legitimate markets only rotate addresses in response to infrastructure compromise or law enforcement seizure of server hardware, which would be accompanied by a public statement.

Illegitimate actors sometimes claim a market has "rotated" or "updated" its addresses as a pretext to post phishing links. Any claim of an address change should be verified against the PGP-signed announcement on Dread before you use the new addresses. If the announcement is unsigned, treat it as untrusted. If the signature does not verify against the canonical fingerprint, treat the addresses as hostile.

A PGP canary is a short, dated, digitally signed statement published by the market operators. It typically says something like: "As of [date], Vortex Market has not been served with a law enforcement order, the addresses remain unchanged, and the platform is operating normally." It is signed with the market's canonical private key. Vortex publishes a canary at least every 72 hours.

To check the canary: after connecting to any Vortex mirror, find the canary in the platform footer or a dedicated canary page. Copy the full signed block. Run gpg --verify. Check two things: the signature is valid (produced by the canonical key you have already imported), and the date is within the past 72 hours. If both check out, the platform is attesting to normal operations.

A missing canary — or a canary older than 72 hours — is a signal to pause. It does not necessarily mean the platform has been compromised. It might mean the signing process was delayed due to an operational issue. The correct response is to wait a few hours and check again on a different mirror. If the canary is stale across all three mirrors for more than 12 hours, check Dread for operator communications before logging in or initiating any transactions.

A valid canary is a positive signal. Its absence is only a negative signal if it persists. Don't panic over a single stale canary check — but don't ignore it either. One check, three hours later, resolves most ambiguity.

The interface is copied first. Vortex's distinctive deep-purple background, cyan accents, terminal typography, and neon card borders are all replicable in a few hundred lines of CSS. Sophisticated phishing operators produce pixel-accurate clones that pass casual visual inspection. The login form renders. The "forgot password" flow works — long enough to capture credentials. Even the market statistics and vendor listings can be populated with scraped or fabricated data to make the platform feel live.

The attack vector is the address. Since phishing operators cannot generate a v3 .onion address that matches Vortex's canonical key, they rely on users either typing an address with an error, copying from an unverified source that includes a phishing address, or having a clipboard-hijacking extension swap the address between copy and paste. The platform cannot be spoofed — only the path to it can be manipulated.

Specific attack patterns to know:

Typo-squatting: a 56-character address with one character changed. Character substitutions typically happen in positions 10–50 where users rarely check, and use visually similar characters — i→l, 0→o, 2→z in some fonts.

Directory poisoning: posting phishing links in forums, Telegram groups, or "trusted" directories that lack PGP verification. These sources account for the majority of phishing victims.

Clipboard hijacking: a browser extension or malicious process that monitors the clipboard and swaps any .onion address it detects with a phishing address. The copy button press succeeds, but what gets pasted is different. Checking the first and last six characters after pasting catches this.

The defense against all three is identical: verify the PGP signature on any address you use, copy rather than type, and check characters after paste. No shortcuts. No exceptions for "trusted sources."