Security & OpSec Guide

Operational Security (OpSec) is not optional. This guide outlines the mandatory cryptographic and behavioral protocols required to navigate the DrugHub infrastructure safely. Failure to adhere to these standards compromises network integrity and user anonymity.

Verification Level: MANDATORY

1 PGP Encryption (The Golden Rule)

Pretty Good Privacy (PGP) is the backbone of darknet security. If you do not encrypt, you do not care about your safety. DrugHub employs a strict policy regarding communication: all sensitive data must be encrypted before it ever leaves your device (Client-Side Encryption).

✅ DO: Client-Side Encryption

Always encrypt messages using software on your own computer (Kleopatra, GPG4Win, or GPG Suite) before pasting the ciphertext into the website.

❌ DON'T: "Auto-Encrypt"

Never check a box that says "Encrypt this message for me" on a market. This relies on server-side encryption. If the server is compromised, so is your message.

Implementation Steps:

  1. Download and install Kleopatra (Windows) or GPG Suite (macOS).
  2. Generate a 4096-bit RSA Key Pair.
  3. Import the market's public key (found on the /about page).
  4. Write your message in a text editor, copy it, and encrypt it using the recipient's public key.
  5. Paste the resulting "BEGIN PGP MESSAGE" block into the DrugHub communication field.

2 Phishing Defense & Link Verification

Phishing is the #1 cause of account loss. Attackers create exact clones of DrugHub to steal credentials. The only way to mathematically prove you are on the real site is by verifying the PGP signature of the onion address or the signed message provided by the server.

How to Verify

DrugHub provides a cryptographically signed message at the login page. You must verify this signature against the official DrugHub public key you have stored offline.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is DrugHub. The time is 2025-02-04 14:00 UTC.
Your session ID is: XYZ-123-ABC
The onion address is: drughub33kngovqzkhf6gqjyudzak44gcnfrrh4ukllicsuduraw3did.onion
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----

  • NEVER use links from Wikipedia, Reddit, or random forums.
  • NEVER trust "Hidden Wiki" sites; they are often link farms for phishing sites.
  • ALWAYS use the links provided on verified aggregators like Daunt or Tor.Taxi, and verify them manually.

3 Tor Browser Hardening

No JavaScript

JavaScript can be weaponized to de-anonymize users. Set your Security Level to "Safest" in Tor Browser settings. This disables JS by default on all sites.

Window Size

NEVER resize your Tor Browser window or maximize it. Keep it at the default launch size to prevent "fingerprinting" based on your screen resolution.

Identity Isolation

Do not use usernames, passwords, or writing styles that you use on the clearnet (Facebook, Reddit, Gmail). Your DrugHub identity must be completely compartmentalized.

4 Financial Hygiene

XMR ONLY

The Monero (XMR) Standard

Bitcoin (BTC) is a transparent ledger; every transaction is traceable. DrugHub operates exclusively on Monero (XMR) because of its ring signatures, stealth addresses and transaction confidentiality.

NEVER: Exchange (Coinbase/Binance) -> DrugHub Market Wallet

ALWAYS: Exchange -> Personal GUI Wallet (Cakewallet/Monero GUI) -> DrugHub Market Wallet

* Sending directly from an exchange with KYC (Know Your Customer) links your real identity to the market deposit address. Using a personal intermediary wallet breaks this link when using Monero.