Threat intelligence analysts published a report in March 2025 documenting a significant increase in domains designed to impersonate Nexus Market. The report identified patterns including homoglyph attacks, subdomain abuse, and lookalike TLDs.
Many of these fake domains were found to host credential harvesting pages that closely replicated the visual design of the actual marketplace. Some also distributed malware through fake download prompts.
The report recommends that researchers and journalists exercise extreme caution when investigating such domains and use isolated environments for any analysis.