In January 2025, multiple cybersecurity firms reported a coordinated phishing campaign targeting users searching for Nexus Market. The campaign used typosquatted domains with subtle character substitutions to harvest credentials.
Researchers at several threat intelligence firms documented over a dozen fake domains registered within a two-week period. These domains mimicked the visual appearance of the marketplace but redirected submitted credentials to attacker-controlled servers.
Users are advised to verify any URL through multiple independent sources and to treat all unsolicited links with extreme caution. Credential theft remains one of the most common attack vectors in the darknet ecosystem.