FILE 002 · ACCESS PROTOCOL · UPDATED 21.04.2026

Get into Drughub.
Eight steps.

This guide takes you from a fresh browser to your first verified session inside Drughub market. No prior darknet experience needed. Thirty minutes start to finish. You need three things: Tor Browser, a Monero wallet, and the verified .onion link from this portal.

Guide current as of April 2026 · ~30 min to complete · 8 steps total

§ 01 · BEFORE YOU START

What you need before step one

Three tools. All free. All open source. None of them take more than ten minutes to set up from scratch. If you already have Tor Browser installed, skip to step four.

| Tool | Purpose | Download | Required? |
|---|---|---|---|
| Tor Browser | Anonymizes traffic, routes through .onion network | torproject.org | Yes — mandatory |
| Monero Wallet | Holds XMR for payments (walletless invoice system) | getmonero.org | Yes — for purchases |
| GnuPG / Kleopatra | Generates your 4096-bit PGP key for login and messaging | gnupg.org | Yes — account requires it |
| Password manager | Stores your Drughub username and key passphrase | keepassxc.org | Strongly advised |
| Tails OS or Whonix | Amnesic operating system — leaves zero trace on disk | tails.net / whonix.org | Optional but recommended |
| Mullvad VPN | Hides Tor usage from your ISP (Tor over VPN) | mullvad.net | Optional — context-dependent |

Tails over regular OS

Tails OS runs from a USB stick and leaves no footprint on your machine. Every session starts clean. If threat modelling matters to you — a journalist, someone in a restrictive country, or simply a person who values a clean separation between sessions — boot from Tails. Tor Browser inside Tails is already pre-configured at Safest level. Skip step three entirely.

If Tails isn't an option, Whonix inside VirtualBox achieves a similar isolation on any desktop.

§ 02 · STEP-BY-STEP PROCEDURE

From zero to your first Drughub session

Follow in order on first setup. Return users: jump to step four to get the latest verified link. This sequence mirrors the Drughub official onboarding flow documented on their Dread subdread.

  1. Download Tor Browser from the official source

    Go to torproject.org/download and download the build for your operating system. The Tor Project publishes builds for Windows, macOS, Linux (32-bit and 64-bit), and Android. There is also a .onion version of the download page if you're already inside Tor.

    Do not download Tor Browser from third-party sites, mirror aggregators, or app stores unless they are the official Tor Project channels. A compromised browser binary is the most common phishing vector in the space — the binary looks identical, behaves identically on the clearnet, but routes your connection through an attacker's nodes when you visit .onion addresses.

    The download page gives you a signature file alongside the binary. You need both. Don't skip the verification in the next step.

  2. Verify the download signature

    The Tor Project signs every release with a GPG key. Verifying it takes two minutes and confirms the binary hasn't been tampered with. Download GnuPG if you don't have it, import the Tor Project's signing key, then run:

    gpg --verify tor-browser-*.asc tor-browser-*.tar.xz

    A valid result reads Good signature from "Tor Browser Developers". A warning about trust level is normal — it means you haven't personally signed their key, not that anything is wrong. If you see BAD signature, delete the download and retry from a different mirror.

    Skipping this step is the single biggest security mistake new users make. It's two commands. Do it once and you'll do it automatically from then on.

  3. Set security level to Safest before anything else

    Open Tor Browser. Before you visit any .onion address, click the Shield icon in the toolbar and select Safest. This disables JavaScript on non-HTTPS sites, which matters because many .onion pages don't serve over HTTPS — they can't, by design. The Safest level forces the browser to operate with a minimal attack surface.

    What Safest disables: JavaScript on non-HTTPS pages, SVG animations, some fonts, and certain media. Most .onion markets are designed to work without JS — Drughub is deliberately JS-free in its core flows for exactly this reason.

    If you're running Tor over a VPN (Mullvad or similar), connect to the VPN first, then open Tor Browser. This hides the fact that you're using Tor from your ISP. Note: Tor Project recommends this only if your ISP is actively hostile to Tor traffic — for most users, Tor alone is sufficient.

  4. Get the verified Drughub link from this directory

    Return to the homepage or the mirror list page to copy the current verified .onion address. The link on this portal is PGP-signed by the Drughub team on their Dread subdread and re-verified every six hours.

    Use the Copy verified link button — don't type the address by hand. A .onion address is 56 alphanumeric characters. One character wrong means a different server. Phishing clones look identical inside the browser because they've copied Drughub's interface exactly. The only thing that differs is the address.

    You can copy either the primary gateway or one of the mirror nodes. They serve the same content from different infrastructure. If one fails to connect, use the other. Mirrors rotate during DDoS events — check the mirror list for the latest.

  5. Connect, verify the address, and solve the captcha

    Paste the copied address into the Tor Browser address bar. First connection takes 20–90 seconds — Tor is routing your traffic through three relays across the globe before it reaches the .onion server. Don't refresh. Don't assume it's broken. Wait.

    When the page loads, Drughub will present a captcha. This is expected. It's a bot-prevention layer, not a sign of a problem. Solve it once per session. The captcha design is simple and text-based — again, because Drughub is designed to work on Safest security level without JavaScript-dependent image delivery.

    After solving the captcha, you're at the login or registration screen. First-time users register here. Return users authenticate with their PGP key (no password — Drughub uses passwordless PGP login).

  6. Create your account

    Click Register. You'll choose a username. Pick something with no connection to any clearnet identity — no existing handles, no birthday numbers, no city references. The username becomes permanent; you can't change it later without creating a new account. Think of it as a separate identity, not a screen name.


    Drughub will show you its registration rules after the username step. Read them. The platform has a zero-tolerance policy on vendor scams, and the rules explain the dispute resolution process you'd rely on if an order goes wrong. Screenshot the rules or save them in your KeePassXC notes.


    The final registration step asks for your PGP public key. You need to generate this before you can complete signup. Proceed to step seven, then return here.

  7. Generate a 4096-bit PGP key and upload to Drughub

    Drughub uses passwordless PGP authentication. Your private key is your login credential. Your public key is what the platform stores. This means: if you lose the private key, you lose account access permanently. There is no "forgot password" flow — by design.

    Generate a key with GnuPG:

    gpg --full-generate-key

    Choose RSA, 4096-bit key size. Set an expiry of one to two years — you can extend it before it expires. Use a strong passphrase stored in KeePassXC. The UID (name/email) can be anything — it won't be shown publicly on Drughub. Many users use a pseudonymous handle.

    Export your public key:

    gpg --armor --export YOUR_KEY_ID > drughub_public.asc

    Open drughub_public.asc, copy the entire block (including the -----BEGIN PGP PUBLIC KEY BLOCK----- header), and paste it into the Drughub registration PGP field.


    Back up your private key immediately. Export it, encrypt the export, and store it offline — on a USB drive in a separate location, or on paper using the gpg --gen-revoke revocation certificate. Losing the key means losing the account. No recovery path exists.

  8. Fund with Monero and make your first transaction

    Drughub's walletless invoice system means the platform never holds your XMR. When you place an order, Drughub generates a unique payment address specific to that transaction. Funds go directly into a 2-of-3 multisig escrow — one key for the buyer (you), one for the vendor, one for the platform. Any two keys can release the funds. The platform cannot steal from escrow alone.

    To get Monero: buy XMR on an exchange (Kraken, a LocalMonero-style P2P service, or any of the Monero-accepting merchants), withdraw to a self-custody wallet. Monero GUI, Feather Wallet, or Cake Wallet all work well. Never pay directly from an exchange — the exchange has a record of the address and can be subpoenaed.


    Wait for at least ten confirmations on your wallet deposit before funding an order. XMR confirmations take about two minutes each — ten confirmations is roughly twenty minutes. Don't rush this step. Partially-confirmed balances can cause invoice timeouts.


    When you find a listing, check the vendor's feedback score and lab verification badge. Gold-badge listings have third-party purity and contaminant testing attached. If something is wrong with an order, open a dispute through the platform's resolution centre — the 2-of-3 multisig means neither the vendor nor the platform can close the escrow without your key. Done. That's the full procedure.
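
Step 2's signature check, as an added example (not part of the original guide): `Good signature` only says that some key in your keyring made the signature, so this sketch reads GnuPG's machine-readable status lines and accepts a download only when the primary-key fingerprint matches a pinned value. The pinned fingerprint and the sample status lines are constructed placeholders; the keywords are those GnuPG writes with `--status-fd`.

```python
# Assumption: placeholder for the publisher's primary-key fingerprint, obtained
# out of band. Replace with the real 40-hex-digit value before use.
PINNED_PRIMARY_FPR = "A" * 40

# Status keywords that mean the signature must not be trusted.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

def check_status(status_text, pinned_fpr=PINNED_PRIMARY_FPR):
    """Judge the output of `gpg --status-fd 1 --verify SIG FILE`.

    Returns (ok, reason). ok is True only if a VALIDSIG line names the
    pinned primary key and no fatal keyword appears.
    """
    seen_valid = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable output is ignored on purpose
        fields = line.split()[1:]
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL:
            return False, keyword
        if keyword == "VALIDSIG":
            # args[0] is the key that made the signature (often a subkey);
            # the 10th field, when present, is its primary key's fingerprint.
            primary = args[9] if len(args) >= 10 else args[0]
            if primary.upper() != pinned_fpr.upper():
                return False, "signed by unexpected key " + primary
            seen_valid = True
    return (True, "ok") if seen_valid else (False, "no VALIDSIG line")

# Constructed sample outputs (not captured from a real release).
def _sample(primary):
    return (
        "[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 1111111111111111 Example Signer\n"
        f"[GNUPG:] VALIDSIG {'B' * 40} 2026-04-01 1775000000 0 4 0 1 10 00 {primary}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # the harmless trust warning
    )

GOOD = _sample("A" * 40)
WRONG_KEY = _sample("C" * 40)  # "Good signature", but from another key
BAD = "[GNUPG:] BADSIG 1111111111111111 Example Signer\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("wrong key", WRONG_KEY), ("bad", BAD)):
        print(name, check_status(text))
```

The `WRONG_KEY` case is the one the plain-text output hides: it still reports a good signature, and only the fingerprint comparison rejects it.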

§ 03 · OPERATIONAL SECURITY

Key principles that don't change

The setup above covers the mechanics. These three principles cover the threat model. Read the full breakdown on Privacy Guides.

OPSEC · 01

Separate identity. Always.

No clearnet username, no real email, no phone number tied to anything on Drughub. The account exists in one place: inside Tor Browser on this device or in Tails. Your PGP key ties nothing to your real identity. The moment you reuse a handle from Reddit, Discord, or any clearnet service, you create a linkability vector.

Use Proton Mail with a Tor-created account if you need an email address for any part of the setup. Never use Gmail or any provider that requires phone verification.

Reference: EFF Privacy overview

OPSEC · 02

Verify every link before every session

Drughub's .onion address rotates after DDoS events. Phishing clones appear within hours of any major market news cycle. Bookmark this portal, not the raw .onion address. Come here before each session to confirm the link hasn't changed.

Inside Tor Browser, you can verify a .onion address is correct by checking the padlock icon — it shows the certificate details for the v3 hidden service. A phishing clone will have a different .onion address even if the visual design is identical. One character of drift. That's all it takes.

Phishing sites copy Drughub's interface exactly. Check the address, not the design.

OPSEC · 03

Encrypt everything you send to vendors

Drughub requires PGP on all vendor messages — it's mandatory, not optional. But the platform enforcing it doesn't mean you can skip reading how PGP works. Understand what "end-to-end" means here: the server cannot read your messages. But if you accidentally paste your real address unencrypted in the order notes field, the platform's zero-retention policy doesn't help.

Use GnuPG or Briar for external communication. Keep all Drughub-related communication inside Drughub's messaging system — never use Wickr, Session, or Telegram for order communication. Those can be subpoenaed. Drughub messages go through P2P PGP, server-side zeroed after the escrow window closes.

Reference: GnuPG documentation

§ 04 · QUICK REFERENCE

Platform facts at a glance

Launch date: August 2023
Founded by: White House Market team
Payment method: Monero (XMR) only — no Bitcoin
Login system: Passwordless PGP — 4096-bit key required
Escrow model: 2-of-3 multisig — platform never holds custody
Lab verification: 90% of listings — Gold / Silver / Bronze badges
Data retention: Zero — messages purged after escrow window
Registered users: 87,007 accounts
Active listings: 13,487 as of April 2026
Uptime: 98.8% average with DDoS protection

§ 05 · GET THE LINK

Ready. Copy and open in Tor.

You've read the guide. Tor is open at Safest level. Copy the verified link below and paste it into the address bar. Done.

PRIMARY GATEWAY — VERIFIED 21.04.2026
