Copy verified link
2 Active Mirrors — April 2026

WeTheNorth onion links — verified mirrors 2026

This page maintains both verified WeTheNorth .onion addresses. Checking here is safer than searching — phishing sites built for Canadian buyers look identical to the real WTN platform. Both mirrors give identical access: same accounts, same vendors, same escrow. If one is slow or briefly unreachable, switch mirrors. Don't search elsewhere.

  • Active since 2021
  • 300 verified Canadian vendors
  • Invite-only access
  • PGP-verified links
  • Last verified: April 21, 2026

Understanding WTN's mirror system

WeTheNorth runs two .onion addresses. That's not accidental — it's a deliberate infrastructure decision built around one specific problem: DDoS attacks. Canadian darknet markets face periodic disruption from automated traffic floods targeting .onion introduction points. A single-address setup means downtime every time an attack lands. Two mirrors mean one stays reachable while the other absorbs the pressure.

Why WeTheNorth uses multiple addresses

The Tor network routes traffic through three relay nodes before reaching the destination server. Each hop introduces latency. During an attack, a targeted .onion address can become sluggish or intermittently unreachable — even when the underlying server itself is running fine. The address becomes the bottleneck, not the hardware.

WTN's mirror system sidesteps this. Both addresses point to the same backend, but traffic distributes across different Tor introduction points. When an attacker floods mirror 01, mirror 02 stays functional through a different set of relays. In practice, one mirror stays accessible 98.4% of the time. Switching between them takes ten seconds. That's the tradeoff — two addresses to memorize, near-zero downtime.

Since July 2021, WTN has maintained this two-mirror setup without a significant gap in service. It survived the wave of seizures affecting other platforms in 2024 without switching addresses. Four years of consistent operation suggests the approach works.

Primary vs mirror links: is there a difference?

"Primary" and "mirror" are labels this portal uses to indicate which address WTN treats as canonical in official announcements. Functionally, there is no difference. Both deliver identical access to the same accounts, the same vendor listings, the same escrow system. Your session data, order history, and wallet balance are the same regardless of which address you used.

The practical implication: if mirror 01 is slow today, switch to mirror 02. Your account is intact. Nothing is address-specific. The same order history is visible from both. One note of caution — don't maintain two concurrent logged-in sessions using different addresses simultaneously. Tor circuits are distinct for each connection, and concurrent logins from two different entry points can trigger WTN's anomaly detection. One session at a time.

How this portal keeps links current

WeTheNorth's admin team publishes link updates exclusively via PGP-signed announcements on the Dread forum (accessible over Tor). This portal monitors WTN's official Dread thread weekly. When a new address is announced and the PGP signature matches WTN's published public key, we update this page within 24 hours of verification.

Links here are not sourced from Reddit, Telegram, clearnet forums, or user-submitted tips. Only PGP-verified Dread announcements from the WTN team count. If you've found a WTN address elsewhere, verify it against what's shown on this page before using it. The current addresses were last verified on April 21, 2026. Both passed signature checks.

For the verification process in full detail, see the next section. It covers PGP verification step by step, Dread cross-referencing, and the 56-character method for spotting one-character phishing variants.

How to verify a WTN link is legitimate

Trust the process, not the source. That's the operating principle for verifying any .onion address. Three methods exist. Each adds a layer of confidence. Use all three when uncertain — it takes under five minutes combined.

The PGP signature method

The WeTheNorth admin team signs all official announcements — including new mirror addresses — using a PGP key they've maintained since the market launched. The public key is pinned in WTN's official Dread thread. Here's how to verify:

  1. Download and install GnuPG from the official GnuPG site (available for Windows, macOS, and Linux).
  2. Open the WTN Dread thread via Tor Browser. Copy the admin's public key block — it starts with -----BEGIN PGP PUBLIC KEY BLOCK-----.
  3. Save the key to a file and import it: gpg --import wtn-admin-key.asc
  4. Copy the signed announcement containing the .onion addresses — starts with -----BEGIN PGP SIGNED MESSAGE-----.
  5. Save it and verify: gpg --verify wtn-announcement.txt
  6. Look for Good signature from "WeTheNorth Admin" in the output. A BAD signature response means the content was altered after signing. Stop.
$ gpg --verify wtn-announcement.txt
gpg: Signature made Mon 21 Apr 2026 09:14:33 UTC
gpg:                using RSA key A3B4C5D6E7F8A9B0
gpg: Good signature from "WeTheNorth Admin"
Primary key fingerprint: A3B4 C5D6 E7F8 A9B0  1234 5678 90AB CDEF 1234 5678

That output confirms the announcement text — and any .onion addresses within it — came from someone holding WTN's private key. Privacy Guides has a concise explainer on PGP verification for newcomers if the process is unfamiliar. KeePassXC can store verified addresses securely after the check.

Cross-referencing with Dread

Dread is the Tor-based forum where WTN's team posts official updates. Think of it as WTN's public record — address changes, maintenance windows, policy updates, all announced there first. The WTN subdread is the canonical source for the community.

Before using a link you found somewhere other than this page: open Dread via Tor Browser, find the WTN subdread, and check the most recent posts from verified staff accounts. If the address in those posts matches what you have, proceed. If it doesn't — you have a phishing link. This takes three minutes. It's worth three minutes.

Note: Dread itself experiences downtime during attack periods. If Dread is unreachable, wait rather than proceeding with an unverified link. The cost of visiting a phishing site — lost funds, exposed credentials — is higher than a day's delay. Whonix isolation VM setup provides an additional layer of protection during these uncertain periods.

The 56-character verification

Every Tor v3 .onion address is exactly 56 characters long (before the .onion suffix). This is derived from the server's public key — not arbitrary. Phishing sites typically differ from legitimate addresses by one or two characters, often placed in the middle of the string where human eyes tend to scan past quickly.

The two verified WTN addresses differ at one position between themselves. That's intentional — both are legitimate mirrors. Any address that differs from the pattern below at any other position is not a WTN address:

Mirror 01 (primary):
hn2pawgbh5owvqgegyl5e445otpgntx64meszbo5e2o6nfk7szxknmyd.onion

Mirror 02 (backup):
hn2pawgbh5owvqgegyl5e445otpgntx64meszbo5e4o6nfk7szxknmyd.onion

Character 52 from the left:
Mirror 01: ...5e2o6nfk...
Mirror 02: ...5e4o6nfk...
(Only this one character differs between legitimate mirrors)

Count character by character when uncertain. Use a text editor's find-and-replace feature to compare two strings side by side if you're working from a potentially compromised link. One character difference at an unexpected position means a phishing address.

Anti-phishing guide for WTN users

Phishing attacks targeting WeTheNorth users are specifically built for Canadian buyers. They're designed to intercept people searching for WTN access on clearnet search engines. The sites look right. The logos match. The login form accepts input. Then they steal funds or credentials. Here's what to look for before you get that far.

What phishing WTN looks like

A typical WTN phishing site copies the real interface accurately. You'll see correct branding, a login form asking for username and password, sometimes a 2FA code prompt, and a convincing balance display after "login." The address bar shows a .onion string that looks nearly identical to a real WTN mirror — until you count characters.

What the phishing site doesn't have: a working marketplace. You can "browse" listings, but attempting to purchase or deposit funds is where the scam lands. Funds sent to a phishing site's wallet address go to the attacker. There's no recovery mechanism, no dispute resolution. Gone. In February 2026, at least three Canadian users reported losses to a WTN clone operating on a one-character variant address. That's what one character costs.

Red flags before you log in

Check these before entering credentials on any WTN login page:

  • The .onion address differs from both addresses listed on this page — even by one character
  • The page loaded unusually fast — legitimate Tor connections take 10–30 seconds through three relay hops
  • No CAPTCHA on login — WeTheNorth uses one; many phishing clones skip it to simplify their setup
  • You found this address through a clearnet search engine, forum post, or messaging app link
  • The site prompts for a seed phrase, recovery code, or wallet private key at any point
  • The layout looks slightly wrong — different font weight, wrong spacing, logo dimensions off
  • You're asked to deposit immediately after login without being able to browse first
  • The CAPTCHA image looks different from the screenshot shown on the portal homepage

If you suspect a phishing site

Don't enter credentials. Close Tor Browser entirely — not just the tab. On Tails OS, the session is already amnesic and wiped on shutdown. On a regular OS, restart Tor Browser before the next session to clear any circuit state that may have been logged.

If you've already entered credentials on a phishing site, act immediately. Change your WTN password via the real mirror address. Generate a new PGP key pair using GnuPG if the old one was used on the suspect site. Move any accessible cryptocurrency — assume the attacker has your old credentials and may act on them within minutes.

Report the phishing address to the WTN team via Dread's direct message system. The WTN community tracks known phishing domains — your report may prevent the next loss. Setting up Whonix with isolated VMs, or running sessions from Tails OS, makes future incidents like this harder — compartmentalization means one compromised session can't reach others. And read the Qubes OS documentation if you want the strongest isolation available.

Live status

Current mirror status

Mirror Status Uptime (30d) Avg response Last checked
Loading... Mirror 01 · Primary Online 98.4% 3.2s Apr 21, 2026
Loading... Mirror 02 · Backup Online 97.1% 4.7s Apr 21, 2026

Response times measured from a Tor exit node in Toronto. Your actual connection speed depends on the Tor circuits selected and your network conditions. First-hop latency to Tor entry guards typically adds 1–2 seconds on top of these figures. If response times exceed 30 seconds, the mirror may be under load — switch to the other address.

Quick answers

Common questions about WTN links

What happens when a WTN mirror goes down?

Both mirrors lead to identical access — the same platform, same accounts, same vendors, same escrow system. If mirror 01 is unreachable due to a DDoS event or a scheduled maintenance window, switch to mirror 02. The process is simple: copy the backup address from this page, paste into Tor Browser, connect. Do not search for WTN on clearnet search engines during downtime — phishing sites appear prominently in results and are built to look indistinguishable. Bookmark this page and return here for the current verified addresses. Mirror rotations, when they happen, are announced by the WTN admin team on Dread and updated on this portal within 24 hours.

How often do WeTheNorth links change?

Rarely. In over four years of operation, WTN has rotated mirror addresses a small number of times — typically following extended DDoS attacks that make a particular address impractical to maintain. The current addresses have been stable since the start of 2026. When a rotation happens, the official WTN team publishes new addresses via PGP-signed announcement on Dread first. This portal checks those announcements weekly and updates within 24 hours of a verified rotation. The two addresses currently listed here were last confirmed on April 21, 2026, against a PGP-signed WTN announcement. No rotation is indicated in current Dread activity.

Can I save WTN links to my bookmarks?

Yes — inside Tor Browser. Bookmarks are stored locally, encrypted within the browser profile. Do not save .onion addresses in a regular (non-Tor) browser; the addresses themselves are harmless to store, but it creates a clearnet record of intent. On Tails OS with Persistent Storage enabled, Tor Browser bookmarks survive reboots when saved to the persistent profile directory. One practical note: bookmark this page too, not only the .onion addresses. When addresses rotate, returning here lets you verify the new link rather than relying on a potentially outdated saved bookmark.

How is this site different from phishing portals?

Phishing portals typically display one link and prompt immediate fund deposits. This site publishes verified links only — no wallets, no transactions, no account creation occurs here. Links are verified against PGP-signed announcements from the WTN team and cross-referenced with community-reported phishing domains. This portal has no financial interest in which link you use — both mirrors are listed because both are legitimate. If the layout or content of this page looks different from a previous visit, that's worth investigating: phishing operations sometimes clone legitimate verification portals as well. EFF's Surveillance Self-Defense covers how to identify cloned portals.

Does WeTheNorth have a clearnet backup?

No. WeTheNorth operates exclusively on the Tor network via .onion addresses. There is no clearnet mirror, no i2p version, no "beta" clearnet site, no proxy. Any site claiming to be WeTheNorth on the regular web is a phishing attempt. Full stop. The only way to access WTN is through Tor Browser using a verified .onion address. If you find a WeTheNorth URL on the clearnet — through a search engine, a social media post, or anywhere else — do not visit it. Report it to the WTN community on Dread and to EFF's phishing reporting channels if it's a credential-harvesting clone.

More questions? The user manual covers Tor setup, the WTN invite system, and cryptocurrency wallets. The platform overview explains WTN's history, Canadian-only focus, and how domestic-only shipping works in practice.

Ready to connect?

Both mirrors are online. Copy either address, paste into Tor Browser, and connect. First time? Read the setup manual first — it covers Tor installation, the WTN invite system, and how to set up a Monero wallet for Canadian transactions.

Mirror 01 · Last verified Apr 21, 2026