Moomin Market Safety Library

Community-sourced security guides, scam history, and practical checklists

This is the safety reference for anyone using Moomin Market. It covers the realistic threat landscape — phishing, bad vendors, deposit scams, opsec failures — and gives you concrete things to do about each of them. Not theoretical. Practical.

The Threat Landscape — What Actually Goes Wrong

Before getting into checklists, it helps to understand where money actually gets lost. Based on community reports and market history, the main failure modes are:

Phishing clones: Fake market sites with near-identical onion addresses. Deposit goes in, never comes out. This is the most common way newcomers lose money.
Compromised accounts: Weak passwords, no 2FA, credentials stored in cloud apps. Someone else gains access, drains the balance.
Expired deposit addresses: User generates address, waits too long, address expires. Funds sent to expired address may be lost.
Bad vendors: Vendors who take payment and never ship. Usually filtered out by reputation over time, but newer vendors carry more risk.
Opsec failures: Using a real email, real username, same password as clearnet accounts. Correlation attacks become possible.

"The weakest point in any darknet transaction is usually the human, not the technology." — widely shared opsec principle

Security Checklist — Account Setup

Before Your First Session

Browser:: Tor Browser from torproject.org only
Password:: Unique, long, random. Never reused.
Username:: No personal info. New identity.
Storage:: Offline only (paper or encrypted USB)
2FA:: PGP key — set up before first deposit
Recovery:: PGP key only. No PGP = no recovery.

Action	Why	Priority
Verify onion address character-by-character	Prevent phishing clone access	CRITICAL
Set up PGP 2FA before depositing	Required for withdrawals, extra security	CRITICAL
Verify deposit address PGP signature	Confirms you're on the real market	CRITICAL
Keep deposit PGP signature copy	Required for dispute resolution	CRITICAL
Use unique credentials	Prevents correlation attacks	HIGH
Check vendor reviews before ordering	Filter out scam vendors	HIGH
Encrypt delivery messages to vendor PGP key	E2EE for dead-drop addresses	HIGH

Scam Types — History and Examples

Phishing Sites

The most persistent scam in the darknet market space. A phishing site will have an onion address that looks nearly identical to the real one — perhaps one character swapped, or using visually similar characters (like 0 instead of o, or 1 instead of l). The site looks exactly like the real market. You deposit. The "deposit" goes to the scammer's wallet. You never see it again.

The defense is simple but must be executed every single time: verify the onion address against a known-good source (like this page, or the market's official PGP-signed announcement) before loading the site. Don't bookmark a URL a stranger gave you.

The official Moomin Market onion always begins with moominkrkr. Check this prefix every time you access the market. Phishing sites typically change characters in the middle or end of the address where users are less likely to check carefully.

Fake "Support" Contacts

Scammers impersonate market staff on Telegram, Reddit, and forums. They offer to "help" with stuck orders, deposit issues, or account problems — and then ask for your account credentials or PGP private key. Real Moomin Market staff will never contact you outside the market, and will never ask for your password or private key.

Moomin Market's rules explicitly forbid referring users to external communication tools. Any message claiming to be from market support that comes through an external channel should be treated as a scam attempt.

Vendor Exit Scams

A vendor builds reputation over weeks or months, then takes multiple large orders without shipping. The escrow system mitigates this but doesn't eliminate it — particularly when buyers use early finalization (FE). Minimize risk by: not using FE with vendors you haven't used before, keeping orders within the escrow window, and checking vendor review history carefully.

PGP Guide — Practical Minimum

You don't need to be a cryptography expert to use PGP on Moomin Market. The minimum you need to know:

Key pair: You have a public key (share freely) and a private key (never share, never lose).
2FA setup: Import or generate your keypair, then activate it in Account & Security. You need no active deposit addresses and under €10 balance at time of activation.
Withdrawal authorization: Withdrawals are authorized with your authentication (private) key. Lose the key, lose withdrawal access.
Deposit verification: When you generate a deposit address, it comes with a PGP signature from the market. Verify this against the market's public key before sending funds.
Message encryption: For dead-drop deliveries, encrypt your delivery address message to the vendor's PGP public key before sending.

Community Tips — Collected from Forum

Tips on choosing vendors safely +

Tips on handling deposits safely +

Tips on operational security (opsec) +

Glossary

Term	Definition
Onion address	A .onion domain accessible only via Tor. Cryptographically tied to the server's key pair — harder to fake than regular domains, but phishing clones exist.
Escrow	Funds held by the market until buyer confirms delivery. Protects both parties. The escrow period is the window during which disputes can be raised.
Early finalization (FE)	Buyer releases funds to vendor before delivery is confirmed. Higher risk. Only available to buyers with PGP 2FA for listings with short lock times.
Lock time	Period after order confirmation during which the buyer cannot dispute or approve the order.
PGP 2FA	Two-factor authentication using a PGP key pair. Required for withdrawals. Adds significant security to accounts.
Dead drop	Delivery method where the vendor hides the product at a location and sends coordinates to the buyer, rather than mailing directly.