Matrix Reprogrammed sigil MATRIX REPROGRAMMED
You are here

Site route

This page is part of the wider reporting system. Start with the summary, then open the evidence route or research tools for deeper source work.

SummaryEvidenceResearchSearch
Matrix ReprogrammedReports, records, people, institutions, money routes and missing files.
Lawful Tor access · official onions · hostile-environment safety

DARK WEB SAFETY & LAWFUL ONION RESOURCES.

A defensive field guide for using Tor without confusing privacy with invisibility. It explains identity separation, verified downloads, browser security levels, phishing-resistant onion discovery, hostile-file handling, emergency response and the limited set of onion services that can be verified from authoritative public sources.

Hard boundary: This guide supports lawful privacy, censorship resistance, journalism, whistleblowing, defensive research and access to verified public-interest onion services. It does not provide links, mirrors, invitations, vendor information or operational guidance for illicit markets, stolen data, malware services, weapons, drugs, exploitation material or other criminal activity.

Know what you are using

SURFACE, DEEP AND DARK WEB.

Surface web

Public pages reachable through ordinary browsers and commonly indexed by search engines.

Deep web

Content not indexed publicly, such as private email, banking, medical portals and authenticated databases. Most of the deep web is ordinary and lawful.

Dark web

Services intentionally reachable through anonymity networks such as Tor. A Tor onion service uses a 56-character v3 address ending in .onion.

Tor Browser

A hardened browser that routes traffic through the Tor network and reduces tracking and fingerprinting when used with its defaults.

Onion service

A service reachable only through Tor. Traffic remains inside Tor and is end-to-end encrypted between Tor Browser and the onion service.

THE SAFEST DEFAULT.

For ordinary lawful reading, use the current Tor Browser downloaded from the Tor Project, keep its defaults, obtain onion addresses from an organisation's official clearnet website, avoid downloads and never mix a personal identity with a separated research identity. Tails is appropriate when a temporary amnesic environment is needed; Qubes OS with Whonix is an advanced persistent compartmentation system, not a beginner shortcut.

Twelve-stage operating discipline

STEP-BY-STEP SAFE TOR WORKFLOW.

Read the complete sequence before opening an onion address. The strongest network tool cannot compensate for personal logins, reused identifiers, malicious files or a compromised endpoint.

1

Define the lawful purpose and threat model

Write down why Tor is needed, what identity or information must be protected, who could observe the activity, how long separation must last and what consequences a failure would have. Ordinary privacy, whistleblowing and high-risk targeted research require different systems.

2

Choose the correct environment

Use Tor Browser on a fully updated everyday computer for low-risk private reading. Use Tails from a verified USB for an amnesic session. Use Qubes OS with Whonix for persistent high-risk compartmentation. Do not assume a virtual machine automatically hides activity from a compromised host.

3

Download only from the official project

Obtain Tor Browser from torproject.org or Tails from tails.net. Verify the download signature or verification result before installation. Never install a repackaged browser from a forum, file host, torrent, advertisement or onion directory.

4

Separate the research identity

Do not log into personal email, social media, cloud storage or accounts previously used outside Tor. Do not reuse usernames, profile images, phone numbers, writing signatures, recovery addresses or schedules. Identity separation is more important than adding another network layer.

5

Connect safely

Connect Tor Browser directly in most ordinary environments. Use official Tor bridges or Snowflake only where Tor is blocked or where revealing Tor use creates risk. A VPN is not required for Tor and merely moves trust to another provider; no free VPN is recommended.

6

Set the security level before browsing

For unknown onion services, use Tor Browser's Safer or Safest security level. Safest disables more active web features but can break sites. Do not add extensions, change about:config settings, resize the window unusually or install plugins because customisation can make the browser fingerprint more unique.

7

Obtain onion addresses from an authoritative clearnet source

Prefer a service's official clearnet page, SecureDrop Directory or Tor Browser's Onion-Location prompt. Confirm the full 56-character v3 address. Never trust a Hidden Wiki, random paste, social-media reply, search advertisement, URL shortener or unsolicited message.

8

Verify the address before every sensitive visit

Compare the entire onion address with the official source, not only the first few memorable characters. Bookmark the verified address inside the isolated profile. Phishing clones can copy branding, login forms and PGP text while using a different onion key.

9

Browse without creating identifying links

Do not enter personal details, reuse passwords, make payments, connect wallets, upload identity documents or allow notification prompts. Do not use Tor for ordinary personal accounts in the same compartment used for anonymous research.

10

Treat every download as hostile

Avoid downloading files. When a lawful public-interest document is necessary, record the source and hash, keep the original unopened, convert a copy through Dangerzone or open it in a disposable offline compartment. Never enable macros, scripts, external content or embedded media.

11

Use purpose-built submission and transfer tools

Use the official SecureDrop Directory to locate news organisations and OnionShare for controlled Tor-based file transfer. Read the recipient's instructions first. Remove metadata with MAT2 or ExifTool when appropriate, but preserve an untouched original separately when evidential integrity matters.

12

End the session deliberately

Close Tor Browser and shut down Tails rather than leaving the environment suspended. Remove temporary notes, disconnect removable media and keep any lawful evidence in an encrypted, documented archive outside the browsing compartment. Review what personal or behavioural information may have been revealed.

Recommended defensive stack

BEST FREE TOOLS FOR DARK-WEB SAFETY.

Defensive tool

Tor Browser

Default browser for lawful onion services and private web access.

Best for: Low-to-moderate risk reading and censorship resistance.

Limit: Cannot protect an infected device, unsafe login, identifying behaviour or files opened outside Tor.

Open official project ↗
Defensive tool

Tails

Amnesic operating system routing internet activity through Tor.

Best for: Temporary high-separation sessions from a verified USB.

Limit: Not magic; firmware, hardware, behaviour, persistent storage and unsafe files can still expose a user.

Open official project ↗
Defensive tool

Qubes OS

Compartmentalises tasks into isolated virtual machines.

Best for: Persistent advanced research with separate identities and disposable file handling.

Limit: Requires compatible hardware and disciplined use; it is not anonymous without an anonymity compartment.

Open official project ↗
Defensive tool

Whonix

Separates Tor routing into a gateway and workstation.

Best for: Persistent Tor applications, especially inside Qubes OS.

Limit: Host compromise, identity reuse and simultaneous Tor/non-Tor activity can defeat separation.

Open official project ↗
Defensive tool

OnionShare

Tor-based file transfer, receive mode, temporary site hosting and chat.

Best for: Controlled direct transfer without conventional cloud hosting.

Limit: Protect the generated address; a recipient can copy or redistribute anything received.

Open official project ↗
Defensive tool

Dangerzone

Converts potentially malicious documents into safer PDFs inside isolated containers.

Best for: Reading lawful documents received from unknown or sensitive sources.

Limit: Conversion may change formatting and cannot make an already compromised host safe.

Open official project ↗
Defensive tool

MAT2

Removes metadata from common files.

Best for: Preparing copies for lawful publication or transfer.

Limit: Metadata removal does not remove visible clues, cloud logs, file hashes or all proprietary data.

Open official project ↗
Defensive tool

KeePassXC

Local encrypted credentials and unique research-identity passwords.

Best for: Keeping compartment-specific credentials offline from hosted password services.

Limit: The user must protect and back up the encrypted database without mixing identity compartments.

Open official project ↗
Authoritative discovery only

VERIFIED OFFICIAL ONION SERVICES.

Every address below is paired with an official clearnet verification source. Compare the full 56-character address before sensitive use. Do not rely on memory, search adverts, random directories or shortened links.

SearchVerified official service

DuckDuckGo Onion Service

A basic onion-service connection test and privacy-oriented search interface.

duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion

Verification: Published by the Tor Project in its onion-service troubleshooting documentation.

Warning: Search results are not endorsements. Do not use results to discover illicit markets or trust unknown onion addresses.

WhistleblowingVerified official service

SecureDrop Directory

Official directory of active SecureDrop instances operated by news and public-interest organisations.

sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion

Verification: The onion address is published in the footer of the official SecureDrop Directory.

Warning: Choose the organisation deliberately and follow its source instructions. SecureDrop protects a channel, not careless identity disclosure.

File transferVerified official service

OnionShare Official Site

Official OnionShare project site and download information over Tor.

lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion

Verification: The project publishes the address and proof on its official clearnet website.

Warning: Download software only after verifying the official source and published signatures.

Government informationVerified official service

CIA Official Onion Site

Official CIA public site and reporting-information route over Tor.

ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion

Verification: The exact address is published by the CIA on its official website.

Warning: Contacting any government organisation has serious consequences. Read the official reporting instructions and obtain independent legal advice where appropriate.

NEVER USE A “HIDDEN WIKI” AS A TRUST DIRECTORY.

General onion directories are easy to clone, poison and redirect. A convincing title or logo does not prove ownership. Use an organisation's official public website, its Onion-Location prompt or a recognised project directory such as SecureDrop. This guide deliberately excludes illicit market addresses, ransomware portals, stolen-data shops and criminal-service forums.

Non-clickable illicit-market and hostile-site risk tracker

DANGEROUS CATEGORIES NOT TO VISIT.

This watch explains risk patterns without publishing addresses, mirrors, access instructions, vendor names or invitations.

9 danger categories shown
Non-clickable danger watchCritical

Hidden Wiki and random onion directories

  • Phishing clones can replace legitimate addresses with attacker-controlled lookalikes.
  • Directories frequently mix lawful resources with scams, malware and illegal content.
  • Operators and mirrors can change without notice and may be compromised.

Safety rule: Do not use general onion directories. Obtain addresses from the organisation's official clearnet page or a recognised project directory.

Non-clickable danger watchCritical

Illicit drug, weapon and counterfeit markets

  • Participation can be criminal and transactions create financial, postal and device evidence.
  • Markets are frequently exit scams, law-enforcement operations or compromised services.
  • Listings can contain fentanyl, fraud, malware, coercion and false escrow claims.

Safety rule: Do not visit, register, transact, contact vendors or seek mirrors. This page intentionally publishes no market addresses.

Non-clickable danger watchCritical

Stolen credentials, carding and identity-data shops

  • Possession or use of stolen data can cause direct harm and criminal liability.
  • Downloads commonly contain malware, fake datasets or material designed to identify buyers.
  • Payment and account activity can link a user to a criminal service.

Safety rule: Use breach-notification services only to protect accounts you own. Never acquire or test third-party credentials.

Non-clickable danger watchCritical

Malware, exploit and cybercrime-as-a-service forums

  • Tools and samples may infect the visitor rather than the stated target.
  • Forums can be monitored, seized or operated by law enforcement.
  • Requests for services, targets or access can create evidence of intent.

Safety rule: Use legal training labs, CTFs and defensive repositories. Do not access criminal service forums or download unknown samples.

Non-clickable danger watchCritical

Unknown leak dumps and file archives

  • Archives can contain malware, personal data, exploitation material or illegal content.
  • Opening files may reveal the real IP address, device information or document-reader vulnerabilities.
  • Downloading or redistributing data can harm victims and destroy evidential context.

Safety rule: Use established public-interest publishers and verified evidence archives. Never download random dumps.

Non-clickable danger watchCritical

Fake hitman, hacking and recovery services

  • Many are extortion scams designed to collect payment and identifying information.
  • Contact can create legal risk even when the claimed service is fake.
  • Operators may threaten to expose messages or demand further payment.

Safety rule: Do not contact or test these services. Threats or extortion should be documented safely and reported to appropriate authorities.

Non-clickable danger watchHigh

Crypto investment, mixing and escrow offers

  • Fake escrow and investment schemes frequently steal deposits.
  • Transactions are permanently observable and can trigger sanctions, anti-money-laundering or criminal investigations.
  • Wallet software and QR codes may redirect funds or install malware.

Safety rule: Do not connect wallets, sign transactions or send funds to unknown onion services.

Non-clickable danger watchHigh

Ransomware leak sites

  • They distribute stolen victim data and may host weaponised downloads.
  • Visiting or downloading can expose victims further and create legal or ethical problems.
  • Sites may fingerprint visitors or redirect to malicious infrastructure.

Safety rule: Use trusted cybersecurity reporting and official incident notices instead of visiting leak portals.

Non-clickable danger watchExtreme

Illegal exploitation material

  • Possession, viewing, saving or sharing may be criminal and causes direct harm to victims.
  • Services can be scams, malware traps or law-enforcement operations.
  • Accidental exposure can be psychologically traumatic.

Safety rule: Close the page immediately. Do not save, screenshot, forward or investigate the content. Report through an official national channel such as the IWF or NCMEC CyberTipline where applicable.

Public enforcement lessons

ILLICIT-MARKET ENFORCEMENT WATCH.

These are historical public-record examples, not access routes. The recurring lesson is that longevity, ratings, Tor and cryptocurrency do not prevent seizure, covert control, exit scams, malware or identification through operational mistakes and financial evidence.

DateCaseStatusSafety lessonSource
2025-06Archetyp Market
Illicit drug market
DismantledA long-running market with a large user base was taken offline through coordinated action across multiple countries. Longevity and reputation did not create safety.Public record ↗
2024-03Nemesis Market
Drugs, stolen data and cybercrime services
Infrastructure seizedAuthorities reported seizing servers and cryptocurrency and retaining platform data for investigations of sellers and users.Public record ↗
2022-04Hydra Market
Russian-language illicit marketplace and financial services
Servers and assets seizedA large established ecosystem can be disrupted through infrastructure seizure, cryptocurrency analysis and international cooperation.Public record ↗
2021-01DarkMarket
Illicit marketplace
Taken offlineInfrastructure investigations can expose administrators and produce evidence for follow-on cases against vendors and users.Public record ↗
2017-07AlphaBay and Hansa
Large illicit marketplaces
Shut down after coordinated operationHansa was covertly controlled by law enforcement while users migrated to it after AlphaBay disappeared. A functioning site can be an active evidence-collection environment.Public record ↗
2013-10Silk Road
Illicit marketplace
SeizedPseudonyms, Tor and cryptocurrency did not prevent identification through operational mistakes, financial evidence and conventional investigation.Public record ↗
Immediate response

IF SOMETHING GOES WRONG.

You clicked an unknown onion link

Do not interact, download, log in or grant permissions. Close the tab. If Tor Browser behaved unexpectedly, close the browser and restart the isolated session.

A file downloaded automatically

Do not open it. Disconnect the research environment, record the filename and hash if lawful to retain, and delete or quarantine it using an authorised defensive workflow.

You entered a reused password

From a known-clean non-Tor device, change that password anywhere it was reused, enable MFA and review active sessions. Do not revisit the onion site.

You sent cryptocurrency

Stop further contact and preserve transaction records. Do not pay recovery services or extortion demands. Seek legal and law-enforcement guidance appropriate to the jurisdiction.

You saw illegal exploitation material

Close it immediately. Do not save or redistribute it. Report the URL through an official national reporting channel. In the UK use the Internet Watch Foundation; in the US use NCMEC CyberTipline.

You suspect device compromise

Disconnect the device from networks, avoid logging into important accounts, preserve volatile evidence only if trained, and seek qualified incident-response help from a separate clean device.

PRE-SESSION CHECKLIST.

  • The device and Tor Browser are fully updated and came from official sources.
  • The lawful purpose, threat model and identity boundary are written down.
  • No personal accounts, reused usernames, phone numbers or recovery addresses will be used.
  • The onion address was verified against an authoritative clearnet source.
  • Security level is chosen before visiting an unknown onion service.
  • Downloads are avoided; any necessary file has a quarantine and hashing plan.
  • There is an exit plan for accidental illegal content, malware, extortion or suspected compromise.

Figures & Sources

Figures on this page

Checked: 1 July 2026

Numbers on this page are public-record leads. Crime, migration, sexual-offence, payout, death, and crisis figures must be tied to named official, court, police, parliamentary, regulator, or reputable source records before they are presented as settled.

Evidence standard

What counts as a usable figure?

Official statistics, court records, ministry releases, police datasets, parliamentary material, regulator data, or clearly named public reports. Nationality, foreign-born status, asylum status, immigration status, charge, suspect, conviction, and victim categories must not be mixed.

Document trail

Open the underlying record

When the figure matters, follow the document link, source file, court record, official release, PDF, book, or video. The visible page should help readers reach the underlying evidence fast.

Source Review

Records before conclusions

Use the evidence route, search and missing-record queue before treating any pattern as settled.