ra.pe's PGP Tool: Verify your safetyReturn to ra.pe

Always PGP verify .onion and Bitcoin addresses before interacting with them. To verify a URL's authenticity, load /mirrors.txt on its .onion and paste the signature here.

What is phishing?

Verify a PGP-signed message

View our mirrors.txt as an example of what a signed message looks like.

Don't get phished.

Phishing is a method used by thieves to steal Bitcoin. Some researchers estimate that over 5 BTC per day is stolen from people who do not PGP verify .onion URLs before using them.

How does phishing work?

Phishers widely distribute fake URLs to popular Tor websites. These fake URLs are called "phishing proxies": sites which sit between you and the site you think you are visiting. They log every form you submit including usernames, passwords, Bitcoin addresses, and PINs.

Phishing sites swap out all Bitcoin addresses on a page with addresses owned by the hacker and can also swap out other text to make their site feel official.

Someone phishing ra.pe, for example, would convince you to click a link like "the-real-ra.pe.com". That link would forward all page loads through to the real ra.pe, replacing all instances of "ra.pe" on the page with their fake URL in realtime, and also swapping out all Bitcoin addresses with addresses the phisher owns in order to steal your generous donations.

Does 2FA authentication protect someone from phishing?

No. All expected site functionality works fine through a phishing proxy because they are forwarding your requests to the real site's server, modifying the server's response in realtime. 2FA authentication, secret phrases, and other security measures all work as expected on these fake sites. They have become very advanced.

How can I know a URL is accurate?

The only way to know if a site is authentic is to PGP verify its signed URL proof, which is typically hosted at /mirrors.txt if a site follows ra.pe's Onion Mirror Guidelines.

You should learn how to PGP verify signed messages yourself by following one of the many guides on the internet. In the meantime while you learn, ra.pe has released this PGP Tool to assist you.

If you are a cryptocurrency researcher, you could lose your entire budget by not verifying that the URL you are visiting is official before transferring funds. Always, always verify PGP signed messages.

All content on ra.pe is intended for researchers only.