A market that opened quietly
Anubis Market opened in January 2024, in the middle of a Tor market shuffle that had absorbed the usual seasonal round of exit scams and law-enforcement takedowns. The launch announcement was one paragraph on a Dread thread and one PGP-signed post attached to it. The signing key on that first post has not changed since, which is the single most useful thing a reader can know about the storefront.
Everything the reader trusts about Anubis flows from that one anchor. When the operator rotates a mirror, the announcement is signed by the same key. When a signed message shows up that verifies against the same fingerprint, the address inside is real. When one does not verify, it is worthless. This is the entire mechanism.
The signing key on the first post has not changed since. It is the single most useful thing a reader can know about this storefront.
Three doors into the same room
At the time of writing, the storefront publishes three onion addresses in a single signed rotation. Every one of them resolves to the same backend. If you log in on the first mirror and open your wallet, then log out and open the second mirror, your account balance and order history are identical. Nothing about the choice of mirror changes what you see on the other side of the login page.
Why three and not one. Three is the smallest set that survives one takedown of a mirror plus one bad guard node on your Tor circuit. Two is fragile. Anything above three is over-provisioning that costs the operator nothing and buys the reader nothing on top of the reliability three already delivers.
Every reader benefits from the extra count in exactly one way: when the primary is stalling on the anti-DDoS queue at eight in the evening in Europe, the reader can try the second, and the third, and the fourth, until one loads inside a minute. The whole point of the pool is that this decision is boring rather than dramatic.
How the reader knows which mirrors are real
Every mirror address on the list at the bottom of this essay was verified against a specific signed rotation from the operator, on a specific date, with a specific PGP fingerprint. There is no other way an address gets on the list. If a mirror address you have from a chat message or a search-engine result is not on that list, treat it as untrusted until you can verify it yourself.
The check that costs one minute
Verification is what turns a random 56-character string into a trustworthy address. The check takes four commands and roughly one minute. You do it once per rotation.
gpg --import anubis.asc # once per keyring
gpg --verify rotation.txt # exit 0 means Good signature
# then read the onion inside rotation.txt
# match it against the current list you already trust
Success looks like a line that reads Good signature from "Anubis". A trust-level warning almost always appears too. That is normal. It only means you have not personally signed the operator key, which is expected. What matters is the phrase Good signature.
If the verification fails with BAD signature or No public key, do not use the address in the message. In the first case somebody altered the envelope after signing. In the second, the operator key is not on your keyring yet, in which case you fetch it (from at least two independent sources), compare fingerprints, import it, then try again.
The captcha secondary check
The one-per-rotation PGP check has a per-session partner: the captcha URL match. Every Anubis login page renders a captcha with the current onion address printed in the small text at the bottom of the image. You compare that string to what is in your address bar. Match wins. Mismatch means a phishing clone. The check takes five seconds and it is the reason phishing clones do not last long enough to matter.
Two of three keys, and why that number
Every deposit on Anubis Market sits behind a 2 of 3 multisig contract. Three private keys are generated for the order: one for the buyer, one for the vendor, one for the market platform. Any two of the three, in combination, can release the coin. The third is not needed.
The happy path
The buyer deposits into the multisig address. The vendor ships. The buyer marks the order received. The buyer and the vendor together sign the release. The coin moves to the vendor. The platform key never moves.
The dispute path
Either party opens a dispute. A moderator reads both sides of the message thread, looks at the vendor dispute history, decides. The moderator cosigns with whichever side they judged correct. That is the second signature. The coin releases based on the two signatures that agreed.
Why 2 of 3 and not 2 of 2
A pure 2 of 2 multisig between buyer and vendor sounds cleaner because there is no market involved in the settlement. In practice, if either side goes offline or refuses to cooperate, the coin is stuck forever. Somebody has to be a tiebreaker in the deadlock. The market key is that tiebreaker, and because it takes two keys to move any coin, the market cannot walk with your deposit even in principle.
The market cannot walk with your deposit even in principle. Not because the operator is honest, but because the mathematics does not allow it.
The coin the storefront prefers
Anubis Market accepts Monero and Bitcoin. The Wallet panel defaults to Monero for new buyer accounts, and the operator has never made a secret of preferring Monero for reasons of chain privacy.
Monero transactions hide the sender, the receiver and the amount, by default and without opting in. The operator sees only that a deposit landed at your account, not where the coin came from. The chain observer sees the transfer happened but nothing about who or how much. This is the whole reason the storefront defaults to Monero.
Bitcoin is accepted for existing balances and for the small percentage of vendors who price in BTC for category reasons. Bitcoin deposits leave a permanent, public, forever-visible trace from your source wallet to the market deposit address. Route through a fresh wallet or a Monero swap first, or accept the trace exists.
What a reader actually does
The full workflow for a reader who has never used the storefront before, from zero to first order:
- Install Tor Browser from torproject.org and verify the download signature.
- Set the security slider to Safest.
- Copy any address from the mirror list at the bottom of this essay.
- Paste into Tor Browser. Wait for the anti-DDoS queue.
- Read the captcha string. Compare to the URL bar. Match.
- Register an account with a fresh username, a strong password, and write the mnemonic seed on paper.
- Fund the wallet with Monero from a non-KYC source (RoboSats, Bisq, or a Cake Wallet swap).
- Find a vendor with a low dispute ratio and a high finalisation ratio.
- Place an order. Wait for the escrow to settle.
- When the item arrives, mark the order received. Sign the release.
Each of these steps is roughly a five-minute operation. The whole workflow, first time through, takes an evening. Subsequent orders take fifteen minutes each.
The boring headline
Anubis Market has not done anything dramatic since it opened in January 2024. That is the headline. In an ecosystem where the median storefront lifespan is measured in months, running a stable, boring, PGP-signed rotation for over two years is the difference between a market that works and a market that does not.
The mechanism that makes it boring is on this page. Three mirrors under one key. Every rotation signed. Every deposit multisig. The reader verifies twice, once per rotation with PGP, once per session with the captcha check, and the rest of the workflow takes care of itself.