Drughub getting started

Tails OS is a live operating system you boot from a USB stick. It routes all network traffic through Tor by default, leaves zero traces on the host machine, and resets to a clean state on every shutdown. No session data, no browser history, no downloaded files survive a reboot unless you explicitly save them to an encrypted persistent volume.

This is the correct choice for any use case where a compromised host machine would be catastrophic. Tails requires an 8GB USB stick and roughly forty-five minutes to set up the first time. After that, booting takes under two minutes.

Whonix runs as two virtual machines: a Gateway that routes all traffic through Tor, and a Workstation where you browse. The Workstation cannot reach the internet without going through the Gateway first. If the Workstation is compromised, the attacker cannot learn your real IP because the Workstation simply does not have routing access to the network layer.

Whonix is the best choice for a persistent setup where you need to save files across sessions. It runs on top of Qubes OS for the strongest combination, or as standalone VMs using VirtualBox on any host operating system.

If neither Tails nor Whonix is practical for your situation, Tor Browser on your normal operating system provides the baseline protection. The Safest security setting disables JavaScript globally, which removes the largest attack surface. The risk with this approach is that your host machine and its history exist alongside your Tor session, creating potential for correlation through timing attacks, malware, or metadata leakage.

If you go this route: use a dedicated browser profile, never switch between Tor Browser and a regular browser in the same session, and close Tor Browser completely before opening any clearnet-linked application.

Go to torproject.org and download the installer for your operating system. There is exactly one legitimate source. Every "Tor Browser mirror" you find through a search engine has distributed malware at some point in the last ten years. Direct download, direct installation.

On Linux, verify the GPG signature of the tarball before extracting:

# Verify signature (Linux/macOS)
gpg --verify tor-browser-linux64-13.x_en-US.tar.xz.asc \
    tor-browser-linux64-13.x_en-US.tar.xz

# Expected: "Good signature from The Tor Project, Inc."
# If you get a warning about untrusted key, import Tor Project's signing key first:
gpg --keyserver keys.openpgp.org --recv-keys 0x4E2C6E8793298290

Windows and macOS installers verify themselves on launch — you do not need to run a separate check.

After installation, do not connect yet. Open the Security Settings first. Click the Shield icon in the toolbar → Advanced Security Settings → set the slider to Safest. This disables JavaScript globally. Drughub renders completely without JavaScript — this is a feature of the market's design, not a limitation. Safest also disables certain fonts and media that could be used for fingerprinting.

Now connect to Tor. The initial circuit build takes fifteen to thirty seconds. Once connected, the Tor circuit display shows three nodes — the guard relay, middle relay, and exit relay. You do not control which relays are used, and you do not need to.

Tor Browser prompts you when an update is available. Apply it before connecting to any .onion site. Security patches in Tor Browser releases are not optional maintenance — they frequently close vulnerabilities that actively affect darknet users. An outdated Tor Browser on the Safest setting is still safer than a current one on Standard, but current + Safest is the correct baseline.

GnuPG is the tool for generating and managing PGP keys. Install it via your package manager on Linux, via Homebrew on macOS, or via the Gpg4win installer on Windows. KeePassXC is the password and secret manager you will use to store the private key passphrase. Both are free, open source, and widely audited.

Open a terminal. This key pair is for drughub only — do not reuse an existing key from another identity.

# Generate a 4096-bit RSA key pair
gpg --full-generate-key

# At each prompt:
# Key type: (1) RSA and RSA
# Key size: 4096
# Expiration: 0 (does not expire)
# Real name: any pseudonym — use one you will not reuse elsewhere
# Email: leave blank, or use a Proton alias not linked to your real email
# Passphrase: 25+ characters, generated randomly, stored in KeePassXC

After generation, export the public key block. You will paste this into Drughub during registration:

# Export your public key (this is safe to share)
gpg --armor --export your-username@pseudonym > drughub-pubkey.asc

Before registration, run a self-test. Encrypt a message with your public key and decrypt it with the private key. If this works, your key pair is functional and the passphrase is stored correctly in KeePassXC.

# Encrypt a test message to yourself
echo "test message" | gpg --encrypt --armor --recipient your-key-id > test.asc

# Decrypt it
gpg --decrypt test.asc
# Enter passphrase from KeePassXC
# Expected output: "test message"

Bitcoin sits on a public ledger. Every transaction — sender address, receiver address, and amount — is permanently visible to anyone who looks. Blockchain analysis companies run the lookups commercially. Monero hides all three by default: ring signatures obscure the sender, stealth addresses make the receiver unlinkable, and RingCT hides the amount. There is no practical way to trace a Monero transaction using only the blockchain.

The risk is at the edges — buying Monero from an exchange that verified your identity and then immediately withdrawing to drughub creates a short chain. Let the XMR sit in your self-custody wallet for some time and optionally swap it through another wallet before use. Each additional hop increases the analytical cost for anyone trying to trace the flow.

Two reliable options for self-custody Monero:

• Feather Wallet — desktop (Linux, macOS, Windows). Open source, actively maintained, connects through Tor by default. Best for desktop use with full node synchronization.
• Cake Wallet — mobile (iOS, Android). Good for smaller amounts and convenience. Also open source.

Download from the official project sites only. Create a new wallet inside the app. When prompted for a seed phrase, you will receive twenty-five words. Write these on paper. This is your wallet backup — it allows full recovery from any device. Store the paper somewhere physically secure. Do not photograph it, type it into any device, or store it in any cloud service.

Acquire Monero from Kraken (supports Monero in most jurisdictions as of April 2026), a peer-to-peer exchange, or a non-KYC venue like LocalMonero. After purchase, withdraw to the receive address from your Feather or Cake Wallet — do not use the exchange address as a payment source for drughub.

Wait for the transaction to confirm on the Monero blockchain before attempting to place an order. Monero transactions have one confirmation requirement and confirmation takes roughly two minutes. Drughub generates a unique Monero invoice per order — you pay from your self-custody wallet directly to that invoice address. The payment routes into a 2-of-3 multisig escrow immediately.

The drughub verified urls page contains the current PGP-confirmed onion address. Click the "Copy verified drughub link" button. Do not transcribe the address by hand — a drughub onion address is fifty-six characters long and a single error silently routes you to a phishing server. The copy function is there specifically to prevent that mistake.

Alternatively: find the most recent mirror announcement on the Drughub Dread subforum, verify the PGP signature using GnuPG and the team's public key, and extract the address from the verified message. Both paths reach the same address — this directory simply automates the Dread monitoring step for you.

Open Tor Browser. Paste the drughub market link into the URL bar. Before pressing enter, visually compare the first six and last six characters of the pasted address against the one displayed on the urls page. Phishing operators build vanity addresses that match the beginning of the real address. The last six characters are a cryptographic checksum — they are the thing you are really checking. Both ends must match.

Once the Drughub front page loads, scroll to the bottom of the page. The footer includes a short PGP fingerprint that matches the Drughub team's long-lived signing key. Compare this fingerprint against the one included in the most recent Dread announcement. If the fingerprints match, the server you are on holds the private key associated with the team's public key — which only the real Drughub team has access to.

A phishing server cannot replicate this fingerprint correctly. It would require compromising the Drughub team's actual signing key. If the footer fingerprint is absent, visually different, or illegible in any way, close the tab and use the other address listed on the verified urls page.

On the Drughub front page, click Register. You will see a short form. Enter the username you generated for this persona — the one that is not linked to your identity anywhere else. The username is permanent. It cannot be changed after registration.

Open the drughub-pubkey.asc file you exported in step 3.2. Copy the entire contents — everything from -----BEGIN PGP PUBLIC KEY BLOCK----- through the final -----END PGP PUBLIC KEY BLOCK----- line. Paste this into the PGP key field in the registration form.

The platform validates that the key is a valid 4096-bit RSA public key. If validation fails, check that you did not accidentally copy a private key block instead. The public key header reads BEGIN PGP PUBLIC KEY BLOCK. The private key header reads BEGIN PGP PRIVATE KEY BLOCK. If you see the latter, stop — do not paste your private key anywhere.

Drughub uses a light visual captcha — designed to work on Tor Browser with JavaScript disabled. Complete it and submit the registration form. On success, you will see a confirmation and a prompt to log in.

Log out immediately. Then log in again. The login process will present you with an encrypted challenge — a block of ciphertext encrypted to your public key. Decrypt it using your private key in GnuPG, copy the decrypted text, and paste it back into the challenge field. This is passwordless PGP login in action.

# Decrypt the login challenge from drughub
# Copy the full ciphertext block, save it as challenge.asc, then:
gpg --decrypt challenge.asc
# Enter your key passphrase from KeePassXC
# Copy the decrypted output and paste it back into drughub's login form

Filter listings by Lab Verification badge. Gold means the full test battery passed — purity, contaminants, and weight accuracy all independently confirmed. Silver means standard verification passed. Bronze means basic purity only. For a first order, pick Gold or Silver exclusively. The badge is displayed on the product listing and on the vendor profile. The underlying lab report is linked as a public PDF from the product page — open it and read the numbers before you buy.

Check vendor feedback separately from the badge. A Gold badge vendor with four-hundred fifty-two completed orders and a 4.8 average is more informative than one with a badge and nine orders. Drughub weights feedback by order count and recency — the rating you see reflects recent performance, not just lifetime average.

Add the item to cart. Proceed to checkout. Drughub generates a unique Monero invoice for this specific order — a payment address and an exact XMR amount including a small randomization to prevent amount-based blockchain analysis. Copy the invoice address and the exact amount. Open Feather Wallet or Cake Wallet. Send that exact amount to that address. Do not round the amount — the invoice expects an exact figure.

Wait for ten Monero confirmations before the order status advances. At typical Monero block times, ten confirmations takes roughly twenty minutes. During this window, do not close Tor Browser. The order status page shows confirmation count in real time.

When the order arrives and you are satisfied with it, return to the order page in Drughub and release escrow. This is the action that triggers the vendor's payout and finalises the transaction. It also adds a data point to both the vendor's rating and yours as a buyer. Do this for every order — vendors who hold their ratings on completed escrow releases are the most reliable ones.

Do not auto-release by leaving the order alone past the escrow deadline. Drughub auto-releases after the configured period if you take no action — but if something is wrong with the order, that window is your protection. Check every order before it reaches the auto-release deadline.

This is the most important rule in the dispute process. Releasing escrow is final. Once you release, the transaction is complete and the dispute window closes. If you receive nothing, something incorrect, or something that does not match the lab-verified quality level, do not release. Stay in escrow and open a dispute from the order page.

The dispute thread is encrypted — only you, the vendor, and Drughub moderators can see it. Submit whatever evidence is relevant: photos of what arrived, the vendor's original lab report compared to your independent test results if you ran one, tracking information showing non-delivery. Write clearly and factually — the moderators read both sides before deciding.

Remove EXIF metadata from any photos before uploading. Images taken on phones contain GPS coordinates, device model, and timestamp data. Strip this with ExifTool or a dedicated metadata cleaner before attaching the file to the dispute thread.

Drughub moderators typically respond within seventy-two hours. They review the evidence from both sides and use their multisig key to settle the escrow. Because the escrow is a 2-of-3 multisig — you, the vendor, Drughub — a moderator decision combined with either the buyer or vendor key is sufficient to release funds in either direction. The resolution is final and on-chain.

Drughub's dispute record is one of the better ones in this market segment, partly because the walletless escrow means moderators are deciding only the current transaction — not managing a platform balance that could influence incentives. Read the marketplace's public dispute statistics on their Dread page if you want historical data before placing a first order.