Wethenorth verified mirror links
Two active WeTheNorth .onion addresses. Both confirmed against PGP-signed announcements from the WTN administration. Use the copy buttons — do not type these addresses. One wrong character in the 62-character string sends you to a phishing site that looks identical to the real WTN interface.
Loading...
Loading...
Both addresses reach the same WeTheNorth platform. Accounts, orders, and balances are identical through either mirror. Paste the address into Tor Browser only — standard browsers cannot resolve .onion domains. For full access instructions, see the step-by-step guide.
How we verify these addresses
Every address on this page passes three steps before publication. First, we check for an official announcement on the WeTheNorth Dread sub — from an account with established history, not a new account. Second, we verify the PGP signature against the WTN admin public key. A valid signature means only the person with the corresponding private key wrote the post. Third, we connect through Tor Browser with JavaScript disabled and confirm the address resolves to the expected WTN interface without redirects.
The "Last verified" date next to each address is the last time all three steps completed successfully. Links sit in a pending queue if any step fails. We do not publish addresses that are unsigned or that fail the connection test.
Why PGP verification matters
Phishing operators post fake "new mirror" announcements constantly — especially when the real WTN primary is experiencing a DDoS event and buyers are actively searching for alternatives. A fake announcement without a valid PGP signature looks exactly like a real one to someone who isn't checking. Signed announcements are verifiable. Unsigned ones are not.
To verify a WTN announcement yourself: install GnuPG, import the WTN admin public key (available in the WTN Dread sub header), and check any announcement with a signature block. The process takes about two minutes. Privacy Guides has a clear explainer on PGP verification if you need a starting point.
Phishing warning — one wrong character
WeTheNorth has a large and active phishing ecosystem targeting Canadian buyers. The phishing sites are sophisticated: same layout, same fonts, same logo. They differ only in the .onion address, usually by one character in the middle of the string. When you land on a phishing site and enter your credentials, they go to the attacker. When you reach the checkout screen and send Monero, it goes to the attacker's wallet.
After pasting a WTN address into Tor Browser, spend 15 seconds verifying: compare the first 8 and last 8 characters of the address in the browser bar against what you copied. That check eliminates this entire category of attack. The EFF's Surveillance Self-Defense guide covers broader phishing threat models if you want context beyond WTN specifically.
Using WTN mirrors safely
Always use Tor Browser
Download from torproject.org. Set Security Level to Safest. Do not use any other browser — standard browsers cannot resolve .onion addresses.
Copy, never type
Use the copy button. A 62-character address typed by hand will almost certainly contain an error. One wrong character is all a phishing site needs.
Verify before logging in
Check the first 8 and last 8 characters of the address in Tor Browser's bar match what you copied. Takes 15 seconds. Prevents credential theft.
Bookmark this page, not the .onion
Bookmarking .onion addresses in a standard browser does nothing. Bookmark wtnguide.buzz and wtnonion.today instead — that way you can always find current verified addresses when an address rotates.
Use Monero for payments
Monero (XMR) provides transaction privacy that Bitcoin cannot. Ring signatures hide sender identity; stealth addresses hide recipient; RingCT hides the amount. Get XMR through a self-custody wallet before depositing to WTN.
Consider Tails OS
Tails OS runs from a USB stick, routes all traffic through Tor, and leaves no trace on the host machine. Standard recommendation for buyers who access WTN for anything other than casual browsing.
No VPN required but it helps
Tor provides anonymity. A VPN before Tor hides Tor usage from your ISP. In Canada, Tor usage is not illegal, but Mullvad VPN (cash payment, no email required) adds another separation layer if you prefer.
Use PGP for all sensitive messages
Install GnuPG and generate a key pair. Encrypt all vendor communication containing physical address details. Never send addresses in plaintext through any platform's messaging system.
Store credentials securely
Use KeePassXC for password management and private key storage. Encrypt the database. The database file itself is useless without the master passphrase, so a strong one is mandatory.
Mirror questions
Why does WeTheNorth have two mirrors instead of one?
Single onion services are vulnerable to DDoS attacks that can make them temporarily inaccessible for hours. A second mirror on a separate circuit provides immediate redundancy. When the primary is unreachable, the mirror usually works. Both resolve to the same platform backend.
The link isn't loading. What should I try?
Try the other mirror. Then click the lock icon in Tor Browser and select "New Circuit for this Site" to build a fresh Tor circuit. Then wait — sometimes circuits route through slow relays that resolve within 30 seconds. If both mirrors are consistently unreachable after 5 minutes, the platform may be undergoing maintenance. Check the WTN Dread sub for a signed announcement.
How often do these mirror addresses change?
Infrequently. The current addresses have been stable since late 2025. Changes happen after sustained DDoS events or as a precautionary rotation. When addresses change, WeTheNorth posts PGP-signed announcements on their Dread sub. We update this page within 24 hours of a verified announcement.
I found different WTN links on a Telegram channel. Are they safe?
Likely not. Telegram channels are the primary distribution vector for WTN phishing links. Unless a Telegram post includes a valid PGP signature from the WTN admin key, treat the address as suspect. Verify against this page or against a PGP-signed Dread post directly.