Archetyp Market - How we stop phishers : Archetyp | Torhoo darknet markets

On Archetyp we make use of a polymorph multi-layer approach to protect customer funds, in this post we will briefly explain it, we hope other markets will copy our ways and adjust them for their needs to further reduce phishers from the darknet.

First page load
Easy to solve, you just need to enter the missing characters from the onion you browse, each page load re-generates it randomly, we also show a PGP signed message with YosemiteGhostWrite's PGP key for every mirror. The onion is written in text but obfuscated to make replacing it hard. Just by verifying the signed message, you should be good to go. A function like this is on multiple markets already.

Signup
Before you can signup to Archetyp, you have to solve a simple quiz, this is to ensure you REALLY do know everything important about our market, to not get phished. If you carefully read and understand this page, getting phished should not be possible for you.

1. You will have to compare the onion you browse to, with an onion on an image we generate and select the correct onion in our quiz.
2. You get asked to write down the XMR address on Archetyp, as we make use of integrated addresses, we know that every XMR address on Archetyp always starts the same, so knowing this, you can basically avoid getting phished too.
3. We tell you about archetyp.cc - a site which hosts rotational mirrors in case our onions get ddosed, so you can avoid getting phished when your default mirror is down.

After solving this easy quiz, you can register your account, you will have to complete a polymorph captcha on this page, which also shows you how your onion should start and end, comparing these 12 chars with your onion, should on it's own easily prevent you from getting phished.

Furthermore we make use of display names and login-names, it's smart to pick a different combination here, as it will make it harder for phishers in case you managed to signup on a phishing page. (We explain this later on "Anti-Phishing Jail")

On this page, we also generate random input fields and prefill them with fakedata from a combolist of millions of entries, we randomly generate all names for every input field and switch them around, we hide them from you, but they get sent to the phisher in case you are on a phisher page. This helps the lowest hanging fruits, as the phisher will have to try multiple different combinations, as he can not easily know your username, he will have to try up to 60 times for one login.

After you entered all your credentials and completed the captcha successful, you will meet our Anti-Phishing Jail, which we will explain later. Right afterwards, you will get a quick introduction to Archetyp, you will see YOUR personal XMR deposit Address to the market, it's displayed obfuscated so it's hard for the phisher to change it. Furthermore it's shown inside of an image. We instruct you to write it down and to save it for your future uses, as this will make phishers life suck.

You also have to enter 8 characters of this XMR address as a captcha, this prevents phishers from modification of this image, so you should be alert if the image is different from the address we display. We really suggest you write it down and save it.

The next step is a small introduction, which explains everything about our market, a new user likely wants to know.
- That we encourage to always encrypt everything yourself using PGP, even though we have certain fail-save systems in place.
- That we offer 100% direct payment as well as a traditional wallet
- Our support system (current response time is less than 4h on average)
- That your first deposit should be very small, e.g. 1 cent, to make sure your money gets deposited to the market before you deposit a bigger amount (it should take less than 30 minutes, usually less than 10 minutes)
- That you should always extend your auto-finalize timer before opening a dispute or before the timer runs out
- Every link on our market, which might be interesting for you and WHY you should check out our settings, as you can customize Archetyp a lot, we likely offer the most settings any market ever offered and it's based. Every user gets a private mirror that is PGP signed too.


Login
Similar to the sign up, we generate fake input, this helps us to make phisher life hard, so even if he gets your credentials, he will waste a lot time by comparing every input. The captcha is 100% polymorph too always disputes archetyp.cc, how your current onion SHOULD start and how it SHOULD end, if it does not end or start like on the image, you have to leave the site.

Anti-Phishing Jail
On this page, we display a big image, which is polymorph and displays random texts that are maybe helpful.
- how your mirror should start
- how your mirror should end
- archetyp.cc
AND different user display names, you will now need to click on your own display name, as the user knows it, but the phisher should not know it, he will waste some time here too.

Furthermore we display the mirror you browse once in cleartext and once obfuscated, they all should look like the mirror you currently browse to.


Integrated XMR addresses
Every XMR deposit address of Archetyp starts like this: 4Hx34iV8DiDjReY5mpBUNEL6JFgxC66brXLvAWbVnXW3g4VVzwwKMks881VVmadvy87sMF6ChN9F6SNZtouS78Df6
If you know this, you can 100% make sure, to not get phished. We have it signed here: https://torhoo.cc/go.php?u=TDNCdmMzUXZNak5oWmpRd05XVTVaVFF3WWprMk16WmlZbU09#

As everyone can imagine, knowing this, exchanges could know this too, so as always and this is encouraged on ANY market really, you should always deposit XMR from an exchange to a local wallet you own, before you send it to a marketplace.


Withdrawals blocked for customers?
This only affects buyers, but we block your withdrawals from the market based on this system:

On every withdrawal, you start with the score: 0
-> Changed PIN / Password recently? +1
-> Changed PGP Public Key? +1
-> Cancelled order? +1
-> Recent deposit? +1
-> Suspicious account? +1

If your score is 2 or higher, we block your withdrawal.

If you withdraw to an address you have used before, the withdraw will work without any time block

While all of this is a lot of text and I'm sure many people will get bored, it together really defeats phishers. You can not imagine the salt we farm in our ticket system, from the main phisher, which struggles to keep up with us. He is defeated and a system similar like this, can help you and your market defeat this human piece of trash too.