Kerberos Technical Wiki
Darknet Market Encyclopedia - 2026
Market Architecture
Hidden Service v3
Ed25519 onion keys, 56-char addresses. HSv3 intro auth prevents DDoS. Multiple replicas across Tor consensus weight 0.8%+ nodes.
2-of-3 Multisig Escrow
Monero multisig wallet per order. Buyer/Market/Vendor keys. Atomic swaps via scriptless scripts. 10-confirm threshold.
Vendor Levels
- L1: New (0-50 orders)
- L2: Established (50-500, $1K bond)
- L3: Trusted (500+, $10K bond, PGP verified)
Cryptography Protocols
PGP Key Requirements
- RSA-4096 / NIST P-384
- SHA512 digest
- Subkeys: 1y expiry
- Touch policies: sign/encrypt
Message Encryption
All private messages PGP encrypted. Market announcements signed + encrypted. Vendor PGP mandatory for L2+.
Signing Workflow
Detached .asc signatures (.sig files deprecated). Cleartext signing (--clearsign). Timestamp verification required.
Network Security Model
DDoS Protection
Tor HSv3 intro rate limiting (10/min). Cloudflare Magic Transit (Tor compatible). Fail2ban + custom iptables chains.
Circuit Requirements
3-hop minimum. Exit to HSv3 only. Guard rotation 120d. Weighted path selection. NewNYM every 15min idle.
Recommended Stacks
- Whonix Gateway + Workstation
- Qubes + Whonix qubes
- Tails 6.2+ persistent
- Kicksecure 17 (Debian hardened)
Monero Payment System
XMR Privacy Features
- RingCT (confidential amounts)
- Ring size: 16+
- Stealth addresses
- Dandelion++ obfuscation
- Churning enforcement
Wallet Architecture
- Primary (view-only, remote node)
- Spend (airgapped CLI)
- Per-vendor spend wallets
- Metal seed backups
Escrow Mechanics
- 2-of-3 multisig per order
- 10-block unlock time
- Dispute resolution: 7d PGP evidence
- Market arbitration binding
Technical Glossary
- OpSec: Operational Security practices
- HSv3: Hidden Service version 3 (Ed25519)
- RingCT: Confidential Transactions
- Dandelion++: Transaction propagation obfuscation
- NewNYM: Tor circuit renewal command