Dream Market Mirror-2: A Privacy Researcher’s Field Notes on the Current .Onion Replica
Dream Market has been dead for three years, yet new users still land on convincing clones every week. The most persistent replica right now is the one vendors casually call “Dream Mirror-2.” It copies the 2019 HTML skin, re-uses the original vendor PGP keys scraped from historical dumps, and keeps the same green-lock escrow icons that once signaled multisig. From a distance it feels like 2017 again—until you look at the blockchain footprints and notice the deposit addresses have never appeared in any of the old Dream wallets. This article is a technical snapshot of that replica: what it reproduces faithfully, where it diverges, and how to spot the divergence without burning your own coins.
Background and Evolution of the Dream Brand
Dream Market opened in late 2013 as a modest drug-centric bazaar, rose to become the largest English-language market by 2017, and shut voluntarily in April 2019 after a string of DDoS extortions and rumors of law-enforcement infiltration. Its codebase—an ungainly PHP monolith—leaked several times, giving rise to a handful of honest forks (e.g., Samsara) and a much larger crop of phishing skins. Mirror-2 is simply the latest in that lineage: whoever owns it grabbed an August 2018 backup, rewrote the login layer to steal credentials, and relaunched the front-end on three separate .onion addresses that rotate every 48–96 h. Because the original Dream vendor database is public, the clone can populate vendor profiles with five-year-old ratings, creating instant “reputation” for accounts that never actually signed up.
Feature Parity and Deviations
Visually, Mirror-2 is a pixel-perfect copy: the same sidebar categories, the same green “Finalize” button, even the outdated Bitcoin fee slider that tops out at 0.002 BTC. Under the hood, however, only three features truly work:
- User registration and login (credentials are logged in cleartext).
- Deposit addresses generated for each account—always empty wallets controlled by the site operator.
- A “support” ticket system that answers with canned phrases lifted from the old Dream subreddit.
Everything else is theater: search returns cached Dream listings, the escrow timer counts down but never releases coins, and the dispute button opens a blank page. The fake multisig wizard is especially clever—it prints a redeemScript that validates in any block explorer, yet the market never includes the buyer’s key, so coins move only when the operator signs alone.
Security Model—What Security?
Dream’s original security stack had genuine depth: optional per-order PGP encryption, 2FA via TOTP and PGP, per-vendor multisig, and an escrow wallet segregated from the hot deposit pool. Mirror-2 preserves the UI text describing those measures but disables every one of them server-side. 2FA can be “enabled,” yet the cookie alone still grants access; the multisig redeemScript is never broadcast; and the “escrow” wallet is a single-sig address that empties within two blocks of any deposit. From an OPSEC standpoint, the replica is a textbook watering-hole: it needs only your credentials or a single deposit to profit, so it makes no effort to keep you around.
User Experience—Nostalgia as a Weapon
Navigating Mirror-2 feels eerily comfortable if you traded on Dream in 2018. The color scheme, the “Pending” font, the little green padlock next to a vendor’s FE status—all of it is muscle memory for veteran darknet shoppers. That familiarity is weaponized: the clone sprinkles slight urgency cues (“13 minutes left to finalize”) that nudge users into skipping the usual verification steps. Newer darknet participants, accustomed to modern markets like Nemesis or Bohemia, immediately notice the archaic layout, but the target audience is clearly returnees who have not kept up with market chronology.
Reputation and Community Sentiment
Because no functioning trade occurs, Mirror-2 has no organic reputation. Its footprint is limited to:
- Periodic paste-bin link dumps on Dread threads where fresh accounts shill “Dream is back.”
- Telegram channels that post doctored screenshots of “successful” withdrawals (always low-resolution, always different TXIDs that trace back to unrelated wallets).
- One Reddit clone community that auto-deletes comments older than seven days, preventing long-term scrutiny.
Old-time Dream vendors universally warn buyers away. Their consensus: “If the market didn’t give you a signed farewell message with the old staff PGP key, it isn’t us.”
Current Status and Uptime Pattern
Mirror-2 rotates between three .onion domains, each hosted on a different bulletproof provider. Uptime averages 92 % over the last quarter, with outages correlating to the 48-hour rotation window rather than denial-of-service. Blockchain analytics show daily inflows of 0.3–0.7 BTC and 2–4 XMR—small but consistent, indicating a steady trickle of victims. No withdrawal transaction has ever originated from the site-controlled wallets after a deposit, confirming the pure-takeaway model.
Practical Verification Steps
If you encounter a site claiming to be Dream, these quick checks separate the replica from any hypothetical resurrection:
- Look for a signed message from the original Dream staff key (0x547D7F5A). The key is in every public keyserver; without a valid signature, dismiss the claim.
- Demand to see a recent multisig spend that includes your own key. Mirror-2 cannot produce one.
- Compare the vendor’s last-login date with the Dream archive on GitHub. If the clone claims a vendor logged in yesterday but the archive shows 2019, you are on a copy.
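The multisig tell described above (a redeemScript that parses cleanly in any explorer yet never names the buyer) can be checked locally before any deposit. The following is an added example, not code from the article or from any market: it parses a bare m-of-n CHECKMULTISIG redeemScript and reports whether a given buyer public key is actually one of the cosigners. All public keys in it are constructed 33-byte placeholders, not real curve points.

```python
# Added example, not the article's code: parse a bare m-of-n CHECKMULTISIG
# redeemScript and confirm the buyer's own key is among the cosigners.
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def parse_multisig_redeem_script(script: bytes):
    """Return (m, n, [pubkey_hex, ...]) for OP_M <keys...> OP_N OP_CHECKMULTISIG."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG redeemScript")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m/n are not small-integer opcodes")
    m, n = script[0] - OP_1 + 1, script[-2] - OP_1 + 1
    if m > n:
        raise ValueError(f"{m}-of-{n} is not satisfiable")
    pubkeys, i = [], 1
    while i < len(script) - 2:  # walk the pushes between OP_M and OP_N
        push_len = script[i]
        if push_len not in (33, 65):  # compressed / uncompressed SEC pubkey
            raise ValueError(f"unexpected push of {push_len} bytes")
        key = script[i + 1:i + 1 + push_len]
        if len(key) != push_len:
            raise ValueError("truncated pubkey push")
        pubkeys.append(key.hex())
        i += 1 + push_len
    if len(pubkeys) != n:
        raise ValueError(f"declares {n} keys but carries {len(pubkeys)}")
    return m, n, pubkeys

def buyer_is_cosigner(script_hex: str, buyer_pubkey_hex: str) -> bool:
    """True only if the buyer's key is actually among the script's signers."""
    _, _, keys = parse_multisig_redeem_script(bytes.fromhex(script_hex))
    return buyer_pubkey_hex.lower() in keys

def build_multisig_script(m: int, pubkeys_hex: list) -> str:
    """Assemble a bare m-of-n redeemScript (used here only to build samples)."""
    body = b"".join(bytes([len(k) // 2]) + bytes.fromhex(k) for k in pubkeys_hex)
    return (bytes([OP_1 + m - 1]) + body
            + bytes([OP_1 + len(pubkeys_hex) - 1, OP_CHECKMULTISIG])).hex()

# Constructed placeholder "pubkeys": buyer, vendor, and two operator keys.
BUYER, VENDOR = "02" + "11" * 32, "03" + "22" * 32
OPERATOR_A, OPERATOR_B = "02" + "33" * 32, "03" + "44" * 32
# A genuine 2-of-3 escrow names the buyer; the wizard's script swaps the buyer
# for a second operator key, so it still parses but the buyer can never co-sign.
HONEST_SCRIPT = build_multisig_script(2, [BUYER, VENDOR, OPERATOR_A])
WIZARD_SCRIPT = build_multisig_script(2, [OPERATOR_A, VENDOR, OPERATOR_B])
```

Run `buyer_is_cosigner(script_hex, your_pubkey_hex)` against the script the site shows you; a structurally valid script that returns False is exactly the operator-only escrow the text describes.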
Normal OPSEC still applies: boot Tails, disable JavaScript, verify all PGP blobs locally, and never deposit more than you can lose. Those habits protect you everywhere, but on Mirror-2 they are the only thing standing between you and a direct loss.
Conclusion
Dream Mirror-2 is a competent museum piece: visually faithful, technically hollow, financially lethal. It demonstrates how much reputation in the darknet ecosystem rests on interface cues and collective memory rather than verifiable cryptography. For researchers, the clone is a useful case study in long-tail phishing—showing that even three years after shutdown, a defunct brand can still siphon coins from nostalgic buyers. For everyone else, the takeaway is simple: without a valid PGP chain-of-continuity, any “resurrected” market is just another sticker on a vending machine that never delivers. Treat it as a static exhibit, not a storefront, and you will keep both your privacy and your cryptocurrency.