What historical .onion addresses have been attributed to BriansClub and which were later confirmed as fraudulent?

1. What addresses have been publicly attributed to BriansClub

Open directories and vendor announcements have published both clearnet mirrors (briansclub.at, briansclub.cm and related domains) and long Tor hidden-service addresses; a channel tied to the operation explicitly posted two .onion strings—briansclcfyc5oe34hgxnn3akr4hzshy3edpwxsilvbsojp2gwxr57qd.onion and pmd5wavy5j4vyyzlgth7nbeoojsbevdydcovejjxgydqzusm6jij2jad.onion—alongside a list of reserve clearnet domains for fallback ^[1]. Public-facing aggregator pages and directories also list briansclub.at as a canonical entry point historically associated with the marketplace ^{[3] [4]}.

2. Warnings, mirrors and the ecosystem that breeds fake links

Multiple sources and vendor guidance explicitly advise users to verify onion URLs because impostors and scammers routinely register lookalike domains and publish fake onion addresses to phish credentials, siphon funds, or host identical but malicious mirrors; a “trusted mirrors” advisory on an access/mirror page underscores that point and instructs users to confirm links from trusted forums and directories ^[2]. The marketplace’s own channels warned visitors to “beware of fake” and promoted a small set of reserve domains, which signals both an attempt at brand control and an implicit admission that counterfeits proliferate in its ecosystem ^[1].

3. Which addresses have been confirmed fraudulent — what the reporting actually says

Investigative reporting about BriansClub has focused on the site’s inventory, a major 2019 data breach, and the economics of the carding market rather than producing a forensic audit of historical .onion strings ^{[5] [6] [7]}. The sources document the breach of BriansClub’s database and the existence of many mirrors and impostor domains, but none of the provided material contains a definitive, source-verified roster of specific .onion addresses that were later proven fraudulent; reporting instead offers general warnings about fake links and documents that third parties reviewed leaked card data which matched records on the site ^{[6] [7]}. Therefore, while directories and operator posts list particular onion addresses, the available reporting does not corroborate which of those specific .onion strings were subsequently exposed as fraudulent.

4. Alternative readings, incentives and reporting gaps

Security journalism (KrebsOnSecurity, Threatpost, Security Affairs) focused its verification energy on the scale of the breach and overlap between leaked data and site inventories, not on compiling a post-hoc blacklist of compromised or spoofed onion addresses, which leaves a gap that specialist darknet monitoring services fill at varying quality ^{[5] [6] [8]}. Commercial mirror sites and “official” access pages have an incentive to present authoritative links (sometimes to monetize or control traffic), while independent directories may copy or perpetuate bad addresses; these mixed incentives mean published lists of .onion links should be treated skeptically unless validated by multiple independent technical observers ^{[2] [1]}.

5. Bottom line for historical attribution vs. confirmed fraud

Public records and operator posts attribute specific .onion addresses to BriansClub—some of which appear in archived postings and directories—yet the reporting provided documents the prevalence of fake/mirror addresses without supplying a verified, itemized list of which historical .onion addresses were later confirmed fraudulent; confirmation would require a forensic tracing or consensus from multiple darknet-monitoring analysts that is not present in these sources ^{[2] [1] [6]}.