Security architecture

This document explains the specific technical measures that protect user funds and data on We the North Market.

Multi-signature cold storage

All deposits are swept to a 3‑of‑5 multi-signature Bitcoin/Monero wallet within 2 confirmations. The five signing keys are held by senior operators in different countries. An outgoing transaction requires physical access to three separate HSMs (Hardware Security Modules). This means that even if our web server is fully compromised, the attacker cannot move funds without a coordinated physical breach.

Mirror rotation algorithm

Onion addresses are generated deterministically from a master seed that is never stored online. Every 9 days, the seed is combined with the current date to produce a new set of addresses. The master seed is kept in a safe deposit box and only accessed during scheduled rotation ceremonies. Old addresses are retired but continue to serve a static warning page for an additional 48 hours to warn latecomers.

Threat model

We assume an attacker with unlimited resources who can compromise any single server or network link. Our defences are layered: encrypted transport between all internal services, frequent key rotation, and no central database that links user identities to transactions. Even the support team cannot associate an account with a specific deposit or withdrawal.

Incident response

If a mirror is found to be serving a modified page (e.g., by a hosting provider compromise), it is immediately taken offline by our automated monitoring. Affected users are notified via a signed message on this directory. We have a pre-arranged procedure with a trusted third party to verify the integrity of the codebase after any incident.