Captcha URL match
A five-second check that catches most phishing clones on the first attempt.
The Anubis login captcha image carries the current onion address printed in the small text at the bottom of the image. Reading that string against your URL bar catches most phishing clones on the first check.
How the check works
The operator paints the current mirror address into every captcha image server-side. A phishing clone that scrapes the login page gets a captcha image with the real address baked in, not their fake one. Match the string against your URL bar, and any mismatch is a clone.
What phishing clones do to fool the check
Sophisticated clones try to regenerate the captcha with their own fake address painted in. This works for the internal consistency check but fails against the signed rotation: the address in a proper clone captcha still cannot be one the operator has never signed.
Do the check every session
Not just the first time. Every session. Bookmarks can be poisoned (rotation happens, old address survives briefly, phisher grabs the string, spins up a lookalike). The captcha check is the last line of defence at the point of login.
If the URL bar and the captcha string disagree, you are on a phishing clone. Close the tab. Do not type the password. Open the reference/mirrors page and copy the address fresh.