The Unsellable Identity

Nostr accounts cannot be sold because sellers cannot prove they forgot the private key, which collapses the market for reputation handoffs.

Every other social platform hosts a thriving black market for aged accounts with established reputations. Nostr has no such market, and the reason traces to the cryptographic shape of the system. Policy and enforcement have nothing to do with it. The original holder of an nsec keeps the option to reappear forever, and any buyer who tries to price around that option arrives at a number too low to interest the seller.

Consider the physical situation of an nsec. The key is a string of bytes, and a string of bytes lives in the seller’s head, in their password manager, on a piece of paper in a drawer, in a backup at their mother’s house, in a screenshot saved to iCloud three years ago and forgotten about. When Alice tells Bob she is “transferring” her account, the operation she performs is reading Bob a string. Bob then knows the string. Alice still knows it. So does anyone who saw any of the places Alice ever wrote it down.

Other identity systems have a registrar to call. Nostr has nobody to call. A database row update with a flipped owner field, a support ticket that confirms the handoff and locks the previous owner out, an authoritative platform record of who currently holds the namespace position: those mechanisms exist in DNS, in Twitter, in Instagram, and in every system Nostr deliberately replaced. The set of people who can sign with the key after a sale is at least two, and the buyer has no way to count it.

The buyer’s problem reduces to one demand: the seller must have forgotten the key, and forgetting admits no proof. Alice can swear she deleted every copy. She can sign a contract. She can record a video destroying the paper backup. Every one of those gestures leaves room for the screenshot in iCloud, the second copy on the USB drive in the kitchen, the entry in the password manager she stopped using in 2024 and assumes is gone. A negative claim about her own knowledge (“I have no other copies”) admits no proof. The seller might be honest. The seller might also be planning to wait six months and then reappear, log in, post something humiliating, and dox the buyer.

Hardware almost solves this in one specific case. An OpenDime-style device generates a key inside a sealed chip and exposes the private key only when the seal is physically broken. You can hand someone the device, and they can verify the seal was intact when they received it, which tells them the key inside stayed unextracted. Such a mechanism works for a single payment. A receiver breaks the seal and sweeps the funds, then abandons the address. Where the mechanism fails is in any identity that has to keep signing notes and replying to friends and accumulating new reputation over years. The moment Bob breaks the seal on a hypothetical sealed-nsec device and starts signing with the key, he runs it on a general-purpose computer where the key sits exposed and copyable like any other secret. The seal protected the key in transit. After active use begins, the seal does nothing.

Look at the systems where account sales function smoothly. A Twitter handle changes hands through the platform’s authentication system: the seller hands over login credentials, the buyer rotates the password and recovery email, and Twitter henceforth treats the buyer as the account. The platform is the source of truth. An Instagram account sale works the same way, with the added wrinkle that Meta will sometimes reclaim handles it considers stolen, which buyers price in as risk. A domain name transfers through the registrar updating records that the entire DNS system treats as authoritative. Each of those sales is enforceable because a third party with operational control of the namespace can lock the previous owner out.

Nostr lacks such a third party by deliberate design. Relays accept signed events from whoever can produce the signature, with no user authentication step. The holder is whoever signs, and the set of people who have ever learned the key only grows. That same property which makes Nostr censorship-resistant, the absence of any party who can revoke your identity, makes the identity unsellable. You can only sell what someone else can take away from you.
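
The relay-side check described above, as an added example (not code from this essay or from any Nostr implementation): a pure-Python BIP-340 sign and verify over a NIP-01 event id, showing that notes signed from two copies of the same nsec are indistinguishable to a relay. The key, timestamps and note texts are constructed, the event is reduced to the fields this check reads, and the nonce derivation is simplified (no auxiliary randomness).

```python
import hashlib, json
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order

def lift_x(x):  # point with this x and even y, or None if x is off the curve
    y = pow(pow(x, 3, P) + 7, (P + 1) // 4, P)
    return None if (y * y - pow(x, 3, P) - 7) % P else (x, y if y % 2 == 0 else P - y)
G = lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)  # generator

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = 3*a[0]*a[0] * pow(2*a[1], -1, P) if a == b else (b[1]-a[1]) * pow((b[0]-a[0]) % P, -1, P)
    x = (m*m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, demonstration only
    if k == 0: return None
    half = mul(k >> 1, add(pt, pt))
    return add(half, pt) if k & 1 else half

def tagged(tag, data):  # BIP-340 tagged hash as an integer
    t = hashlib.sha256(tag.encode()).digest()
    return int.from_bytes(hashlib.sha256(t + t + data).digest(), "big")
def b32(i): return i.to_bytes(32, "big")
def event_id(pk_hex, created_at, content):  # NIP-01 id of a kind-1 note with no tags
    body = json.dumps([0, pk_hex, created_at, 1, [], content], separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(body.encode()).digest()

def sign_note(nsec, created_at, content):  # anyone who knows the bytes can do this
    px, py = mul(nsec, G)
    d, pk = (nsec if py % 2 == 0 else N - nsec), b32(px)
    eid = event_id(pk.hex(), created_at, content)
    k = tagged("BIP0340/nonce", b32(d) + pk + eid) % N  # simplified nonce (assumption)
    rx, ry = mul(k, G)
    s = ((k if ry % 2 == 0 else N - k) + tagged("BIP0340/challenge", b32(rx) + pk + eid) * d) % N
    return {"pubkey": pk.hex(), "created_at": created_at, "content": content, "sig": (b32(rx) + b32(s)).hex()}

def relay_accepts(ev):  # the whole check: a valid signature by ev["pubkey"] over the id
    pub, sig = lift_x(int(ev["pubkey"], 16)), bytes.fromhex(ev["sig"])
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if pub is None or len(sig) != 64 or r >= P or s >= N: return False
    eid = event_id(ev["pubkey"], ev["created_at"], ev["content"])
    e = tagged("BIP0340/challenge", sig[:32] + b32(pub[0]) + eid) % N
    R = add(mul(s, G), mul(N - e, pub))
    return R is not None and R[1] % 2 == 0 and R[0] == r

NSEC = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
alice_note = sign_note(NSEC, 1700000000, "posted from Alice's old backup")  # seller's copy
bob_note = sign_note(NSEC, 1700000001, "posted by Bob after the sale")      # buyer's copy
```
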

The economic consequence falls out directly. Suppose Alice has built an npub with twenty thousand followers over four years and offers it for sale. A rational buyer prices in the probability that Alice kept a backup, multiplied by the cost of Alice reappearing later. The probability runs high. Most people who have used a key for four years have several copies of it scattered across devices and services they have stopped using or remembering. The cost of reappearance runs high too: Alice can post anything she wants from the account, destroying the reputation the buyer paid for. She can publish “I sold this account to a scammer, do not trust posts after date X,” a claim unfalsifiable in the other direction and devastating to the buyer’s plans. A rational buyer who does the math arrives at a price low enough to bore Alice, or refuses to buy at all.

Unforgeable costliness applied to identity is the principle at work. Reputation attached to an npub was built by the person who controlled the key during the building period. That person retains the option to act through the key forever, and the option has positive value to them and negative value to anyone trying to inherit the reputation. Reputation of this kind stays attached to its builder and refuses wholesaling.

The first-order consequence is that a class of fraud common on legacy platforms is missing here. On Instagram, scammers buy aged accounts with real follower histories and use the borrowed credibility to push pump-and-dump tokens, fake giveaways, romance scams, and phishing operations. The buyer gets an account that looks like a normal person with a normal history, which makes the scam land harder. The market for aged Instagram accounts and verified handles supports a substantial criminal industry precisely because the platform can enforce the handoff. Nostr offers no such handoff, so the entire business model collapses at the first step.

The second-order consequence is more interesting. Because reputation cannot be sold, it must be built. The only way to operate an npub with a long history of thoughtful posting is to have been the person doing the thoughtful posting. The shortcut of buying your way into established standing closes off. New entrants must earn attention from scratch, and the cost of earning it is roughly the cost of being interesting for long enough that other people notice. Legacy platforms tried and failed to impose this cost with verification badges and follower-count requirements; Nostr imposes it as a side effect of how keys work.

Edge cases exist. A user could in principle generate a fresh nsec and immediately transfer it to a buyer who then builds the reputation himself. That transaction is a sale of an unused string, with no premium over generating a new one. A user could also hand his key to a co-author or business partner and continue using it jointly, a sharing arrangement that carries all the risks of any shared secret. Both cases leave the core point intact: identities with accumulated reputation cannot be cleanly handed off, because the handoff itself is impossible to verify.

Some will read this and call it a limitation. The opposite reading is closer to the truth. Account marketplaces are vectors for fraud against the followers and the buyers and the platforms that host them. Removing the marketplace removes the fraud. The cost is that legitimate users who genuinely want to retire an identity have to do so by abandoning it, and the people who knew them have to follow them to a new key through some out-of-band signal. That cost is real, paid in inconvenience by a small number of users. The benefit is paid in trust by everyone who reads what an npub posts and can assume the same person who built the reputation is the one writing now.

Identity that resists transfer also resists theft-and-resale. The same property cuts in both directions. The keyholder stays the keyholder, until they either lose the key or hand it to enough people that the signature stops meaning anything specific. Both of those outcomes degrade the identity without transferring it. The protocol carries no rule against selling accounts. The math already refuses.

