xmrwallet.com has been stealing Monero private keys since 2016. Fifteen documented victims. $2M+ estimated stolen. Six security vendors on VirusTotal flag it as malicious — including Fortinet ("Phishing"). Three registrars suspended the operator's domains within days.
The fourth registrar — NameSilo — contacted the scammer, accepted his story, and published a public defense calling him "the victim."
This is the technical breakdown of how the theft works, why NameSilo's response is provably false, and why their "abuse review" is either incompetent or complicit.
Full investigation by PhishDestroy Research — Evidence page · GitHub repo · Medium article
NameSilo's Public Response — Verbatim
"Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago (during which a copy of the webpage was replaced with a crypto-drainer). Prior to that, we had received no abuse reports related to this domain. After an extensive investigation, our team found evidence of the compromise not involving the registrant, and they immediately took steps to reverse it. The registrant is also working to get the website delisted from VT reports."
Seven claims. All provably false. Let's go through the technical evidence.
Technical Analysis: The Theft is the Application
NameSilo claims the domain was "compromised" — that someone hacked the site and injected a crypto-drainer. This is technically impossible. The theft mechanism is the core architecture of the application.
Private Key Exfiltration via session_key
Every login POSTs credentials to /auth.php:
```text
POST https://www.xmrwallet.com/auth.php
address = 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88...
viewkey = efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
```
The server returns a session_key — not a random token, but the victim's credentials in Base64:
```text
session_key = [blob]:[base64(address)]:[base64(viewkey)]
```
Decode it yourself:
```python
import base64

encoded = "ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA=="
print(base64.b64decode(encoded).decode())
# efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
# ^^^ real private view key from live capture
```
This session_key is re-transmitted on every API call — 40+ times per session:
| Endpoint | View key transmissions |
|---|---|
| /getheightsync.php | 12 |
| /gettransactions.php | 10 |
| /getbalance.php | 6 |
| /dashboard.html | 4 |
| /send.html | 3 |
| /receive.html | 3 |
| /getsubaddresses.php | 1 |
| /getoutputs.php | 1 |
| Total | 40+ |
Full capture data: PhishDestroy evidence page — 109 HTTP requests documented (50 POST, 59 GET).
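The decode above, generalized into a small checker as an added example (not code from the article or from PhishDestroy): it splits a captured session_key on ":", base64-decodes each segment, flags the one shaped like a 32-byte hex view key, and counts per endpoint how many captured requests re-transmit it. Every value is a constructed placeholder; only the endpoint names follow the table above.

```python
import base64
import re
from collections import Counter

# Constructed placeholders shaped like the real fields: 64 hex chars for a 32-byte
# private view key, a 95-char base58 string for a standard address. Not real keys.
DUMMY_VIEWKEY = "0123456789abcdef" * 4
DUMMY_ADDRESS = "4" + "B" * 94
HEX32 = re.compile(r"^[0-9a-f]{64}$")
ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")

def make_session_key(address, viewkey, blob="sessblob"):
    """Build a token in the layout the article describes: blob:b64(address):b64(viewkey)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"{blob}:{b64(address)}:{b64(viewkey)}"

def classify_segment(segment):
    """Base64-decode one colon-separated segment and say what the plaintext looks like."""
    try:
        text = base64.b64decode(segment, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return "opaque"  # not valid base64, or not printable text
    if HEX32.match(text):
        return "hex32-key"  # 32-byte hex: the shape of a Monero private view key
    if ADDR.match(text):
        return "monero-address"
    return "other"

def leaked_fields(session_key):
    """Classify every segment of a session_key value."""
    return [classify_segment(s) for s in session_key.split(":")]

def viewkey_transmissions(capture):
    """Count, per endpoint, the requests whose session_key carries a decodable view key."""
    counts = Counter()
    for _method, path, params in capture:
        token = params.get("session_key")
        if token and "hex32-key" in leaked_fields(token):
            counts[path] += 1
    return dict(counts)

# Constructed mini-capture of (method, path, parameters); endpoint names follow the article.
SESSION_KEY = make_session_key(DUMMY_ADDRESS, DUMMY_VIEWKEY)
CAPTURE = [
    ("POST", "/auth.php", {"address": DUMMY_ADDRESS, "viewkey": DUMMY_VIEWKEY}),
    ("POST", "/getheightsync.php", {"session_key": SESSION_KEY}),
    ("POST", "/getheightsync.php", {"session_key": SESSION_KEY}),
    ("POST", "/getbalance.php", {"session_key": SESSION_KEY}),
    ("GET", "/dashboard.html", {}),
]

if __name__ == "__main__":
    print(leaked_fields(SESSION_KEY))  # ['opaque', 'monero-address', 'hex32-key']
    print(viewkey_transmissions(CAPTURE))  # {'/getheightsync.php': 2, '/getbalance.php': 1}
```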
Transaction Hijacking: raw = 0
```javascript
raw_tx_and_hash.raw = 0 // client TX discarded — never broadcast
if (type == 'swept') { // custom theft marker — NOT in Monero protocol
    txid = 'Unknown transaction id'
}
```
The client builds a valid Monero transaction, then discards it. The server constructs its own transaction and redirects funds to any address. The swept type does not exist in the Monero protocol — it's a custom flag for server-initiated theft.
Hardcoded Backdoor
```text
POST /support_login.html
session_id = 8de50123dab32
```
Not user-initiated. Hardcoded session ID. Endpoint not present in the public GitHub repository. Documented in cached Issue #35.
Google Trackers in a "Privacy" Wallet
| Service | Requests/session | Risk |
|---|---|---|
| Google Tag Manager | 12 | Can inject arbitrary JS without code deploy |
| Google Analytics GA4 | 5 | Full session tracking |
| Google Analytics UA (UA-116766241-1) | 3 | Page views, user agent |
| DoubleClick (ad network) | 1 | Ad tracker in a financial tool |
No legitimate Monero wallet loads GTM. Not Monero GUI, not Feather Wallet, not Cake Wallet, not Monerujo. Zero trackers across the industry.
A hacker didn't build 8 PHP endpoints, a Base64 key exfiltration protocol, a transaction hijacking mechanism, a hardcoded backdoor, and integrate Google Tag Manager — as part of a "compromise." This is a product built over years.
The 5.3-Year Commit Gap Destroys the "Hack" Narrative
```text
2018-05-10  First release          ← looks open-source
2018-11-06  "Bulletproof Update"   ← last real commit
            5.3 YEARS — ZERO COMMITS
2024-03-15  "2024 updates"         ← sanitized dump, PHP backend excluded
```
The production site uses parameters that do not exist in the public GitHub code: session_key, verification, encrypted data, /support_login.html. The Wayback Machine confirms: no session_key in 2023 archives. Present in 2025.
A "compromise a few months ago" does not create a 5.3-year code divergence.
"No Prior Abuse Reports" — A 5-Second VirusTotal Search Proves Otherwise
NameSilo claims zero reports existed before 2026. Here's what was publicly available:
| Source | Finding | Predates 2026? |
|---|---|---|
| VirusTotal | 6/93 vendors: Fortinet (Phishing), Webroot, ADMINUSLabs, CyRadar, Lionic, Seclookup (all Malicious) | ✅ Automated, continuous |
| URLQuery | Domain flagged in automated analysis | ✅ |
| ScamAdviser | Very low trust score, registrar flagged for fraud | ✅ |
| Trustpilot | Multiple theft reports: $200, 17.44 XMR, funds redirected | ✅ Years of reports |
| Sitejabber | 590 XMR ($177K) stolen, 20 XMR stolen, rating 1.5/5 | ✅ |
| BitcoinTalk | Warning thread: "[WARNING] XMRWallet.com Scams" | ✅ |
| Reddit r/Monero | Operator u/WiseSolution banned | ✅ Since 2018 |
Searching xmrwallet.com on VirusTotal: 5 seconds. Googling "xmrwallet.com scam": first page is all warnings. Checking Trustpilot: one click.
NameSilo's "in-depth review" didn't include any of this. Or it did — and they're lying.
An "Open-Source Client-Side Wallet" on Bulletproof Hosting
Here's what NameSilo's abuse team apparently found normal:
| Component | xmrwallet.com | Legitimate wallets |
|---|---|---|
| Hosting | IQWeb FZ-LLC, Belize — bulletproof, $550/mo | GitHub Pages (free) / Cloudflare |
| CDN | DDoS-Guard, Russia — anti-takedown | Cloudflare / none needed |
| DNS | ns1/ns2.ddos-guard.net | Standard NS |
| Monthly cost | $550+ | $0 |
| Purpose | "Client-side, runs in browser" | Client-side, runs in browser |
If the code runs client-side, the server processes nothing. GitHub Pages costs $0. Why does a "free volunteer project" pay $550/month for offshore bulletproof hosting behind a Russian anti-DDoS service known for hosting criminal infrastructure?
Because the code on GitHub is not the code on the server. The GitHub repository is an alibi.
We sincerely hope NameSilo's legal department is sharper than their abuse department — because legal will be the ones answering questions about this.
Three Registrars Acted. NameSilo Became the Scammer's Lawyer.
Same evidence. Same technical analysis. Same VirusTotal detections. Four registrars. Three results:
| Registrar | Domain | Evidence | Action |
|---|---|---|---|
| PublicDomainRegistry | xmrwallet.cc | Same MX, WOT token 8a5554c915e3c17278a7, 23 VT file hashes | SUSPENDED |
| WebNic | xmrwallet.biz | Same AS59692, same DNS, same WOT token | SUSPENDED |
| NICENIC International | xmrwallet.net | Same IP as suspended .biz (190.115.31.40) | DNS DEAD |
| NameSilo | xmrwallet.com | All of the above + 6 VT vendors + 15 victims + full technical audit | "The registrant is the victim" |
Three companies — India, Malaysia, China — independently concluded: fraud. One company — NameSilo, USA — concluded: the scammer is the victim, let's help him remove the warnings.
The Escape Domain Panic
The operator registered 4 escape domains across 4 registrars — before the investigation was published:
```text
Feb 4   xmrwallet.cc registered (8yr prepaid)      ← before publication
Feb 9   xmrwallet.biz registered (5yr prepaid)     ← before publication
Feb 13  Issue #35 published — TX hijacking exposed
Feb 18  Issue #36 published — 43 viewkey transmissions captured
Feb 23  .cc SUSPENDED · .biz SUSPENDED · operator DELETES Issues #35+#36
Feb 26  xmrwallet.net registered (10yr, same IP as .biz)
        xmrwallet.me registered (10yr, same IP as .cc)
Mar 8   xmrwallet.net DNS DEAD
```
23 years of prepaid registrations burned. 3/4 escape domains neutralized. Same NS (ddos-guard.net), same MX (privateemail.com), same WOT token — one operator, five domains.
Does NameSilo believe "compromised" website owners register escape domains across 4 registrars, prepaid for decades, before the investigation is published?
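The infrastructure overlap used above to tie five domains to one operator, as an added example (not the investigation's own tooling): the records are constructed placeholders, and the attribute weights and threshold are assumptions. The point it shows is that provider-level overlap alone (same nameserver, same mail host) does not link domains, while a shared per-owner site-verification token plus a shared IP does.

```python
from collections import defaultdict

# Constructed records in the shape of the attributes the article compares (nameserver,
# MX host, IP, site-verification token). Placeholder values, not the live domains.
RECORDS = {
    "shop-a.example": {"ns": "ns1.cdn-guard.example", "mx": "mx.mailhost.example",
                       "ip": "192.0.2.10", "token": "TOKEN-ONE"},
    "shop-b.example": {"ns": "ns1.cdn-guard.example", "mx": "mx.mailhost.example",
                       "ip": "192.0.2.11", "token": "TOKEN-ONE"},
    "shop-c.example": {"ns": "ns1.cdn-guard.example", "mx": "mx.mailhost.example",
                       "ip": "192.0.2.11", "token": "TOKEN-ONE"},
    "other.example": {"ns": "ns1.cdn-guard.example", "mx": "mx.mailhost.example",
                      "ip": "198.51.100.5", "token": "TOKEN-TWO"},
}

# Assumed weights: a shared nameserver or mail provider is weak evidence (every customer
# of that provider has it), a shared IP is stronger, a shared per-owner verification
# token is strongest. The threshold decides what counts as "one operator".
WEIGHTS = {"token": 3, "ip": 2, "mx": 1, "ns": 1}

def link_score(a, b):
    """Sum the weights of every attribute the two records share."""
    return sum(w for k, w in WEIGHTS.items() if a.get(k) and a[k] == b.get(k))

def cluster(records, threshold=3):
    """Group domains with union-find; an edge exists where link_score >= threshold."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    names = list(records)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if link_score(records[a], records[b]) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in names:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(group)  # ['other.example'] then ['shop-a.example', 'shop-b.example', 'shop-c.example']
```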
"The Registrant Is Working to Get Delisted from VT"
The most damning sentence in NameSilo's response.
Fortinet — Fortune 500, $4.4B revenue, 700,000+ protected organizations — classified xmrwallet.com as "Phishing."
The operator's response: not remove the phishing code — but lobby VirusTotal to remove the detection.
And NameSilo presents this as progress.
A legitimate hacked site owner would welcome VT detections — it validates the threat. This operator wants warnings gone while the theft code remains in production. NameSilo is helping a flagged phishing domain suppress security alerts.
The Operator
Nathalie Roy, Canada. GitHub: nathroy (ID: 39167759). Reddit: u/WiseSolution — banned from r/Monero (2018). ProtonMail: royn5094@protonmail.com. Self-identified on xmrwallet.com/support.html.
Full operator profile: PhishDestroy analysis.
Claims "funded by donations" — zero donation wallet exists. Pays $550/mo hosting. 50+ paid SEO articles. DDoS-Guard. Android app. 100+ blog posts in 10 languages. Hired a second developer for a captcha system that was defeated in hours.
The Operator's Own Words — Emails to PhishDestroy
After xmrwallet.com was reported, the operator (royn5094@protonmail.com) emailed PhishDestroy directly. Four emails over 7 days. Zero technical rebuttals. And one sentence that reveals everything about the relationship between the operator and NameSilo.
Feb 16 — "We don't store keys"
"We are an open source crypto wallet that is non-custodial, we don't store seeds or keys, everything is done in your browser locally. Please remove your report on us, thank you. N.R."
The same day, PhishDestroy responded with a full technical breakdown: raw_tx_and_hash.raw = 0 (client transaction discarded), session_key containing the victim's private view key in Base64, type == 'swept' (custom theft marker absent from Monero protocol), production-only parameters not in the public GitHub repository. The operator never addressed a single finding.
Feb 17 — Two emails in one day. Panic.
"This is the data we need to offer the service to users. This is not grounds for a domain suspension."
Yesterday: "we don't store keys." Today: "this is the data we need." Two mutually exclusive statements in 24 hours.
"You are accusing without proof. The way the website was built does not verify anything was stolen, so I'm not sure what you're going to waste your time on. If this is a legal matter, feel free to subpoena the domain registrar for my information to submit a complaint in the courts."
Now read that last sentence again: "Feel free to subpoena the domain registrar."
This was written on Feb 17 — before we contacted NameSilo, before the abuse report was filed, and before NameSilo published their "compromise" cover story. At this point, nobody knew how NameSilo would respond.
And yet the operator is not worried. Not even slightly. A scammer running a phishing operation on bulletproof hosting behind DDoS-Guard should be terrified of a registrar investigation. But this operator actively directs us toward the registrar, as if confident NameSilo will take his side.
No scammer in history has ever said "please involve my registrar" — unless they already know the outcome.
Why was the operator so confident? Does the operator have a relationship with someone at NameSilo — a friend in support, a remote contractor, a connection that guarantees protection? We don't know. But the sequence speaks for itself:
- Feb 17 — operator says "subpoena the registrar" with zero concern.
- Feb 23 — three other registrars suspend his domains immediately.
- NameSilo — the one registrar the operator pointed us toward — not only refuses to act, but publishes a defense calling him "the victim" and helps him remove VirusTotal warnings.
The operator predicted NameSilo's response before it happened. That's either the luckiest guess in the history of cybercrime — or the operator knew something we didn't.
Feb 18 — PhishDestroy responds with evidence and a warning.
Feb 23 — Domains suspended. Operator panics.
The same day xmrwallet.cc and xmrwallet.biz were SUSPENDED:
"I've communicated with my lawyer and you'll hear from them directly soon for harassment, spamming and brand reputation damage. We've hired a private investigator to find your information to file the case."
"You can literally look up Trezor, Ledger or any other major wallet, they all have complaints about stolen funds. Every single one of them. They also get their view keys to service users, that's how it works."
Trezor and Ledger are hardware wallets. They do not collect private view keys server-side. They don't have PHP backends. They don't transmit session_key to a server 40 times per session. The operator either doesn't understand cryptocurrency wallets — or is counting on the reader not understanding them.
Four emails. Zero explanations for session_key, raw = 0, swept, or the 5.3-year GitHub divergence. From "please remove your report" to "my lawyer" in 7 days. The lawyer has not materialized in 4 weeks.
But here's the detail that destroys NameSilo's entire "compromise" narrative:
In all four emails (Feb 16–23), the operator speaks in first person — "we are an open source wallet," "this is how the website is run," "this is the data we need." The operator defends the code, the architecture, the data collection — as their own work.
Not once does the operator mention any hack, compromise, or unauthorized access.
On Feb 16–17, the operator told us: "this is how the website is run." Weeks later, NameSilo told the public: "the domain was compromised." These two statements cannot both be true.
The "compromise" story didn't exist until NameSilo contacted the operator and needed an explanation to close the case. The operator's own emails — written before the cover story was needed — prove the "hack" narrative was fabricated after the fact.
NameSilo received the same evidence — and the same operator emails. They chose the cover story over the evidence. They called this person "the victim."
NameSilo's Liability
Before their response: negligence. After: complicity.
NameSilo contacted the operator, accepted his story, publicly declared him innocent, revealed they're helping him remove VirusTotal detections, and shifted burden of proof to the reporters.
Under ICANN RAA Section 3.18, registrars must investigate and respond appropriately to abuse. Does "appropriately" include writing a public defense of the accused?
Every dollar stolen after NameSilo's statement was stolen by an operator NameSilo publicly cleared. If you vouch for the thief — you share his bill. Victims should contact NameSilo directly: support@namesilo.com / abuse@namesilo.com.
Documented Victims
| Amount | Source | Quote |
|---|---|---|
| 590 XMR (~$177K) | Sitejabber | "I do deposit 590 monero 2 day gone and they steal it!" |
| 17.44 XMR | Trustpilot | "My 17.44 XMR was all gone. I have both the TxID & TX Key." |
| 20 XMR | Sitejabber | "Put 20 xmr next day 0 xmr" |
| $200 | Trustpilot | "They stole $200 from me, leaving me high and dry" |
| Unknown | Trustpilot | "Transferred to some other wallets instead of mine" |
| Unknown | Trustpilot | "UNABLE TO ACCESS MY FUNDS" |
Conservative estimate: $1.5M–$15M+ over 8 years. The operator responds to every victim: "You used a phishing clone."
Take Action
Report xmrwallet.com:
- Google Safe Browsing — blocks in Chrome, Firefox, Safari
- Netcraft — used by ISPs globally
- PhishTank — community blocklist
- Phish.Report — auto-reports to 6+ platforms
- APWG — Anti-Phishing Working Group
File ICANN complaint against NameSilo: icann.org/complaints
Law enforcement (operator: Canada):
Canadian Anti-Fraud Centre · RCMP · FBI IC3 · Europol
Use safe wallets:
Monero GUI · Feather Wallet · Cake Wallet · Monerujo
Full Evidence Archive
| Resource | Link |
|---|---|
| Full investigation | phishdestroy.github.io/DO-NOT-USE-xmrwallet-com |
| Deleted evidence archive | deleted.html |
| Issue #35 cached | cache-issue35 |
| Issue #36 cached | cache-issue36 |
| VirusTotal | virustotal.com |
| URLQuery | urlquery.net |
| ScamAdviser | scamadviser.com |
| BitcoinTalk warning | bitcointalk.org |
| Scam exposure | article |
| Operator profile | article |
| Captcha defeated | article |
| Safe alternatives | article |
| Medium article | phishdestroy.medium.com |
| GitHub repository | github.com/phishdestroy |
| PhishDestroy blocklist | destroylist — 70,000+ domains |
NameSilo didn't ignore the evidence. They read it, contacted the scammer, believed him, declared him innocent, and are helping him suppress VirusTotal warnings. That's not negligence. That's a partnership.
Three registrars protected users. NameSilo protected the scammer — and put it in writing. Their statement will be Exhibit A in every filing from this point forward.
If you vouch for the thief, you share his bill.
PhishDestroy Research · Telegram · Twitter/X · Bot · API
Based on public evidence, live network captures, OSINT, and NameSilo's own verbatim public statement. No unauthorized access. All findings independently reproducible. Originally published on Medium.