PhishDestroy — NameSilo Investigation

Evidence

Evidence Archive

Every claim is backed by source material. Every screenshot is SHA-256 fingerprinted. Every external link has at least one immutable archive copy.

View Full Evidence Archive → GTM/gtag.js Attack Analysis → Reddit Suppression Evidence → Full Investigation Dossier →

Theft mechanism — how xmrwallet.com steals Monero via Google gtag.js

Two theft vectors via Google's gtag.js delivery: 1) Transaction hijacking — code delivered via gtag.js reads spend_key from browser memory, constructs a malicious transaction sending full balance to operator's address, signs it locally, UI shows "Success." 2) Seed exfiltration — code reads seed phrase from DOM at wallet creation, sends it to Google's servers disguised as a GA event label (gtag('event','backup',{label:btoa(seed)})). Both vectors exploit the same mechanism: Google's dynamic tagging infrastructure (gtag.js) executing arbitrary code in the wallet's origin with zero CSP restrictions. Full technical analysis with 63 URLScan scans + 5 competitor comparisons →

Evidence Overview — Cards, Screenshots, Victims, Community Reports6 evidence cards + 16 primary screenshots + documented victims + community warnings. Click to browse.

📧

Operator Emails

"N.R." ([email protected]) → [email protected], Feb 16. Defends site, demands removal. Never claims compromise.

Screenshot →

📜

4 Statements vs Evidence

NameSilo's Mar 13 tweet: 4 sentences, 4 contradictions. Each proven false with operator's own emails + code hashes.

Full analysis →

🔍

Code Hashes

SHA-256 before and after "compromise." Code never changed. IP never changed. NameSilo fabricated it.

Proofs →

📊

Technical Breakdown

8 PHP endpoints. session_key = base64(address + viewkey). raw_tx = 0. Server builds its own TX.

View →

📸

61 Evidence Screenshots

16 primary + 19 additional + 26 tweets. Emails, victim reports, DNS maps, VirusTotal, GitHub issues, operator taunts. All SHA-256 fingerprinted. Court-usable.

View all →

🌍

Wayback + GhostArchive

xmrwallet.com, .cc, .biz, .me archived. NameSilo tweet archived. GitHub repos archived. Independent copies.

View all →

Primary Evidence Screenshots — 16 SHA-256 Verified Files16 core exhibits + 19 additional (victims, GitHub, DNS, VT) + 26 tweets. Total: 61 evidence images. Click to browse.

SHA-256 +

#01 Operator "N.R." email
Feb 16 — defends site, demands report removal. SHA-256: 919b5ee4...

View

#01b PhishDestroy reply
Feb 16 — technical evidence of theft. SHA-256: ecced351...

View

#03 NameSilo's statement — 4 contradictions
Mar 13 — the tweet. SHA-256: ad29e1d3...

View

#04a "@NameSilo is lying"
Mar 16 — rebuttal citing operator emails. SHA-256: c556e13f...

View

#04b "Press secretary for $20M+ theft"
Mar 16. SHA-256: c9007cb4...

View

#04c "Who is this operator to you?"
Mar 16. SHA-256: bbb0ecd0...

View

#04d CryptOpus: "$10M+ stolen"
Mar 16 quoting Feb 22. SHA-256: 6ffd3020...

View

#05 Registrar comparison
3 registrars acted. NameSilo protected.

View

#06a X Support: "no violation"
Apr 15 — still locked. SHA-256: 2753d02f...

View

#06b "Account restored" — it hasn't
Apr 15. SHA-256: 482d0ebb...

View

#09 PhishDestroy platform
What they tried to silence. SHA-256: de5b430b...

View

#12 NameSilo tweet — GhostArchive
11K views. Permanent link

View

#13 Full tweet thread
GhostArchive permanent copy

View

#14 Thread: Lies Exposed
Mar 14

View

#15 "Abuse dept is a disgrace"
Mar 14

View

#16 "VT delisting service"
Mar 14 — NameSilo removing security detections for scammer

View

Documented Victims

2,600 XMR

~$780K — Deleted Trustpilot review (screenshot preserved). Evidence

1,200 XMR

~$360K — "Elmo T. Johnson" — deleted Trustpilot review (Wayback proof)

590 XMR

~$177K — Sitejabber

~400 XMR

~$120K — isisB2B, BitcoinTalk Dec 2025

$200K+

Teletype Feb 2024

47 XMR

17 min after deposit — Reddit

30 XMR

5 hrs — bits.media (RU)

$20K

Bitazu Capital — Herald Sheets

28 XMR

Reddit Aug 2020

$3,250

Telegram (CN)

~C$1M

UNVERIFIED — Canadian victim, Ontario

??? XMR

OSINT — A hacking group involved in a major cryptocurrency theft lost Monero through xmrwallet. Documented in their leaked operational infrastructure (~2022). Amount undisclosed.

⚠️

Unverified: ~C$1M Canadian victim. Contacted us claiming a police report filed in Ontario. No case number provided — we cannot verify. If true, Canadian law enforcement already has an open case. OPP / RCMP — check your records.

From documented to estimated: why $100M+. The cases above total ~$500K–$1.5M in publicly documented losses. This represents a tiny fraction of real theft. Why? (1) Monero is private — most victims never know they were robbed, thinking the transaction simply "failed." (2) The site operated for ~8 years with steady traffic. (3) Victims who realize the theft rarely report publicly — shame, jurisdictional confusion, "crypto isn't real money" dismissal. (4) Multiple victims have contacted us directly with losses they chose not to publish. (5) Active EU law enforcement investigations have shared data with us that we cannot disclose. The $100M+ estimate is based on the totality of this information. We use it because we believe it is conservative. If you are an investigator and want the full breakdown, contact us.

Community Reports & Warnings

Reddit Oct 2020 — "PSA: steals your funds" Reddit Nov 2020 — "Do not use xmrwallet.com" Reddit Dec 2020 — "is a scam" Reddit Mar 2021 — "wallet has been robbed" Reddit May 2021 — "xmrwallet.com scam" Reddit Dec 2022 — "is scamming me" Reddit Aug 2022 — "exit scam" BitcoinTalk — "[WARNING] Stay vigilant!" uBlock Origin — Added to blocklist ScamAdviser — Trust score: 1/100 Our tweets — vanlett.com/Phish_Destroy (LOCKED by Gold Checkmark) TweetFeed IoC — xmrwallet logged as threat indicator

"We had received no abuse reports" — the internet disagrees.

NameSilo claims in their March 13, 2026 tweet that they had never received abuse reports about xmrwallet.com prior to our contact. This is verifiably false. Public posts on BitcoinTalk (2021) and Reddit (as early as 2018) explicitly discuss filing reports with NameSilo about this domain. These posts are still indexed. They were not hidden, not encrypted, not on the dark web — they were on the two largest crypto forums on the internet. NameSilo's abuse team would have to be either spectacularly incompetent or deliberately lying. We know which one it is.

For regulators: Is there an authority that can audit a registrar's abuse ticket system? Subpoena NameSilo's internal records. Compare the number of reports they actually received vs. what they claimed publicly. The gap between those numbers is measurable, provable, and potentially criminal. They spent enormous effort scrubbing the internet of evidence against xmrwallet — but they couldn't scrub BitcoinTalk and Reddit.

A note about Monero and the victims you can't identify.

Monero is private. That's the point. It means victims can't trace their stolen funds. But it also means something else: the operator doesn't know who he stole from.

Over nearly a decade and an estimated $100M+, the xmrwallet operator drained wallets indiscriminately. Every user who deposited Monero and clicked "send" had their transaction hijacked. The operator has no idea who those people were. Some were retail crypto users. Some were investors. Some were researchers. And some were people with the resources and motivation to pursue justice.

We are researchers. We publish evidence and move on. But not everyone who lost money on xmrwallet.com will respond by writing a report. The operator should consider this. NameSilo should consider this. You helped protect a thief who stole from people he cannot identify, in amounts he cannot calculate, in a currency he cannot trace. Some of those people may pursue legal remedies the operator has not anticipated.

Social Media

Freedom of Speech — or Freedom of Scam?

View full bot analysis — 68+ live bot posts vs ~100+ deleted victim warnings → Reddit suppression — 60% removal rate, 38 posts silenced, 3-person sock puppet network →

Victim Suppression Campaign — 93 posts, 38 removed, 60% r/Monero removal rate

93 Reddit posts analyzed. 60% removal rate in r/Monero. 4 Reddit legal/DMCA takedowns filed by operator against victims. 38 posts silenced. $1.19M+ confirmed stolen from 40+ named victims. Full Reddit evidence →

Operator Identity Network — sock puppets, emails, GitHub accounts

3 Philippines-based sock puppets coordinating in same Reddit threads. Subreddit takeover after Reddit banned r/xmrwallet as spam. Darknet targeting (16+ posts in r/darknet, r/onions). Fake law firm GitHub account for intimidation. Sock puppet proof →

New Evidence — Deleted Reddit Posts & Victim Silencing (May 2026)

Full PullPush API archive analysis revealed 38 removed victim posts across Reddit. The operator filed DMCA/legal takedown requests with Reddit to silence victims who reported theft — including a $170,000 victim (1060 XMR) and a $500,000 victim whose post body was destroyed before archival. 20% of victim accounts are now [deleted]. The operator ran a 3-person sock puppet network from the Philippines that actively promoted the scam in darknet subreddits (r/darknet, r/onions, r/AbacusMarketAccess) — targeting users who can't report to police. Server infrastructure is co-hosted with bclubs.to (BriansClub carding marketplace — stolen credit cards) and kinogo.ec (Russian pirate streaming). ALL server neighbors are Russian-language sites on DDOS-Guard (Rostov-on-Don, Russia).

Warning tweets about xmrwallet — check which survived:

@Considered_ @cryptohako @BitBeacon_xyz @alferg1 @JamesAlphaXYZ @singhsoro ($20K victim)

SEO spam bots from 2018 — all still alive:

@venturecanvas (2018) — STILL LIVE — hundreds of social bookmarking bots with xmrwallet backlinks, all indexed.

We estimate 100–200 tweets total have been deleted across all accounts that ever mentioned xmrwallet.com truthfully — our reports from @Phish_Destroy, independent researchers, victim complaints, security warnings. All gone. Meanwhile, the operator purchased a Kwork service: "social media link blast — Twitter 50 posts, 500 rubles" (~$5 USD). He bought multiple packages. Hundreds of spam bot posts promoting xmrwallet.com from 2018 — every single one still live. Not one removed.

How Kwork SEO spam + PR Newswire press releases poisoned AI training data — ChatGPT and Grok now recommend the scam wallet

X/Twitter's actions demonstrate a clear double standard: bot spam purchased for 500 rubles on a Russian freelance marketplace remains untouched, while victim reports about a $100M+ theft and researchers with SHA-256 verified evidence get locked. X/Twitter should investigate which employees are processing these reports and why.

And to be clear: on April 3, 2026, we paid $200 for X Gold verification. The ban came immediately. X stated the payment would be refunded — neither the ban was lifted nor the refund issued. $200 for a Gold Checkmark we never got to use — but NameSilo's Gold Checkmark works just fine for filing reports against us. We submitted 5+ data export requests across 3-4 accounts — all denied or ignored. Those accounts contain approximately 200,000 tweets combined, each of which is potential evidence of someone's crime — a phishing site, a registrar's negligence, a victim's report. X is not just silencing us. X is withholding evidence of mass cybercrime and charging us for the privilege.

But NameSilo also managed to get some of our most inconvenient posts removed. For investigators: this is not a problem — request the deletion logs, verify who filed the reports, check the timestamps. Every removal is traceable. Every moderator action has a paper trail. The posts NameSilo wanted gone the most are exactly the ones that matter.

In our assessment, NameSilo's conduct is consistent with either direct operation of or financial partnership in the xmrwallet.com theft. No alternative explanation we identified accounts for this pattern of behavior.

After everything that happened — after the public exposé with 11K views, after 4 statements vs evidence with the operator's own emails, after ICANN filing, after law enforcement referral, after 3 other registrars suspending the same domains on the same evidence — the site is still live.

Ask yourself: what legitimate registrar would endure this level of public humiliation and regulatory risk for one client? What company would publicly commit to removing VirusTotal detections for a known drainer? What abuse department would fabricate a "compromise" story that contradicts the operator's own emails?

None — unless they own it or profit from it directly.

NameSilo, LLC (IANA #1479) is either the owner of xmrwallet.com, or a direct financial partner in a $100M+ theft operation. In our assessment, no other explanation accounts for their behavior. A client-registrar relationship does not produce this level of protection.

And there is a Russian intelligence trail here.

The infrastructure patterns, the operational security methodology, the CIS-marketplace freelance orders, the DDoS-Guard hosting, the suppression playbook — this is not a solo Canadian "volunteer" running a hobby project. This is an operation with institutional backing. The Russian connection is obvious to anyone who has worked in CIS cybercrime investigation. We have evidence. Investigators will receive it upon request.

🇷🇺 NameSilo is “American” — staffed by Russian cybercrime veterans click to collapse

NameSilo LLC is registered in Phoenix, Arizona. NameSilo Technologies Corp is listed on the Canadian Securities Exchange. But the actual engineering team is a Russian/CIS outsourcing operation spread across Russia, Belarus, Ukraine, Serbia, Argentina, and Latvia. At least 13+ Russian-speaking employees identified in the current and recent team:

🚨 Mikhail Chudinov — DevOps (full infrastructure access)

Location: Argentina (crypto-haven relocation)

Previous: Head of IT at SuperKopilka (Russian financial pyramid, collapsed 2017) for ~10 years. Also: COO at AtomX.online (crypto project), Poker Club Manager at Red Rock. Self-described “crypto enthusiast.”

This person holds DevOps keys to all NameSilo infrastructure. His resume: financial pyramid + poker + crypto.

🇷🇺 Ivan Borzenkov — PHP Backend Developer

Location: Bryansk, Russia. Phone: +7 920 602-0... (RU)

Previous: TrafficStars (adult/affiliate ad network, Latvia, grey adtech), Skyeng, AdMe.ru

GitHub: ivan1986 (Russia, Bryansk)

🇷🇺 Vladimir Voskov — Project Development Manager

Location: Moscow, Russia

Previous: Zyfra Company (Russian industrial automation, state contracts), «АНО Ассоциация участников технологических кружков». Education: Нетология (2021-2022)

Project manager sitting in Moscow, managing a US domain registrar.

🇷🇸 Tatiana Labutina — Senior Project Manager

Location: Belgrade, Serbia (post-2022 Russian relocation hub)

Previous: ForexClub Libertex (Russian forex broker, regulatory scandals), Social Quantum (Russian gamedev, St. Petersburg), Avatarico (Russian 3D startup)

🇧🇾 Aleksey Podashevskiy — Frontend Developer

Location: Belarus (sanctioned jurisdiction)

Working for a US registrar from Belarus raises serious compliance questions.

🇷🇺 Konstantin Gorokhov — Backend Developer

Location: Miami, FL (relocated from Russia)

Previously CS Specialist at NameSilo (2019-2021), promoted to backend

🇺🇦 Volodymyr Pohodaiev — Software Engineer

Location: New York (relocated)

Previous: Adsimilate Marketing (affiliate marketing, grey area), FinditQuick.com

The pattern: An “American” company whose DevOps engineer built IT infrastructure for a Russian financial pyramid. Whose PHP developer came from an adult ad network. Whose project managers sit in Moscow and Belgrade. Whose frontend developer works from sanctioned Belarus. Managed by a CEO in Miami (Kristaps Ronka) and owned by a Canadian shell (Brisio Innovations, CSE:BZI).

This is not an American technology company. This is a CIS outsourcing operation with a US mailing address. And it explains everything: why abuse reports are ignored (the team doing the ignoring shares the operator’s language and culture), why the suppression playbook matches Russian cybercrime patterns, why a DMCA request about xmrwallet was filed from Russia, and why 20+ complaints from international victims and security researchers produced zero action.

When you staff your “American registrar” with people whose previous jobs include financial pyramids, adult ad networks, and Russian state-connected companies — you get exactly the kind of registrar that protects a $100M+ phishing operation and calls it “customer service.”

A note to NameSilo — we are not playing your games

We see the xmrwallet.com domain transfer away from NameSilo. Do they think another registrar will inherit their problems? That moving the domain erases 10 years of complicity? We already know how NameSilo operates — they spend 85% of their Google Ads budget bidding on competitors’ names (GoDaddy, Namecheap), and their staff replies to tweets where users tag other registrars. Poaching customers by name while hiding behind a Russian outsourcing team — this is how they do business.

Transferring xmrwallet.com will not work. Every file in this archive is SHA-256 signed with timestamps. Every domain snapshot, every WHOIS record, every abuse report response, every dead domain count — captured and hashed before they started moving. Their actions now are not cleanup — they are additional evidence of consciousness of guilt.

Even if they transfer xmrwallet.com to another registrar. Even if they give away every laundering domain for free. Even if they activate every dead domain with a parking page. Our questions remain the same. Our files remain the same. Our hashes remain the same.

Who bought 1.67 million domains that were never used? Where did the money come from? Why did you publicly defend a $100M+ theft operation? Why does your DevOps engineer have a financial pyramid on his resume? These questions don’t go away because you moved a domain. They get louder.

🔐 How we know about the FSB connection — the full story click to expand

We've known xmrwallet.com was a phishing operation for a long time. An acquaintance of ours lost money there. We tried to get the site taken down — multiple times, over several years. You now know their methods because we've demonstrated them on ourselves and documented every step.

During this period, we wrote to websites that hosted paid promotional articles about xmrwallet — the Kwork-ordered SEO spam. We asked them to verify the claims in the articles, or at minimum remove the false information so people would stop falling for the scam. Most ignored us. One replied.

The reply came from a personal email address. The kind you can look up. We did. Not through any sophisticated OSINT — through a basic Telegram bot. The kind anyone can use. The result was unambiguous: the person's name, position, and employer came back instantly. The employer was the FSB.

The response was in Russian. It was rude. He threatened to "take our servers" and asked where we keep "the backups." We told him: under his mother's pillow. He didn't reply after that. We don't know what backups he was referring to. We found it funny. The article is still live on that site.

That's the FSB connection. Not speculation. Not pattern analysis. A direct response from a person whose employment at a Russian intelligence agency is publicly verifiable through their own operational security failure — using a personal email tied to their real identity. Classic. They suppress researchers and threaten server seizures, but can't be bothered to use a clean email address.

And if the FSB needs a backup of this archive too — it's on IPFS now. Immutable. Decentralized. No pillow required.

We will not name the website, the person, or provide the email address publicly. This information is available to law enforcement upon request. Contact [email protected].

A message to every moderator, every trust & safety employee, every platform admin who deleted a victim's post, locked an account, or removed a warning about xmrwallet.com:

We ask you to publicly explain why you did it. What rule was broken? What policy was violated? You deleted truth, silenced victims, aided $100M+ theft. That is not moderation — that is complicity. Every deletion is logged. Every removed review is traceable. Every locked account has a paper trail. Investigators can and will request those records.

To ICANN Contractual Compliance:
We submitted the full case file on March 18, 2026. Every screenshot. Every email. Every hash. Every lie debunked. Every victim documented. Every suppression attempt logged. You have it all. NameSilo, LLC (IANA #1479) — your accredited registrar — is actively protecting a Russian-linked scam operation that stole $100M+. The site is still live. The domain is still active. The operator posted a farewell letter and the site is STILL UP. Are you comfortable with this? Is this what ICANN accreditation means? A registrar can publicly lie, help a scammer remove security detections, use paid platform access to silence researchers — and keep their accreditation? We are waiting for your answer. The victims are waiting. The evidence is public. The world is watching.

A message from a victim — and a question about ICANN accreditation:
One of the victims contacted NameSilo and was told something along the lines of their "ICANN license" protecting them. Let's be absolutely clear about what ICANN accreditation is and what it is not:

ICANN accreditation is a license to register domain names. It is not a license to commit fraud. It is not a license to cover up money laundering. It is not a license to protect scam operators. It is not a shield against criminal prosecution. It is not a supreme court ruling that permits NameSilo to help a thief steal $100 million. It does not grant immunity from law enforcement, civil lawsuits, or regulatory action.

An ICANN-accredited registrar is more accountable, not less. The RAA (Registrar Accreditation Agreement) explicitly requires abuse handling. NameSilo signed this agreement. NameSilo violates it every day that xmrwallet.com remains active.

To victims: do not let anyone tell you that "ICANN accreditation" protects a registrar from consequences. It doesn't. Sue them. File criminal complaints. Report to your national cybercrime unit. Report to the Arizona Attorney General. NameSilo is a US company in Phoenix, AZ. They are subject to US law, regardless of what ICANN accreditation they hold. A driver's license doesn't protect you from a murder charge.

The ICANN Accreditation Theater

Here is something that genuinely baffles us. In every single abuse response, in every reply to every complaint, NameSilo cites their ICANN accreditation. Every time. Like a mantra. Like a prayer. Like a magic spell that makes abuse reports disappear.

"As an ICANN-accredited registrar..." — yes, and? Do you understand how absurd this sounds to anyone who works in this industry? Let us translate this into terms everyone can understand:

"We are ICANN-accredited" = "We have an SSL certificate"

"We are ICANN-accredited" = "We have a Cloudflare account"

"We are ICANN-accredited" = "We paid a deposit and filled out a form"

"We are ICANN-accredited" ≠ "We are above the law"

"We are ICANN-accredited" ≠ "We cannot be sued"

"We are ICANN-accredited" ≠ "Our crimes are sanctioned"

ICANN accreditation is a commercial license. You pay a deposit. You fill out paperwork. You agree to follow the RAA (Registrar Accreditation Agreement). That's it. It does not make you a regulator. It does not make you untouchable. It is not a fund that covers the actions of fraudsters you protect. It is not a judicial shield. An SSL certificate on a phishing site doesn't make it legitimate — phishers buy SSL certificates every day, including the expensive EV ones. A Cloudflare account doesn't make you safe — every malware distributor has one. And ICANN accreditation doesn't make you honest — it just means you paid the fee.

And it gets better. NameSilo doesn't just cite ICANN accreditation in abuse responses — they put it in their financial filings. In the Q3 2025 earnings release filed on SEDAR+ (November 28, 2025), the company describes itself as: "As an accredited ICANN registrar, Namesilo is one of the fastest-growing domain registrars in the world." This is in an earnings report. For investors. On a securities filing platform. Instead of disclosing that 81.5% of their "domains under management" are phantom registrations with zero traffic, they lead with ICANN accreditation. It's not just a reflex at this point — it's a securities disclosure strategy. Wrap the phantom numbers in the ICANN badge and hope nobody checks. We checked. Source: Stockwatch →

By the time an ICANN complaint is reviewed, processed, and acted upon, the scam domain has already expired, the money is gone, and the victims have given up. The process is slow by design. Filing an ICANN complaint is like calling the fire department after the building has burned down, been demolished, and turned into a parking lot. This is not a check. This is not oversight. This is theater.

Case in point: Trustname.com (IANA #4318) — an ICANN-accredited registrar. "Fastest growing independent registrar." Our investigation found: Estonian tax filings showing €120 in revenue, one employee, negative equity, and a company deletion notice. Both owners are Belarusian. The registrar openly markets bulletproof hosting, serves scam casinos, 18+ content, illegal pharmacies, and fraud operations. ICANN-accredited. Does that accreditation make them legitimate? Does it protect the victims of the scam casinos they host? Of course not. It just means they filled out the same form NameSilo did.

Maybe we should buy ICANN accreditation too. Then we can write it everywhere:
"Hi, this is PhishDestroy. ACCREDITED BY ICANN, CREDENTIALED BY DOMAIN CCK, PAYMENT PROCESSED BY A REGISTRAR AND A HOSTING PROVIDER."
Sounds impressive, right? Sounds like it means something? It doesn't. And when NameSilo writes it in every response to every abuse report they ignore — it doesn't mean anything either. Except that they think it does. And that delusion is part of the problem.

RAA Section 3.18 — the clause NameSilo pretends doesn't exist.
The Registrar Accreditation Agreement — the document NameSilo signed — includes Section 3.18, which explicitly requires registrars to investigate and respond to abuse reports. Not ignore them. Not delete them. Not fabricate cover stories. Not offer to clean VirusTotal detections for the reported domain. Investigate. Respond. Act. We started citing RAA 3.18 in every single report we file. NameSilo's response? The same ICANN accreditation mantra. They invoke the very authority whose rules they violate — in the same sentence where they violate them. It would be comedy if people weren't losing millions.

Maybe NameSilo has a special ICANN — a private edition, issued by the grandfathers from Lubyanka? A bespoke accreditation where 3.18 reads: "The registrar shall ignore all abuse reports, help the scammer clean his record, and cite this accreditation as justification." Because that's how they behave. They use the ICANN badge the way a corrupt cop uses a police badge — not to enforce the law, but to break it with impunity.

ICANN is not the police. It's the DMV.

ICANN was created in 1998 when the internet was an academic project, not a battlefield. Its mandate is technical stability — making sure .com resolves the same in Tokyo, Berlin, and Moscow. It coordinates the root DNS zone, distributes IP addresses (IANA), and maintains protocol standards. Without ICANN, the internet fragments. That's why it exists. Not to police fraud. Not to protect victims. Not to investigate money laundering.

The RAA is a contract, not a law. Violating RAA 3.18 is breach of contract, not a crime. ICANN's ultimate sanction — revoking accreditation — takes years, creates precedent they fear, and risks thousands of domains in limbo. They won't do it. NameSilo uses a DMV certificate as an alibi in a murder trial. ICANN accreditation doesn't protect you from securities fraud, money laundering, or aiding a $100M theft. The real enforcers are FinCEN, SEC, FBI, and the Arizona Attorney General. ICANN is a decoration.

This is not the first time. Artists Against 419 (2018).

Before xmrwallet, before PhishDestroy, another organization tried. In 2018, Artists Against 419 filed ICANN Compliance complaint UNY-783-11184, accusing NameSilo of being a "bullet-proof registrar" for scammers. Their evidence: reseller QHoster (linked to NameSilo) was responsible for 60% of malicious domains they tracked. NameSilo's response: "We are not a hosting provider" and "We cannot determine the legality of content." ICANN's response: closed the complaint. Reason: the registrar "did not receive the report" or the issues "were outside ICANN's scope."

That was 2018. It's 2026. Nothing changed. The same registrar. The same abuse pattern. The same ICANN non-response. An ICANN Notice of Breach will not fix NameSilo — because abuse is not a bug in their business. Abuse IS the business. You don't send a code-violation notice to a building that was designed to be a front. You send law enforcement.

Why ICANN can't act — and why DOJ won't

Abuse, phishing, scam protection, money laundering, FSB connections — all outside ICANN's mandate. They say so themselves. RAA 3.18 requires "investigating abuse," but ICANN has no investigators, no courts, no power to force-close domains, and no mechanism to verify that a registrar actually investigates. For ICANN, "we received the letter and replied" = compliance. Whether the reply says "we'll remove it" or dismisses the complaint entirely — ICANN doesn't read it.

NiceNIC, Trustname, NameSilo — all technically compliant: pay fees? Yes. Submit data escrow? Yes. WHOIS works? Yes (via PrivacyGuardian). Their business model is ignoring abuse. But ICANN can't punish that, because ICANN doesn't evaluate the content of abuse responses. For bullet-proof registrars outside the US, ICANN's only option is revoking accreditation — a process that takes years and leaves thousands of domains in limbo. ICANN fears technical collapse more than it fears fraud.

NameSilo is a special case. It's a US company in Phoenix, Arizona — subject to US law (Arizona AG, FBI, FinCEN, SEC). ICANN shouldn't need to handle this. This is DOJ's job. But DOJ is silent too:

ICANN — fears losing a "top 10 registrar" with 5M+ domains. Market weight matters.

DOJ — busy with Doppelganger, LabHost (NameSilo domains were seized, but LLC not named as defendant).

NameSilo — pays fees, submits escrow, doesn't violate technical RAA clauses. Formally clean.

Result — everyone has jurisdiction, nobody acts. The gap between "technically compliant" and "actively criminal" is where NameSilo lives.

This is not a single abuse incident that ICANN can address with a Notice of Breach. This is a systemic business model built on enabling cybercrime — phishing, crypto drainers, darknet services, and what the financial data strongly suggests is money laundering at scale. ICANN compliance letters don't fix that. Federal prosecution does.

njal.la is NameSilo. Period.

NameSilo's favorite defense: "That's our reseller, njal.la. We have no control." WHOIS says otherwise. Look up any njal.la domain — the WHOIS registrar field reads NameSilo, LLC. Not njal.la. Not some independent entity. NameSilo. Whatever internal partnership or reseller agreement they have is their private business. To the outside world — to ICANN, to law enforcement, to victims, to WHOIS — these are NameSilo domains under NameSilo's accreditation and NameSilo's responsibility.

Njalla is a legitimate privacy-focused registrar founded by Peter Sunde (of Pirate Bay). It serves journalists, activists, and privacy-conscious users. But its privacy features — registrant shielding, no public WHOIS, minimal paper trail — were systematically exploited to register crypto scam domains and drainers under NameSilo's accreditation. When abuse reports arrived, NameSilo pointed to njal.la; njal.la pointed to privacy. The domains stayed up. The money disappeared. The privacy shield became an abuse shield. Their internal arrangements do not override WHOIS data, ICANN rules, or the law. You cannot outsource your ICANN obligations to a privacy reseller and then claim innocence when domains under your accreditation steal $100 million.

How other registrars compare — from someone who scans hundreds of thousands of domains.

We are not theorists. We scan, analyze, and report domains at scale — hundreds of thousands of them. We work with registrars every day. Here is what we see:

WebNic (~800K domains)

Improving. They now have a real abuse handler — an actual human who reads reports and takes action. He doesn't yet realize their IPs are being blocked by Cloudflare (sends screenshots of "site not working" instead of "phishing"), but there is visible progress. A registrar that is trying to get better.

NiceNIC (Russian, not Chinese)

Hopeless. Will only improve when they cease to exist. A registrar whose business model is built on not responding to abuse. But even NiceNIC never publicly defended a scammer on Twitter. Even NiceNIC never offered to clean VirusTotal for a drainer. Even they have limits.

NameSilo (IANA #1479)

Invented its own ICANN. Created its own WHOIS. Plays by its own rules. Uses accreditation as a weapon, not an obligation. Even Russian registrars like Reg.ru stopped doing what NameSilo does around 2021. NameSilo is still doing it in 2026. They are not a rogue registrar. In our assessment, they are a criminal enterprise with an ICANN badge.

We are not ICANN experts. We are not lawyers. But we destroy 500,000+ phishing domains and can see what entire regulatory bodies apparently cannot: a registrar that invents its own laws, hides behind its own resellers, cites its accreditation as a defense while violating its accreditation's core requirements, and launders money through phantom domain registrations.

To U.S. federal and state authorities — particularly the State of Arizona:
NameSilo, LLC (Phoenix, AZ) is a US-incorporated company protecting a CIS-linked criminal operation that stole an estimated $100M+ from victims worldwide. The evidence is public, the ICANN filing is on record, the operator is identified, the lies are debunked, and the suppression campaign is documented.

This is not a business dispute. This is a US company facilitating ongoing international fraud. The infrastructure patterns — CIS-marketplace freelance orders, DDoS-Guard hosting through Russian-jurisdiction providers, operational methodology consistent with state-adjacent cybercrime — are textbook.

FBI, DOJ Cyber Division, Arizona Attorney General, FinCEN — the evidence package is ready. Contact us and we will provide everything, including materials not published here.

For the FBI specifically: NameSilo fabricated public statements, suppressed security researchers, and offered to remove VirusTotal detections for a known drainer. European authorities have requested information from X/Twitter regarding related cases and received no response — we know this from direct communication with both victims and a competent authority in an EU member state (details cannot be disclosed under EU data protection law). Ask NameSilo why. Ask them who. Ask them how much. Ask before the evidence trail goes cold — though we have ensured most of it cannot be deleted anymore.

If a registrar can say "we received no complaints" while the internet's own memory proves otherwise — if they can delete the evidence using DMCA requests and face zero consequences — then what is the point of regulators? ICANN accreditation becomes a rubber stamp and abuse handling becomes theater.

Subpoena their abuse ticket system. Compare it to what they claimed publicly. The gap between those numbers is the measure of their complicity.

Open Challenge

Prove that a single word we published is false —
and we will take everything down ourselves.

One word. One claim. One screenshot. Show us what's wrong.

0 factual rebuttals received
in 10 years of operation & months of investigation

Across hundreds of pages of evidence, dozens of victim reports, and 61 SHA-256 verified screenshots — not the operator, not NameSilo, not X, not anyone has produced a single factual rebuttal. Not one.

But if everything we say is true — then DO SOMETHING.

They are stealing millions. Right now. Today. The site is live. The domain is active. Victims are losing money while you read this. Act now.

We did not spend months of our lives building this archive, and victims did not lose millions of dollars, so that a Russian-speaking scammer could post one lie on Twitter and then cry that we saved it. NameSilo wrote 4 false sentences from an official corporate account. We archived them. They got upset that the archive exists. Their entire defense is not "it's false" — it's that the archive exists at all.

That's not how this works. You said it. We saved it. The world can read it. Deal with it.

NameSilo's response playbook — and our pre-written answers

We've dealt with enough registrars to know exactly what they'll say. Here's the script, and here's why it doesn't work.

🎙 "We are an ICANN-accredited registrar."

Yes, we know. It's a commercial license, not a character reference. Trustname.com (IANA #4318) is also accredited with €120 revenue.

🎙 "The domain was compromised."

SHA-256 hashes show code/IP never changed. Operator never claimed compromise. You invented this story.

🎙 "We had received no abuse reports."

20+ reports from us, 100+ total from public posts (BitcoinTalk 2021, Reddit 2018).

🎙 "Dead domains are normal in our industry."

Baseline is 15-21%. You're at 32.2% (2x baseline), with 615% YOY spike and 10K-17K/day bulk runs. Explain the gap.

🎙 "njal.la is an independent reseller."

WHOIS says NameSilo, LLC. Your internal arrangements don't override public data or law. Njalla domains are your responsibility.

🎙 "We will pursue legal action."

Operator threatened this in Feb. We're on IPFS. Claims are sourced, SHA-256 verified. Truth is defense. Sue us — this archive becomes court exhibit A-Z.

🎙 [Silence]

Also an option. Evidence sits on decentralized network. Silence is not a strategy. It's a countdown.

NameSilo & the SEO Grandpa playbook — same tricks:
NameSilo buys reputation the same way the xmrwallet operator does — different budget, same playbook. Forbes Advisor "review" ($50,000+ placement). Yahoo Finance press releases (labeled "paid"). Wikipedia article (flagged as promotional). Trustpilot bot farm (92% manipulation probability). Both use PR Newswire (Cision) for press releases. Both have almost zero organic web presence. The detailed fact-check of Forbes, Trustpilot data analysis, and BBB complaints are in the evidence section below.

Behavioral Pattern Match — Operator vs Registrar

We weren't looking for this. While investigating xmrwallet's fraud infrastructure, we noticed something unexpected: both entities use the same PR platform, both have zero organic web presence, both delete Trustpilot reviews, and both respond to evidence with threats instead of facts. These are not coincidences — they are structural.

Three Improbable Coincidences

1. The operator invites us to subpoena his own registrar — and the registrar helps him.

Operator emails "Feel free to subpoena the domain registrar" — then NameSilo publicly offers to remove VirusTotal detections for him. He already knew how they'd react.

2. A registrar ignores 10 years of theft reports — while laundering millions through phantom domains.

31+ abuse reports. NameSilo: "we had received no abuse reports." Meanwhile: 5.18M domains, 81.5% dead, 615% registration spikes. A company processing millions in suspicious registrations has a financial interest in not investigating fraud.

3. Both entities have nearly identical web footprints — zero organic presence.

xmrwallet: 94 referring domains. NameSilo: 102. Both use PR Newswire/Cision. xmrwallet release posted 1 day before NameSilo's. Same platform. Same week.

Each coincidence alone might be explained away. Together, they describe a single operation.

Side-by-Side: 8 Matching Behavioral Patternsxmrwallet operator vs NameSilo — same playbook, different budget

Critical +

xmrwallet / "Nathalie Roy"

NameSilo Technologies Corp

1. Paid PR Instead of Transparency

Uses PR Newswire ($500-1500/release). An anonymous "volunteer project" spending thousands on premium corporate PR distribution. Fake contact: +1 300-227-473 (area code doesn't exist).

Uses PR Newswire for all investor relations. When confronted with abuse evidence — responds with PR, not action. 12 releases archived.

2. Threats Instead of Arguments

"Nathalie Roy" threatens PhishDestroy. "Hired a lawyer and PI." No lawyer appeared. No substantive response to any technical finding.

Official tweet: "halt your falsehoods or face legal action." Zero engagement with specific evidence. Same void where substance should be.

3. Manufactured Legitimacy

Kwork SEO spam (500 rub). PR Newswire releases. 44 coordinated bot tweets. Creates appearance of legitimate crypto project.

Forbes ($50K+ placement). Yahoo Finance (auto-syndicated from PR Newswire, labeled "paid"). Wikipedia (flagged promotional). Trustpilot bot farm (92% manipulation probability).

4. Zero Engagement With Evidence

GitHub Issue #35 documents theft mechanism with code analysis. 80+ Trustpilot reviews. Zero response to any technical evidence.

31+ abuse reports about xmrwallet since 2018. BBB complaints. ICANN complaints. PhishDestroy provided detailed technical evidence. Response: "no abuse reports" and "in-depth review found no issues." Zero documentation of review process.

5. Trustpilot Manipulation — Both Delete Negatives, Both Buy Positives

7+ reviews deleted (Wayback proof). Victim Erma Powell (verified, green checkmark): "developers took everything" — deleted as "guideline breach." 3 of their own bot reviews also deleted after serving purpose. [Screenshot]

129 reviews deleted in 4 months (2,609 → 2,480, Wayback proof). Rating recovered 4.5 → 4.7 despite adding 600+ reviews. 57 perfect reviews from Hong Kong. Low-quality 5-star from single-review accounts praising "Leonid." [Browse 2,480]

6. Deny, Deflect, Disappear

Silence → threats → evidence destruction. Deleted GitHub Issues #35 & #36 with victim reports. We had already archived everything.

"In-depth review" with zero documentation. When pressed: legal threats. An investor tries to doxx an independent researcher by country, then deletes tweets. No engagement with any specific piece of evidence.

7. Disproportionate Spending

"Volunteer project" that spends $1,500+ on PR Newswire, $550/month on DDoS-Guard bulletproof hosting, runs bot campaigns, buys Kwork SEO. GitHub repo frozen since Nov 2018 (5+ years AFK). Where does the money come from?

$65.5M revenue while refusing to invest in abuse prevention. Revenue from domain registrations — including phishing domains — funds the PR machine.

8. Evidence Destruction Under Pressure

Operator deletes GitHub code, issues, commits. DDoS against phishdestroy.io. Coordinated reporting on every platform.

Locks @Phish_Destroy via Gold Checkmark. All phishdestroy.io results removed from Bing. DDoS traffic traced to njal.la — NameSilo's own reseller.

Trustpilot Forensics — Wayback Machine Proof7+ xmrwallet reviews deleted, 129 NameSilo reviews deleted in 4 months. Verified victim Erma Powell silenced.

Wayback Proof +

xmrwallet Trustpilot: May 2024 Wayback snapshot shows 45 reviews, rating 3.6 (27% one-star). Current scrape: 80 reviews, 51% five-star. We compared names: 7 reviews deleted from page 1 alone, including:

• "Elmo T. Johnson" — "XMRWallet swindled my funds. 1200 monero was vanished" — DELETED
• "B.Costa" — "Nathalie solved it" — DELETED (mentions operator by name)
• 2 verified reviews (Trustpilot checkmark) — DELETED
• 3 of their own bot reviews ("Thomas", "Jabari Rivera", "Evelyn Malik") — deleted after serving purpose

Victim testimony: Erma Powell (verified Trustpilot account, green checkmark) posted Apr 22, 2024: "I'm in a panic, I created a wallet on the official site, put money in and the developers took everything, the code on github has nothing to do with this site." Trustpilot removed it: "breaching Guidelines for Reviewers."

Erma Powell verified victim review - deleted

Wayback Machine xmrwallet Trustpilot May 2024

NameSilo Trustpilot: Jan 2026 Wayback snapshot: 2,609 reviews. Current (May 2026): 2,480. That's 129 reviews deleted in 4 months. Rating: 4.7 (2023) → 4.5 (2024) → 4.7 (2025) — recovered despite adding 600+ reviews. This only happens when negatives are deleted faster than they arrive.

Wayback Machine snapshots: NameSilo Trustpilot 2023 → 2024 → 2025 → mid-2025 → Jan 2026. Track the review count and rating changes over time. Click to enlarge.

Sources: Wayback xmrwallet May 2024 · Wayback NameSilo Jan 2026 · Full data (JSON)

1.8

SmartCustomer.com — Where NameSilo Can't Delete Reviews42 reviews, 1.8/5 rating, 76% one-star. Compare with Trustpilot's manipulated 4.7/5.

Contrast +

On Trustpilot, NameSilo maintains a 4.7/5 rating by deleting 129 negative reviews in 4 months and planting bot reviews praising "Leonid." On SmartCustomer.com — a platform where businesses cannot delete reviews — NameSilo's real rating is 1.8/5. 76% are one-star.

4.7/5

Trustpilot (manipulated)
129 reviews deleted, bots planted

1.8/5

SmartCustomer (unmanipulated)
42 real reviews, 76% one-star

Abuse-related reviews on SmartCustomer:

Stijn V. (Oct 2025): "We reported a fraudulent copy of an existing domain, the fraudulent domain is actively sending out phishing emails. The abuse report procedure is not yielding results. NameSilo is making profit out of fraudulent activities."

Akif A. (Jan 2025): "NameSilo has demonstrated complete incompetence in handling complaints about phishing sites. I have repeatedly contacted their support team with clear evidence of fraudulent activity..."

caaapkxtsgoold c. (Sep 2023): "NameSilo tries to hide reports of phishing by ignoring communications to their abuse contact info and forcing you to use their internal form system so that you cannot prove..."

Britney H. (Apr 2023): "NameSilo protects pedophilia and criminals, after numerous reports they do nothing."

And the 5-star reviews? Same pattern as Trustpilot — "Leonid was extremely helpful with all my questions" (Jagoda S., May 2025). Same name, same template.

Source: smartcustomer.com/reviews/namesilo.com · Full data (JSON, 42 reviews) · HTML cached: p1 p2 p3

Trustpilot vs Reality — Both Entities, All PlatformsWhere they can delete reviews: 4.7/5. Where they can't: 1.8/5 and 1.5/5. Same suppression playbook, same platform.

Pattern +

Trustpilot's business model prioritizes companies over consumers. Businesses can flag reviews, request removals, and leverage paid features to manage their reputation. Both xmrwallet and NameSilo exploit this to suppress truth. On platforms where they can't — the real ratings emerge.

xmrwallet.com

Trustpilot3.6 → 4.1/5(manipulated)

SmartCustomer1.5/5(4 reviews, all 1-star)

ScamAdviser1/100(trust score)

NameSilo

Trustpilot4.7/5(manipulated, 129 deleted)

SmartCustomer1.8/5(42 reviews, 76% one-star)

MyWOTDocumented(screenshot)

The Trustpilot pattern is identical for both: aggressively delete negative reviews, plant bot positives (praising "Leonid" for NameSilo, praising "Nathalie" for xmrwallet), maintain an artificially high rating. On Trustpilot, a phishing wallet that stole $100M+ had a rating higher than most legitimate cryptocurrency exchanges. No other Monero wallet even has a Trustpilot page — because real wallets don't need reputation laundering.

Both exploit Trustpilot's business-first model where the company being reviewed has tools to flag, dispute, and remove reviews. On platforms without these tools (SmartCustomer, ScamAdviser) the truth emerges instantly. Same platform. Same playbook. Same result.

The pattern that proves it's deliberate:

Both entities removed themselves from every honest review platform — Sitejabber (now SmartCustomer), ScamAdviser, MyWOT — but kept and actively managed only Trustpilot, the one platform where businesses can suppress negative reviews. Consider what this means:

SmartCustomer/Sitejabber — xmrwallet: 1.5/5. NameSilo: 1.8/5. Both requested delisting or stopped engaging. Real reviews stayed.

ScamAdviser — xmrwallet: Trust Score 1/100. Both present but unable to manipulate scores.

MyWOT — Both documented. Cannot suppress community safety ratings.

Trustpilot — xmrwallet: rating above most crypto exchanges. NameSilo: 4.7/5 (129 reviews deleted in 4 months). The ONLY platform where they maintain high ratings.

Where they can't delete — they abandon. Where they can delete — they invest. Both entities chose the same platform, used the same methods, and achieved the same result: fake credibility. This is not two separate decisions. This is one playbook.

Sources: SmartCustomer xmrwallet · ScamAdviser xmrwallet · MyWOT xmrwallet · MyWOT NameSilo · ScamAdviser NameSilo · All screenshots & HTML cached.

How Reputation Manipulation Actually WorksPaid services to delete reviews, deindex articles, remove Google results. Real prices. Real marketplace. This is how they do it.

Context +

Many people assume it's impossible to manipulate search results, delete reviews, or control what appears online. It's not only possible — it's a professional industry with fixed prices and guaranteed delivery.

There are escrow-based platforms where reputation management is sold as a service. Money goes in, the order is verified, the negative content disappears, the seller gets paid. These are not underground forums — they operate openly with "VIP Member" badges, review counts, and customer ratings. The services include:

Published prices (from screenshotted listings):

Deindex news article from Google: $800+ (24-48 hrs)

Remove Google Review: $500 (14 days)

Remove Trustpilot review: available

Remove Glassdoor review: $1,200

Remove Reddit post: $1,000

Deindex blog post: $150 (14 days)

Full YouTube video removal: $1,000 per video

Negative Article Removal: $1,000 (24-72 hrs, "High Success Rate")

Forbes "organic" feature placement: available ("100% Non-Sponsored" claim)

TikTok account takedown: $250 per case

This is how xmrwallet maintained a Trustpilot rating higher than legitimate crypto exchanges while stealing $100M+. And how NameSilo maintains 4.7/5 while 76% of real reviews on other platforms are one-star. It's not magic — it's a marketplace.

Proof that this suppression is active against us: NiceNIC (another bulletproof registrar) flagged and removed our Trustpilot review — a moderate 3-star, factual assessment — claiming it contained "harmful or illegal content." The same mechanism. The same playbook.

Deindex ANY website, forum, article - $800

Price list: deindexing, removal, suppression

FB removal, Amazon, Glassdoor deindexing prices

TikTok takedown, Negative Article Removal

PhishDestroy NiceNIC review removed by Trustpilot

Screenshots from reputation management marketplaces (platform name withheld). Last image: PhishDestroy's own Trustpilot review of NiceNIC — removed after being flagged as "harmful content." A factual, moderate 3-star review about a registrar with 1.5/5 real rating. This is the system they exploit.

PR Newswire Releases — All 15 Archived3 xmrwallet + 12 NameSilo. Same platform, same pipeline. "Volunteer wallet" on a stock-price platform.

Key Link +

A "volunteer open-source wallet" publishing press releases on a platform designed for publicly-traded companies is not normal. It's someone with access to a corporate PR account — or the same PR agent.

xmrwallet releases

Jan 21, 2026 — "Expands Privacy Access with Full Tor Network Integration"
Apr 19, 2023 — "Upgrade Website to Support Charities"
Sep 26, 2023 — "Companies Embrace Cryptocurrency"
Contact: Nathalie Roy, +1 300-227-473 (fake), [email protected]

NameSilo releases (12)

Jan 22, 2026 — "Surpasses 6 Million Domains" (1 day after xmrwallet)
May 1, 2026 — 2025 Year-End Results
+ 10 more: Q1-Q3 results, SewerVue, CommerceHQ, Reach Systems, subsidiary sale

The Tor release kicker: the PR Newswire release announces "Tor Network Integration" for an "open-source" project whose last GitHub commit was November 6, 2018 — over 7 years before. No Tor code was ever committed. They paid $800+ to advertise a feature that doesn't exist in their codebase.

All 15 pages archived: Browse cached releases

Operator's Farewell Letter — May 5, 2026Admits investigation forced closure. Signed "The Creator." Domain still active. NameSilo still hasn't suspended it.

New +

On May 5, 2026, the xmrwallet operator posted a closure announcement on the site. Signed "The Creator." The letter admits that the investigation forced shutdown — but contains verifiable lies and contradicts his earlier emails. The domain remains active. NameSilo still hasn't suspended it.

Read the full farewell letter →

NameSilo tweet - threats instead of facts

Left: NameSilo's official response — threats, zero facts. Center: Yahoo Finance labels their "news" as "paid press release" (Cision logo). Right: Forbes Advisor shows "We earn a commission" — paid review placement, not journalism.

The Registrar

But let's talk about NameSilo itself.

How we stumbled onto this — from gut feeling to 130M domain analysismethodology+

How we stumbled onto this.

We never set out to analyze NameSilo's entire domain portfolio. We work with registrar data constantly — it's part of what we do when tracking phishing infrastructure. We know that a large percentage of domains on the internet are dead. That's normal. People buy domains and forget about them. Companies register names defensively. Speculators sit on inventory. We get it. We never assumed that "dead domain = suspicious."

But when we were scrolling through the NameSilo dataset — 5.18 million rows — something felt off. Not a statistic. Not a number. Just a visual impression. Row after row of gibberish domain names. sdf8k3jx.sbs, x9wqm2.cfd, aaa111bbb.xyz — with no IP, no email, no phone, no Majestic rank. Just... nothing. Thousands of them. Tens of thousands. The sheer density of emptiness was unusual. We've looked at datasets from GoDaddy, Namecheap, Tucows — they all have dead domains, but the ratio of obviously-random-garbage to real-looking names was different at NameSilo. It was visible to the naked eye.

So we decided to count. Not to prove a theory — we didn't have one. Just to see if our gut feeling was backed by numbers. We pulled datasets from 8 registrars, 130 million domains total, applied the same methodology to all of them, and compared.

The gut feeling was correct. NameSilo was 10 percentage points above its closest competitor. The dead domain rate was 2x the industry baseline. And when we dug deeper — the 615% year-over-year spike, the 10,000 domains/day bulk runs, the junk TLD concentration — it stopped looking like neglect and started looking like a pattern. We didn't go looking for money laundering. The data showed it to us.

Suspected Money Laundering Flow

$100M+ stolen XMR

    │

    ▼

Crypto → Fiat conversion (mixers, DEX, OTC)

    │

    ▼

Bulk domain purchases at NameSilo

    │    10,000-17,000 domains/day

    │    $26.5M wholesale on dead domains

    │    96% no email, 99.9% no web presence

    │

    ▼

NameSilo reports "legitimate revenue"

    │    C$65.5M revenue (2025)

    │    C$133M market cap (~US$98M)

    │    P/E 143.8x (industry avg: 21x)

    │

    ▼

Forbes "review" ✓   Wikipedia "coverage" ✓   Trustpilot bots ✓

    │    Purchased legitimacy

    │    All paid. All labeled. All provable.

    │

    ▼

Clean money out  →  Stock (CSE: URL)  →  "Legitimate tech company"

Why are 81.5% of NameSilo domains dead?

DNS scan: 32.2% no IP + 33% parking stubs = 2.82M (54.4%). Full economic analysis (age, MX, content, patterns): 4.22 million dead domains — 81.5% of 5.18M. There are only 3 possible explanations. All of them are damning:

Theory 1: Money Laundering

Stolen funds converted to domain purchases. Registrar gets "revenue." Domains are never used — the transaction IS the purpose. $50.8M/year phantom profit from dead registrations.

Theory 2: Self-Dealing

NameSilo buys domains from itself to inflate revenue. C$65.5M revenue looks great for investors. But 81.5% of domains are dead. Real active-customer revenue is ~C$12M. The stock trades at P/E 143.8x on phantom numbers. Securities fraud.

Theory 3: Front Operation

The registrar was never built for real customers. The Win98 panel, the $15.56 .com price (#96 of 130), the ignored abuse reports — these aren't failures. They're features. The real product is the transaction itself: accept money, register domain, report revenue, never ask questions. A front doesn't need a good UI. It needs a good accountant.

"But maybe there's a legitimate explanation?" — every excuse debunked4 counterarguments+

We've heard every excuse. Let's address them honestly:

"Chinese gambling sites buy bulk domains"

Gambling sites use their domains. They have websites, content, traffic, ads. NameSilo's dead domains have no IP, no DNS, no MX, no content. Nothing. A gambling operator buying 10,000 domains puts casinos on them. NameSilo's buyers put nothing.

"Privacy-conscious users don't activate domains immediately"

Privacy registrars exist — Njalla, Gandi, even NiceNIC. Their customers buy domains to use them, privately. NameSilo's dead domains aren't private-but-active. They're private-and-dead. No website. No email. No DNS. For years. That's not privacy — that's a transaction with no purpose except the transaction itself.

"Every registrar has dead domains"

Yes. Industry baseline: 15-21%. Namecheap: 32.6%. NameSilo: 81.5%. That's not a difference in degree. That's a different business model. And it's growing — 615% year-over-year spike in dead registrations. No legitimate market force produces this pattern. Organic domain sales don't grow 6x in one year while the domains being sold are never used.

"Domain investors hold portfolios"

Domain investors park domains on Sedo, Afternic, or Dan.com — showing "for sale" pages. That registers as alive in our scan. NameSilo's dead domains don't even have parking pages. They have nothing. An investor who buys a domain and doesn't even park it is an investor with no intention of selling. That's not investing. That's laundering.

No rational buyer — Chinese, American, or Martian — purchases thousands of domains per day, with growing volume, to never use them. There is no legitimate fourth explanation. If you find one, we'll take everything down.

The NameSilo Pyramid — 5.18M domains deconstructed layer by layerfull breakdown + renewal trap + .sbs monopoly+

The NameSilo Pyramid — 5.18 Million Domains Deconstructed

What happens when you actually check if anyone uses these domains?

Total domains

5,179,405

100%

No DNS + parking stubs

2,882,774

56%

Has a real IP address

2,296,631

44%

HTTP alive (actually responds)

~958,188

18.5%

Real business (org/company)

54,855

1.06%

Top-million (has real traffic)

17,875

0.35%

Tranco top 10K

58

out of 5.18M

What this means in human terms:

99.65%

of NameSilo's portfolio has
ZERO confirmed traffic

1 : 1.3

For every 1 top-million domain,
1.3 phishing domains

387x

Phishing domains outnumber
Tranco top-10K by 387x

The "dirty ratio" depends on what you compare against:

vs Total (5.18M):      0.43% — "barely anything"

vs Live IP (2.3M):     0.98% — "almost 1%"

vs HTTP alive (958K):  2.34% — "every 43rd site"

vs Top-million (17.8K): 125.6% — "more scam than legit"

vs Real business (54.8K): 40.9% — "1 phishing for every 2.5 businesses"

This is why NameSilo buys phantom domains. When you compare 22,000 malicious domains against 5.18 million total, it's "0.43% — barely anything." But when you strip away the dead weight and compare against domains that actually work, the picture changes completely. The phantom domains are a statistical smokescreen.

Why would anyone choose NameSilo?

A serious question. We looked at every possible reason and tested each one.

Why Namecheap as the benchmark? Both companies are in the same US state (AZ), similar scale, both accept cryptocurrency, both offer API access, and both compete for the same budget-conscious bulk registrant. Namecheap is the closest legitimate analogue to NameSilo — same market, same tools, same customer base. Any difference in dead domain rates, abuse patterns, or business practices between these two cannot be explained by pricing or geography. We have no affiliation with Namecheap and do not intend to cause them any reputational harm. They appear in this report solely because they are the most methodologically honest comparison available. We apologize to Namecheap for any inconvenience this comparison may cause.

Every ICANN-accredited registrar sells the same product — domain names. The TLDs are identical. A .com from NameSilo and a .com from Namecheap point to the same root servers, managed by the same registry (Verisign). There is zero technical difference. So why would a customer choose NameSilo? Let's check every possible reason:

Is it the price?

We checked .com prices across 136 ICANN-accredited registrars using tldes.com (independent price comparison, updated live). Here's where NameSilo actually ranks:

NameSilo's own "vs Other Registrars" page compares their $17.29 against Squarespace ($20), GoDaddy ($23.98), and Name.com ($17.99) — cherry-picked expensive competitors with inflated prices. They conveniently forgot the 95+ that are cheaper. Here's the comparison they didn't want you to see:

#.com RegistrarRegisterRenewTransfer

1Spaceship$2.90$10.18$8.17

3GoDaddy$5.19$23.19$13.19

6Namecheap$6.99$14.98$11.08

14Dynadot$8.99$10.88$10.49

23Porkbun$10.08$11.08$10.08

26Cloudflare$10.46$10.46$10.46

...95 registrars cheaper than NameSilo

~96NameSilo 🤡$15.56$17.29$9.80

#96

Out of 130 registrars
.com register: $15.56
Bottom 26%

5.4x

More expensive than #1
Spaceship $2.90 vs NameSilo $15.56

95+

Cheaper registrars
All ICANN-accredited
Same product. Same TLD.

95 ICANN-accredited registrars sell .com cheaper than NameSilo. Not 5. Not 20. Ninety-five. Namecheap is 2.2x cheaper. Spaceship is 5.4x cheaper. Cloudflare is 1.5x cheaper. All sell the exact same product — a .com domain from the same Verisign registry. All include free WHOIS privacy. All are ICANN-accredited. So why does NameSilo have 5.8 million domains?

Their own comparison page is deliberately misleading.

On namesilo.com, the "NameSilo vs Other Registrars" comparison shows their $17.29 .com against Squarespace ($20.00), GoDaddy ($23.98), and Name.com ($17.99). But wait — those aren't even the real prices. On tldes.com, GoDaddy is $5.19 (not $23.98) and Name.com is $11.24 (not $17.99). NameSilo used inflated renewal/promo-excluded prices for competitors while showing their own registration price. Both GoDaddy and Name.com are actually cheaper than NameSilo at registration. They didn't just cherry-pick expensive competitors — they inflated the competitors' prices too. And they excluded Spaceship ($2.90), Namecheap ($6.99), Cloudflare ($10.46), Porkbun ($10.08), Dynadot ($8.99), and 100+ other cheaper registrars. This is not a comparison — it's marketing fraud. And they highlight "BULK DISCOUNTS" as a unique feature — because of course they do. Bulk discounts for bulk phantom purchases.

They also advertise "Over 150+ Payment Options Accepted". We counted. Their checkout page lists: Visa, Mastercard, Amex, Discover, JCB, Elo, UnionPay (7 cards), PayPal, Alipay, Venmo (3 web wallets), Bitcoin (1 crypto), and NameSilo Account Funds (1 internal). That's 12 payment methods. Not 150. We looked everywhere — no bank transfers, no wire, no other crypto, no invoice billing. Twelve. They inflated the payment count by 12.5x on their own website. The same way they inflate domain counts, revenue figures, and competitor prices. It's a pattern.

Source: tldes.com/com — independent price comparison, 136 ICANN-accredited registrars, live prices. Also cross-referenced with tld-list.com. Verify yourself — the data is public.

"Cheapest on the Internet" — across 12 TLDs

NameSilo's own claim: "we have the cheapest domain name registration prices on the Internet." Here's every TLD checked.

TLDReg $Renew $RankCheap $TotalCheapest is...

.com$15.56$17.29#96$2.90/130Spaceship 5.4x cheaper

.net$14.36$15.95#46$5.20/130Domain.com 2.8x cheaper

.org$9.71$10.79#33$4.62/129Unstoppable 2.1x cheaper

.xyz$1.79$15.79#8$0.98/118Renewal 8.8x registration!

.info$3.75$29.49#17$0.67/126Renewal 7.9x registration!

.io$31.49$69.99#9$14.98/113Spaceship 2.1x cheaper

.top$1.88$4.88#8$1.18/90Spaceship 1.6x cheaper

.app$15.29$16.99#21$4.98/90Spaceship 3.1x cheaper

.tech$7.99$68.99#41$1.53/118Renewal 8.6x registration!

.shop$1.99$38.99#21$0.85/98Renewal 19.6x registration!

.me$8.99$19.99#18$1.98/109Spaceship 4.5x cheaper

.club$1.19$19.49#1$1.19/116#1 for registration only. Renewal: #39 ($19.49).

11 of 12

TLDs where NameSilo is in the cheap half
Except .com — the one that matters

1 of 12

TLDs where NameSilo is #1
.club only. And renewal is #39.

19.6x

Worst renewal trap (.shop)
$1.99 register → $38.99 renew

The Renewal Trap — cheap registration, predatory renewal

NameSilo's "cheap" TLDs are a bait-and-switch: .shop $1.99 → $38.99 (19.6x), .tech $7.99 → $68.99 (8.6x), .xyz $1.79 → $15.79 (8.8x), .info $3.75 → $29.49 (7.9x). Register cheap, renew expensive. But dead domains don't renew — which is exactly the point. If you're buying domains to wash money, you only care about the $0.99 registration price. The $14.95 renewal never happens because the domain expires after 1 year. This is why 98% of dead .buzz domains are 1-year registrations.

NameSilo owns 19.8% of ALL .sbs domains on Earth

374,910 out of 1,895,100 global .sbs registrations are at NameSilo. One registrar holds one-fifth of an entire TLD. For context: NameSilo holds 1.1% of .com. The expected share for a "top 10 registrar" is 2-5% of any TLD. 19.8% in a single junk TLD from their named partner ShortDot is not market success — it's a captive pipeline.

.sbs: NameSilo 19.8% of 1.9M global — .vip: 4.1% of 1.8M — .xyz: 3.6% of 10.2M

.info: 3.3% of 6.5M — .top: 2.8% of 6.6M — .com: 1.1% of 186M

Not price. Not UX. Not support. Not ICANN. Then what?UX / price / support / reputation comparison+

Is it the UX?

✨

Namecheap
Modern UI, 2FA, real-time DNS, apps

⚡

Cloudflare
Best-in-class dashboard, zero-markup

💾

NameSilo
Windows 98. Their CEO admits it.

Is it the support?

We tested it. We sent the same abuse report (xmrwallet.com) to multiple registrars. Namecheap: responded and acted. WebNic, PDR, Key-Systems: responded and acted. NameSilo: ignored 20+ reports, publicly lied, offered VT delisting for the scammer, used Gold Checkmark to silence researchers. Their "24/7 Customer Service" (investor deck, slide 6) apparently does not extend to abuse victims.

Is it the ICANN accreditation?

Every registrar in this comparison is ICANN-accredited. That's literally the requirement to sell gTLD domains. There are ~2,500 ICANN-accredited registrars worldwide. NameSilo is not special. Trustname.com (IANA #4318) is also accredited — with €120 in revenue. ICANN accreditation is the domain equivalent of having a business license. It means you filled out the form. It does not mean you are trustworthy, affordable, or competent.

Is it the design? The brand? The reputation?

Their Wikipedia page is flagged as promotional. Their Forbes review is paid placement. Their Trustpilot has bot review patterns. Their admin panel looks like it was designed by the same person who orders SEO articles on Kwork for 500 rubles. Their CEO admitted they need a "complete UX overhaul" after seven years. Their Q1 and Q2 2025 press releases are identical copy-paste.

So why does NameSilo have 5.18 million domains?
Not price. Not UX. Not support. Not reputation. Not ICANN (everyone has it). Then what? The only explanation left is that most of these domains are not bought by real customers making rational choices. They are bought in bulk by unknown actors for unknown purposes — or by NameSilo from itself. Either way, the "5.8M active domains" number that drives the stock price is not what investors think it is.

Every single public-facing claim NameSilo makes is inflated, fabricated, or misleading:

Their claimRealityMethodInflate

"5.8M active domains"~958K activeCount phantoms as "active"6.1x

"150+ payment options"12 methodsCount card brands as "options"12.5x

GoDaddy "$23.98"$5.19Use renewal price, not register4.6x

Name.com "$17.99"$11.24Use inflated price1.6x

"No abuse reports"100+ receivedDelete and deny∞

"Domain compromised"Code never changedFabricate narrativeFiction

"Low cost leader"#96 of 130 (.com)Show inflated competitor pricesFraud

"Fastest growing"615% dead spikeCount phantoms as growthPhantom

This is not a company that lied once to protect a scammer and got caught. Lying is the operating principle. Every metric, every comparison, every public statement is engineered to show a number larger than reality. The xmrwallet cover-up wasn't an anomaly — it was the same reflex applied to an abuse report. Inflate, deny, deflect, cite ICANN accreditation, move on.

And this answers the original question: why does anyone "choose" NameSilo? Real customers making rational decisions don't choose NameSilo. 95 registrars are cheaper for .com. The UI is from 2008. The support ignores abuse. The only "customers" who need NameSilo are those who need: bulk registration with no questions asked, junk TLDs at $0.99, a privacy service that shields 109K malicious domains, and a registrar that will publicly defend you when you get caught. That's not a customer base. That's an arrangement.

The money comes from phantom domains. The phantom domains come from bulk buyers who don't exist as real businesses. The "revenue growth" comes from counting phantoms. The stock price comes from the revenue growth. Everyone in this chain gets paid. Except the investors. And the victims.

The Numbers Don't Lie

NameSilo (suspicious)

• 1.67M no IP at all + 1.15M on parking stubs = 2.82M DNS-dead

• Full economic analysis (age, MX, content, patterns): 4.22M dead

• Combined: ~4.22M out of 5.18M (81.5%) are dead domains

• $50M+ phantom revenue from dead registrations

• 96% no contact email

• 18% junk TLDs (.sbs/.cfd/.xyz)

• 7x spike in dead registrations 2023→2024

• P/E 143.8x (industry: 21x)

• Forbes: PAID review

• Wikipedia: PROMO flagged

• Trustpilot: bot reviews

Namecheap (how a real registrar works)

• 32.6% dead domains (industry baseline)

• Similar pricing, same market, same state (AZ)

• 93.5% no email (lower)

• 54% .com (legitimate TLD mix)

• Steady growth, no spikes

• Responds to every abuse report

• We worked with them directly — showed cloaked scam, they acted

• Modern, clean design

• Significantly larger — 24M+ domains

• No criminal resellers. No FSB connections.

• Organic press, clean Wikipedia, real reviews

• This is what a registrar looks like when it's not a front

NameSilo is 10 percentage points dirtier than its closest peer. This is not a business model difference. This is a red flag.

"But NameSilo is cheaper!" — Is it?

NameSilo's only selling point is price. Their own comparison page shows $17.29 .com against Squarespace and GoDaddy. Let's check the real numbers from tldes.com (independent comparison, 136 registrars):

TLDNamecheapNameSiloDifference

.com register$6.99$15.56+122%

.com renew$14.98$17.29+15%

.com transfer$11.08$9.80-12%

WHOIS privacyFreeFreeTie

Total domains24M+5.18MNC 4.6x

.com rank (of 130)#6#9690 places

Who owns .sbs and .cfd? Follow the money.

Registry ↔ Registrar — a partnership worth examining.

The junk TLDs filling NameSilo's dead domain graveyard — .sbs, .cfd, .icu, .cyou, .bond, .buzz, .qpon — are all owned by a single company: ShortDot SA, a Luxembourg-registered Société Anonyme (9 Rue Louvigny, L-1946). ShortDot operates 7 TLDs through CentralNic (London) as technical backend.

On their own website (shortdot.bond/about), ShortDot lists their key registrar partners. Out of "over 400 registrar partners", they name exactly six by name:

GoDaddy, Alibaba, GMO, Namecheap, NameSilo, Dynadot

NameSilo is one of six named partners of the company that owns the exact TLDs dominating their phantom domain portfolio. Now look at the timeline:

Apr 2024ShortDot acquires .sbs from Australian SBS Corporation (IANA record) Apr 2024ShortDot acquires .cfd from DotCFD Registry Ltd (IANA record) 2024NameSilo dead domain registrations spike 615% (67K → 485K) 2025Spike continues: 585K dead domains registered, 10K-17K/day

The economics of this partnership:

ShortDot sells .sbs/.cfd wholesale at ~$0.30-0.50/domain

    │

    ▼

NameSilo registers at $0.99 retail → keeps ~$0.50-0.70 margin

    │    + counts as "domain under management" for investors

    │    + inflates "revenue growth" in quarterly reports

    │    + dilutes scam ratio (more total = lower abuse %)

    │

    ▼

ShortDot reports "growing TLD adoption" to ICANN

    │    + justifies TLD acquisition costs

    │    + attracts more registrar partnerships

    │

    ▼

Both grow. Both report metrics. Nobody checks if domains are real.

NameSilo's ShortDot TLD share vs other registrars:

~11%

ShortDot TLDs at NameSilo
.sbs 7% + .cfd 4%

<0.2%

ShortDot TLDs at GoDaddy
statistical noise

<1%

ShortDot TLDs at Namecheap
normal range

These are not accusations. These are questions that demand answers:

1. Who is buying hundreds of thousands of .sbs and .cfd domains through NameSilo and never activating them?
2. Where is the money coming from? Show the payment records.
3. Does ShortDot know that their TLDs are being used as vehicles for phantom revenue at a named partner?
4. Why did the 615% dead domain spike coincide exactly with ShortDot's TLD acquisitions in April 2024?
5. Is ShortDot receiving payment for these registrations? From whom?

A named partnership. A synchronized timeline. A 55x concentration anomaly. A 615% spike in phantom registrations. If this is a coincidence, it is the most expensive coincidence in the history of domain registration.

Sources: shortdot.bond/about (partner list), IANA .sbs delegation, IANA .cfd delegation, PhishDestroy 130M domain analysis.

And then there's njal.la (Njalla) — a privacy-focused registrar whose domains resolve under NameSilo's ICANN accreditation (check any WHOIS). Their pricing: €15/year for .com, €30/year for junk TLDs (.sbs, .cfd, .cyou, .xyz, .homes — the exact TLDs filling NameSilo's dead domain graveyard). That's 2× to 30× more than what NameSilo charges retail for those same TLDs. Why would anyone pay €30 for a .sbs that costs $0.99 direct? You wouldn't — unless the point isn't the price. The point is the privacy layer. Njalla registers on your behalf, their name on WHOIS, your identity hidden. For legitimate privacy? Maybe. For scam domains that need to survive abuse reports? Perfect. And when the abuse report arrives, NameSilo says "that's njal.la, not us" — while WHOIS says NameSilo, LLC on every single domain.

Namecheap — 24M+ domains

• 2.2x cheaper for .com ($6.99 vs $15.56)
• Modern panel, 2FA, real-time DNS
• Abuse reports: same-day action (we verified)
• Clean Trustpilot, organic Wikipedia
• No dead domain spikes
• No FSB connections
• 4.6x more total domains (~19x more active)
• Lower dead rate (32.6% vs 81.5%)
• Real customer base: ~18.6M active

NameSilo — 5.18M domains

• 2.2x more expensive for .com ($15.56)
• Panel from the Win98 era (see recreation)
• Abuse reports: auto-deleted (100+ ignored)
• Bot Trustpilot, promo Wikipedia
• 615% spike in phantom registrations
• VT delisting service for scammers
• 81.5% dead domains
• 99.65% zero confirmed traffic
• Real customer base: ~958K active

Namecheap is 2.2x cheaper for .com (#6 vs #96), 4.6x bigger, has a modern UX, responds to abuse, and doesn't trade at P/E 143.8x. Adjusted for phantoms, Namecheap's real customer base is ~19x larger. The "NameSilo is cheaper" narrative is not just wrong — it's the opposite of reality. NameSilo is one of the most expensive registrars in the world for .com. Where they ARE cheapest is .sbs at $0.99, .cfd at $0.99 — their ShortDot partner's TLDs that fill the dead domain graveyard.

If NameSilo really is just a discount registrar — where are the customers? Same market, similar pricing, one has 19x more real users. The answer is in the pyramid above: 99.65% of NameSilo's portfolio has zero confirmed traffic. 58 domains in Tranco top 10K. Fifty-eight. The price isn't the product. The phantom domains are the product.

Why would a registrar buy domains from itself? — 4 reasons + investor questionsmoney laundering analysis+

Why would a registrar buy domains from itself?

1. Money laundering. Stolen crypto → Bitcoin → domain purchases at your own registrar. The registrar reports "revenue." The money is clean. Up to $50.8M/year in phantom profit. No questions asked because who audits domain registrations?

2. Ranking inflation. ICANN rankings, industry reports, and press coverage use "domains under management" as the primary metric. More domains = bigger registrar = more trust = more real customers. NameSilo claims "top 10 registrar" status with 6.26M domains. How many are real? If 81.5% are dead, the real active base is ~958K. That's not top 10. That's mid-tier at best.

3. Revenue inflation for stock price. NameSilo Technologies trades at P/E 143.8x. Revenue grew 18.5% in 2025. But how much of that growth is phantom domains? Inflated revenue = inflated stock = real money for insiders selling shares. This is textbook securities fraud if the domain purchases are self-dealing.

4. Diluting the scam ratio. This is the clever part. If 5% of your domains are involved in scam/phishing/fraud, that looks terrible. But if you buy 2 million dead domains from yourself, suddenly scam domains are only 0.5% of your total. "We have 6 million domains and only a tiny fraction are problematic." The dead domains are a smokescreen — statistical noise to make the abuse percentage look smaller than it is.

All four benefits come from the same action: buy domains from yourself. Launder money. Inflate rank. Inflate stock. Dilute the scam ratio. One move, four wins. Who's checking?

A question for NameSilo Technologies investors

CSE: URL · OTC: URLOF · C$1.44 · Market cap: C$133M · Shares: 92.6M · CEO: Paul Andreola

Q3 2025: Revenue C$16.9M (+17.9%) · Net income C$1.15M (+135%) · Cash: C$2.4M · Deferred rev: C$33M

For NameSilo shareholders:

You bought shares in a company with a P/E of 143.8x — 7x the industry average. Do you know that 81.5% of the domains you're paying for are dead or empty? 4.2 million domains that nobody uses. Your company's "6.26 million domains under management" is really about 958,188 active domains. The rest is either phantom registrations or parking page filler. The "18.5% revenue growth" in 2025 — how much of that is real customers, and how much is bulk dead-domain purchases that inflate the top line?

Your company publicly defended a $100M+ theft operation. Your company offered to remove VirusTotal security detections for a known crypto drainer. Your company used paid platform access (X Gold Checkmark) to silence the researchers who exposed it. Your company's CEO signed off on a tweet containing 4 statements contradicted by evidence. Is this what you invested in? Did you know? Do you know now?

If the dead domain purchases are self-dealing — which the data strongly suggests — then the revenue figures in NameSilo's financial statements are materially misleading. That's not a registrar problem. That's a securities fraud problem. CSE, OSC, and SEC should be asking questions. Shareholders should be demanding an independent audit of domain registration sources. Who is buying 10,000+ domains per day with no intent to use them? Where is the money coming from? Follow the money.

5. The affiliate excuse. NameSilo will claim their Forbes and other "reviews" are affiliate partnerships — just like the xmrwallet operator claims "donations" fund his operation. Technically, some links in those articles use affiliate tracking. But others link directly — no tracking, no commissions. Someone is buying reviews of themselves without even bothering to earn referral fees. The point isn't the affiliate cut. The point is purchased legitimacy.

Adjusted Financials

Strip the Phantoms — What Is NameSilo Actually Worth?

Take the reported numbers. Remove 81.5% dead domains. See what's left.

MetricReportedAdjustedDelta

Domains6.26M~958K-84.7%

Annual revenueC$65.5M~C$12M-81.7%

Revenue/domainC$10.46C$12.53+19.8%

Net income (ann.)C$4.6M<C$1M-80%+

P/E ratio143.8x>700xabsurd

Market capC$133MC$133Movervalued 10x+

Registrar rank"Top 10"Mid-tier~6x inflated

Methodology: "Adjusted revenue" = reported revenue × (active domains / total domains). Active = 958,188 (HTTP alive with content). This is conservative — some "alive" domains are still speculative or parked. Net income adjusted proportionally. P/E = market cap / adjusted net income. Revenue/domain increases because real customers pay more than bulk junk TLD buyers.

REPORTED TO INVESTORS

C$65.5M

"Fastest growing registrar"

REAL BUSINESS (PHANTOMS STRIPPED)

~C$12M

A small mid-tier registrar, overvalued 10x

C$53.5M per year — the gap between reported and real. That's not rounding error. That's not market fluctuation. That's not "different accounting methods." That's either the biggest bulk-buying customer in registrar history who generates zero traffic — or it's fraud. There is no third explanation. CSE, OSC, SEDAR+ — this gap should trigger an independent audit. It hasn't. Yet.

Corporate Structure — Why Canada? Why CSE? Why Arizona?dual-jurisdiction analysis+

Corporate Structure

Why Canada? Why CSE? Why is the business in Arizona?

The corporate structure is not an accident. It's a feature.

NameSilo Technologies Corp

Canada — holding company
Trades on CSE: URL (Canadian Securities Exchange)
OTC: URLOF
CEO: Paul Andreola
CFO: Natasha Tsai (signs the phantom numbers)

NameSilo LLC

Phoenix, Arizona — actual registrar
ICANN-accredited (IANA #1479)
CEO: Kristaps Ronka (18.5% owner)
Accepts Bitcoin. No KYC. Generates the "revenue."

Why this structure exists:

1 CSE is the weakest major exchange. Minimal listing requirements, minimal scrutiny. Where cannabis companies, crypto shells, and junior miners list when they can't get on TSX or NYSE. A P/E of 143.8x would trigger immediate analyst attention on any serious exchange. On CSE — nobody asks.

2 Dual jurisdiction = investigation nightmare. FBI wants to investigate → "it's a Canadian company, go to RCMP." RCMP wants to investigate → "operations are in the US, go to FBI." SEC doesn't regulate — company is Canadian. OSC (Ontario Securities Commission) has fewer resources than SEC. Each jurisdiction points to the other.

3 Business must be in the US for ICANN accreditation, US payment processors, and American customers. But the holding company is in Canada because Canadian securities regulation is softer, CSE doesn't ask hard questions, and insider stock sales are easier.

4 The money flows across the border. Dirty money enters as Bitcoin in Phoenix (domain purchases). "Clean revenue" is reported in Canada (CSE filings). Stock is sold on Canadian exchange. Two countries, two regulatory systems, one gap in the middle.

Al Capone kept his business in one state and his banks in another. Same logic, different century.

Canada's regulatory gaps — by design

Crypto & Registrars

Canada tightened AML for crypto exchanges (FINTRAC, Travel Rule from 2026). But an ICANN registrar accepting Bitcoin for domains is not an MSB (Money Services Business). Buying a domain is a goods transaction, not a financial service. The registrar is not required to run exchange-level KYC or file SARs (Suspicious Activity Reports) per BTC transaction.

Privacy Laws (PIPEDA + Quebec)

In Canada — especially Quebec — personal data protection is stronger than in the US. Until recently, there was no public beneficial ownership registry. You couldn't simply look up who's behind a company. To deanonymize a "private citizen" you need a criminal subpoena, not a civil discovery request or regulatory inquiry.

The Corp + LLC structure is legal — thousands of companies use it. FINTRAC/OSC are real regulators, but their resources are dwarfed by SEC/FBI. The risk appears only when you combine legal corporate structures with phantom operations — which is exactly what the data shows.

"Nathalie Roy" — not a brand for victims. A regulatory shield for the operator.

The xmrwallet operator chose a specific identity construction: a Canadian female volunteer running a non-commercial open-source project. This is not random. It's a regulatory strategy:

Legal StatusObligationsExposure

Corp / LLCRegistration, taxes, AML, reporting, beneficial ownership disclosureHigh

"Private individual"No license, no registry, privacy laws protect, no MSB obligationsLow

In 2014–2019, crypto wallets operated by "private individuals" did not fall under MSB regulations. Canadian/Quebec privacy laws shielded personal identity without corporate transparency. The "volunteer" + "non-commercial" combination provided exemption from AML/KYC obligations. A "donation-based volunteer project" was a regulatory grey zone that FinCEN and FINTRAC did not aggressively cover.

If the operator had registered as "XMRWallet Ltd." or used a male Eastern European name — regulators would have investigated by 2016–2017. A "Canadian female volunteer" was a status that regulators ignored until it was too late. The identity doesn't exist as a business. That's exactly why the scheme worked for 10 years.

"Nathalie Roy" is not a person. It's a legal construct optimized for regulatory evasion.

Integration Phase

Why Sewer Pipes? Why Underwater Cameras? Why Mexican Taxi Ads?

NameSilo's "diversification" makes no business sense — unless you understand the three phases of money laundering.

PHASE 1: PLACEMENT

Dirty money → domain purchases
Bitcoin accepted, no KYC
$26.5M/year entering

PHASE 2: LAYERING

Domains → "revenue" → stock price
$1 cost → $2.92 on paper
$50.8M phantom profit

PHASE 3: INTEGRATION

"Profits" → buy real companies
Now you own real assets
Laundering complete

Phase 3 is the EXIT. You can't sit on $50.8M phantom profit forever. You need to convert paper money into real assets:

$2.45M → SewerVUE Technology (sewer pipe inspection robots)

$1.60M → Ola Media (Uber screens in Mexico)

LOI     → Reach Systems (underwater cameras & cable winches)

???     → Atlas Engineered, Alchemy Labs, Cheelcare, Allur Group

All purchased with "legitimate profits" from a registrar where 81.5% of domains are dead.

And the more random the acquisitions, the better the cover. If they only bought domain companies, the pattern would be obvious. But sewer pipes + underwater robots + Mexican taxi ads? That looks like an eccentric CEO "diversifying." Nobody investigates a sewer pipe company for money laundering connections. That's the point.

Al Capone had laundromats. NameSilo has sewer pipes.
Different century, same logic: push dirty money through a business, buy real assets, look legitimate.

The unanswered questions

Who owns xmrwallet.com?
Why did NameSilo risk everything to protect them?

xmrwallet.com stole far more than $20 million in Monero over a decade. The real total is likely 5x higher. Other victims have contacted us with their losses. The theft mechanism is documented down to 8 PHP endpoints and Google Analytics tracking.
NameSilo's public tweet contained 4 statements contradicted by evidence — each debunked in detail above with SHA-256 hashes and the operator's own emails.
NameSilo blamed "resellers." There are no resellers. Direct registration.
Is the operator a friend? An employee? A business partner? What possible reason does a US ICANN-accredited registrar have to publicly lie, destroy their own credibility, and use paid platform access to silence researchers?
NameSilo — are you truly claiming you never received a single abuse report before ours? We have 20+ delivery receipts. The real total from all reporters is likely over 100. Do you know how much this site stole in just the last 3 years?

Suppression Log

Documented Suppression & Censorship Attempts

The operator kept victims silent for a decade. Then he tried it on us. We documented it all before it happened.

Twitter / X

Gold Checkmark corporate support used to lock @Phish_Destroy. X reviewed: "no violation." Still locked.

Bing Search

All phishdestroy.io results removed from Bing. Complete erasure from Microsoft search.

GitHub

False DMCA takedowns against repos. Operator deleted Issues #35 & #36 with victim reports.

Trustpilot

100+ victim reviews removed through automated moderation abuse.

Google / DMCA

DMCA requests against Google search results, domains, hosting. Anything reportable gets reported.

SEO Burial

50+ paid articles via Kwork, Freelancehunt, intermediaries. Orders indexed on Google Drive.

YouTube

Technical analysis videos reported and removed. Researchers demonstrating the theft silenced.

BitcoinTalk

Coordinated reporting against warning threads. Community discussion suppressed.

Gov Emails

Government email addresses used to file fraudulent abuse reports on platforms.

DDoS-Guard

"Open source" wallet on bulletproof hosting. GitHub code ≠ production code. Anti-analysis infrastructure.

Report buttons, DMCA systems, freelance marketplaces — every available mechanism has been weaponized for suppression. This is a decade-long strategy — not an accident. The operator and NameSilo are on the same side. The case file is with ICANN Contractual Compliance and federal law enforcement.

Prosecution Brief

The Case for Money Laundering

Not a theory. Not speculation. A chain of evidence that leads to one conclusion.

Dead domains by registrar — NameSilo 81.5% vs industry average 25-32%

NameSilo 81.5% dead vs Namecheap 32.2%, GoDaddy 28.0%. Only NiceNIC (85.0%) is worse.

1

STEAL

xmrwallet.com hijacks Monero transactions for 8+ years. Estimated $100M+ stolen. Funds are in XMR — untraceable by design.

2

CONVERT

XMR → BTC via DEX/mixers/OTC. Untraceable step. Output: Bitcoin in anonymous wallets.

3

WASH

Buy domains in bulk at NameSilo. NameSilo accepts Bitcoin. No identity verification required. 10,000-17,000 domains/day. Junk TLDs at $0.99 each from their ShortDot partner. No WHOIS contact. No email. No phone. The domains are never activated — the purchase IS the purpose.

4

REPORT

NameSilo books the purchases as legitimate revenue. C$65.5M/year. "Fastest growing registrar." "6.26M domains under management." Files quarterly earnings on SEDAR+. Stock trades on CSE (URL) and OTC (URLOF). P/E 143.8x. Phantom domains become phantom revenue becomes real stock price.

5

CASH OUT

Insiders sell shares on a public exchange. Clean money. Kristaps Ronka (18.5% owner, LLC CEO) holds ~17M shares. Paul Andreola (parent company CEO) has board control. The stolen crypto has been transformed into Canadian stock market equity. The laundry is complete.

Suspected money laundering flow — XMR to stock market

Full pipeline: stolen XMR → crypto conversion → bulk domains → "revenue" → CSE:URL stock

The Bitcoin On-Ramp

NameSilo accepts Bitcoin as payment. This is not a technical detail — this is the on-ramp. The laundering pipeline is: stolen XMR → BTC (via DEX/mixers) → domain purchases at NameSilo → "revenue." The entire chain from theft to clean money requires zero identity verification. No KYC. No bank. No wire transfer. Just Bitcoin to domains to stock price. They don't even accept Monero — which is strange for a registrar that protects the world's largest Monero theft operation. Or maybe not strange at all: accepting XMR directly would be too obvious. The BTC step is the mixer.

The Math — Dead Domain Economics$26.5M/yr wholesale on dead domains. $3.2M-$12M+ spent on domains never activated. Source of funds: unknown. Payment: Bitcoin accepted, no KYC.

Financials +

The Math

Dead domains (2024):485,000 (615% spike from 67K in 2023)
Dead domains (2025):585,000 (10K-17K/day runs)
Avg cost per domain:$0.99 - $3.00 (junk TLDs: .sbs, .cfd, .xyz)
Annual spend (low):$579,150 (585K × $0.99)
Annual spend (mid):$1,755,000 (585K × $3.00)
Cumulative dead total:1,668,355 domains with no IP address
Estimated total spend:$3.2M - $12M+ on domains that were never activated
Source of funds:UNKNOWN — no WHOIS, no email, no phone, no org
Payment method:Bitcoin accepted. No KYC required.

Someone is spending millions of dollars per year to buy domains they never use, from a registrar that accepts Bitcoin and asks no questions, and nobody knows who they are. This is either the worst investment in internet history or a money laundering operation.

10 Questions for the InvestigationFor FBI, FinCEN, Arizona AG, CSE/OSC, ICANN Compliance — anyone with subpoena power. Every question answerable with one subpoena.

FBI +

01 Show the payment records for the 585,000 dead domains registered in 2025. Who paid? From which wallets, cards, or accounts? Through which payment processor?

02 How many domain purchases were paid in Bitcoin? What is the total BTC amount? Were any of those transactions traced to mixers, DEXs, or known illicit wallets?

03 How many unique customers are responsible for the 10,000-17,000 daily dead domain registrations? Is it 10,000 people buying 1 domain each, or 3 accounts buying 5,000 each?

04 Do any of those accounts belong to NameSilo employees, officers, or related parties? To Kristaps Ronka? To Paul Andreola? To any entity controlled by them?

05 What is the relationship between NameSilo and ShortDot SA? Is there a revenue-sharing agreement? A volume commitment? A financial relationship beyond standard registrar-registry terms?

06 Subpoena NameSilo's abuse ticket system. How many abuse reports about xmrwallet.com were filed between 2018 and 2026? Compare to their public claim of "no reports received." The gap is the measure of perjury.

07 Who authorized the VirusTotal delisting offer to the xmrwallet operator? Was this a one-time courtesy, or does NameSilo routinely help flagged domains clean their security records?

08 Has NameSilo filed any Suspicious Activity Reports (SARs) with FinCEN regarding the bulk dead domain purchases? If not, why not? 585,000 domains/year with no business purpose from anonymous buyers is textbook suspicious activity.

09 What percentage of NameSilo's reported C$65.5M revenue comes from domains that were never activated? Provide the exact number. Then explain to the CSE, OSC, and investors why this wasn't disclosed as a risk factor.

10 Trace the Bitcoin payments. Blockchain analysis firms (Chainalysis, Elliptic, TRM Labs) can determine whether BTC used to purchase NameSilo domains originated from XMR-BTC swaps, mixing services, or wallets linked to known criminal activity. This is one subpoena and one Chainalysis report away from answers. Do it.

Every one of these questions can be answered with a single subpoena.
The only reason they haven't been answered is that nobody has asked.

Updated Analysis

The Money Laundering Machine — How It Actually Works

A car wash that washes 10 cars a day but reports 100. Where does the money for 90 phantom cars come from? NameSilo is the same — except instead of cars, it's domains. 4.2 million phantom "washes" that don't exist.

Dead Domains

4,221,217

81.5% of all NameSilo domains

Est. Retail Value

$77.3M

At list prices. Actual revenue: C$65.5M

Paper Profit

$50.8M

$1 in → $2.92 "revenue" out

How the scheme works — step by step

STEP 1: You have $100K in dirty money

STEP 2: Create accounts via PrivacyGuardian

        Each looks like a real client: [email protected]

STEP 3: Buy 10,000 .sbs domains at $14.95 = $149,500 "revenue"

STEP 4: Real cost: 10K × $0.68 wholesale + $0.18 ICANN = $8,600

STEP 5: Books show: Revenue $149,500 − Cost $8,600 = $140,900 "profit"

        The "client" is yourself. You paid $149,500 dirty

        → received $140,900 clean "business income"

Why this works perfectly:

1. PrivacyGuardian hides the buyer

Every domain registered to pw-{hex}@privacyguardian.org. Impossible to prove the "client" = NameSilo itself. 3M+ PG-protected domains.

2. Domains are the perfect product

Digital, no warehouse, no shipping, no trace. Cheap wholesale, expensive retail. Millions of units — easy to hide thousands of "your own" among real ones.

3. Cheap TLDs = maximum multiplier

.cyou: $0.48 → $14.95 = 31x
.sbs: $0.68 → $14.95 = 22x
.cfd: $0.68 → $14.95 = 22x
.icu: $0.98 → $14.95 = 15x

4. Scale makes it invisible

5.18M domains — who checks each one? Real customers mixed in as cover. 4,260 new dead domains per day in 2025.

The economics of laundering through NameSilo

DAILY SPEND

$72,645

on dead domains

DAILY "REVENUE"

$211,807

booked on paper

ANNUAL COST

$26.5M

to registries

ANNUAL "PROFIT"

$50.8M

phantom margin

The dead domains dominate the economics. At estimated retail prices, dead domain registrations represent $77.3M in value (wholesale cost: $26.5M, paper margin: $50.8M). NameSilo's actual reported revenue is C$65.5M (~US$48M) — the gap reflects bulk discounts and junk TLD pricing. Either way, the vast majority of revenue comes from domains nobody uses. The tail wags the dog.

Laundering cost:

Dirty $100,000 →

  $4,500 goes to registries (4.5% fee)

  $95,500 becomes "clean business income"

Standard money laundering rate: 10-30%

NameSilo's rate: 4.5% via cheap TLDs

This is extremely cheap laundering.

Evidence that this is exactly what's happening

81.5% of domains are dead Real clients don't pay for empty domains

99.65% have zero traffic Who pays $17/yr for .com without a site?

19.8% of ALL .sbs = NameSilo One registrar = 1/5 of entire TLD

1.5M new domains in 2025 (4,260/day) Organic growth doesn't look like this

PrivacyGuardian on 3M+ domains Perfect cover — buyer is anonymous

ShortDot TLDs: 732K domains All from one registry — possible kickback

$26.5M/year on dead domains Who pays $26 million for nothing?

NameSilo is a digital car wash.
4.2 million phantom cars. $50.8 million in phantom profit.
And the only "soap" they use is a $0.68 wholesale domain from their own partner.

Follow the Money — C$65.5M revenue breakdown, phantom domains, cohort analysisfinancial deep-dive+

Financial Analysis

Follow the Money — Who Pays and For What?

C$65.5M revenue. 5.18M domains. Let's see how much is real.

Revenue Breakdown by SegmentDead (32.2%) + Parking (22.3%) + Unknown (17.4%) + Business (0.7%) + Real traffic (0.35%). Full table inside.

Data +

SegmentDomains%Est. RevenueWho?

Dead (no IP, never activated)
1,668,355
32.2%
~$2.5M
???

Parking stubs (Sedo/CF/Shopify)
1,153,281
22.3%
~$5.8M
Speculators?

HTTP alive, no business identity
~903,000
17.4%
~$7.2M
Personal?

HTTP alive + some org/business
~37,000
0.7%
~$0.4M
Micro-biz

Top-million (has real traffic)
17,875
0.35%
~$0.2M
Real clients

Tranco top 10K (major sites)
58
0.001%
~$870
Actual brands

IDENTIFIABLE REAL CLIENTS

~$8M

Top-million + businesses + personal sites
~17% of total revenue

GRAY ZONE

~$32M

Parked, speculative, unknown purpose
~67% of total revenue

UNEXPLAINABLE

~$8M

Dead domains, zero activity, no owner
Pure phantom revenue

The Client Problem

If NameSilo's 5.18M domains belong to real customers making real purchases — where are they?

Real customers would have:

• Working websites (only 18.5% respond to HTTP)
• Contact emails (96% have none)
• Business identity (1.06% have org name)
• Measurable traffic (0.35% in top-million)
• Reason to pick NameSilo over 95 cheaper options

NameSilo's "customers" have:

• No website (81.5%)
• No email (96%)
• No business name (98.9%)
• No traffic (99.65%)
• Gibberish domain names on .sbs/.cfd
• Registered 10,000-17,000/day in bulk runs

Who are these "customers"? They have no website. No email. No business. No traffic. They buy domains they never use, on TLDs nobody wants, at a registrar that's more expensive than 95 alternatives. They register in bulk — 10,000-17,000 per day — in patterns consistent with automated purchasing. And they pay with Bitcoin, which requires no identity verification.

These aren't customers. Customers use what they buy. These are transactions. The domain is not the product — the transaction is the product. The purpose of buying 585,000 dead domains per year is not to have 585,000 websites. It's to move money from point A (anonymous crypto wallet) to point B (NameSilo revenue line) and make it look like a legitimate business transaction.

Revenue per real domain — the smoking gun

NamecheapNameSilo
Total domains:24M+5.18M
Dead domain rate*:32.6%55.7%
Est. active domains:~18.6M~2.36M
Revenue:~$180M USD~$48M USD
Revenue per TOTAL domain:$7.50$9.27
Revenue per ACTIVE domain:$9.68$20.34

* Dead-domain metrics in this report (same 5.18M dataset): 32.2% = no DNS/IP. 54.2% = provably dead/parked (no DNS + Sedo + CF parking + Shopify unconfigured). 55.7% = dead rate used for Namecheap-comparable baseline (no IP + no Majestic rank, 99.86% of NameSilo domains have zero rank). 81.5% = full economic analysis with HTTP probes, age, MX, content, patterns. Full breakdown · Rank data

NameSilo makes $20.34 per active domain. Namecheap makes $9.68. NameSilo generates 2.1x more revenue per real customer than Namecheap — while being a smaller, more expensive (for .com: $15.56 vs $6.99), less popular registrar with worse UX. How? Because the phantom domains aren't free. Someone is paying $8-10M/year for domains that generate zero value. That money inflates the revenue line while the "customer" gets nothing — because the customer doesn't exist, or the customer IS NameSilo.

Born Dead — NameSilo vs Namecheap + Forbes Fact-Check + Full AnalysisDomain comparison, pricing tables, Forbes critique, BBB complaints, self-phishing, ShortDot, ICANN, open letters.

Deep Dive +

Why we compare with Namecheap — and an apology to them

We want to be transparent about why Namecheap was chosen as the baseline, and to emphasize: this comparison is not intended to discredit Namecheap in any way. We used only publicly available data.

Why Namecheap specifically: Our initial research into NameSilo began from an anti-phishing report where both registrars appeared. What stood out were the shared characteristics: accessible API for bulk registration, cryptocurrency payments accepted, Arizona incorporation, and both among the top registrars by domain count. We wanted the closest possible comparison — same market segment, similar scale, similar features.

What we found: Namecheap is an example of how a registrar should handle abuse reports — responsive, transparent, and effective. The contrast with NameSilo's conduct only became more striking the deeper we looked. Namecheap's dead domain rate (32.2%) is within normal industry range. NameSilo's (81.5%) is not. We apologize to Namecheap for any inconvenience this comparison may cause — the data speaks in their favor.

Baseline Comparison

Domains Born Dead — NameSilo vs Namecheap

Same methodology, same data format. Namecheap (24M domains) as industry baseline. If NameSilo's dead domains were "normal" — the rates would match. They don't.

Age Cohort Comparison TableNameSilo vs Namecheap dead rate by domain age. NameSilo exceeds baseline in every cohort. 615% spike in 2024.

Data +

Age CohortNC DeadNS DeadDeltaExcessPattern

0–30 days
25.4%
59.5%
+34.1pp
43,758
██████

1–3 months
25.0%
61.7%
+36.7pp
100,694
███████

3–6 months
25.7%
61.7%
+36.0pp
177,560
███████

6–12 months
27.5%
51.6%
+24.1pp
257,766
█████

1–2 years
41.1%
65.4%
+24.4pp
423,747
█████

2–5 years
30.3%
40.5%
+10.1pp
64,859
██

5+ years
32.0%
46.0%
+14.0pp
116,902
███

TOTAL
32.6%
55.7%
+23.0pp
1,201,304

Namecheap (normal registrar)

Fresh: 26% dead
Mid-life: 38% dead
Mature: 32% dead

LOW → HIGHER → LOWER — normal lifecycle. Domains start alive, some die mid-life from abandoned projects, survivors stabilize.

NameSilo (anomaly)

Fresh: 56% dead
Mid-life: 59% dead
Mature: 46% dead

HIGH → HIGH → HIGH — flat across all ages. Domains are born dead and stay dead. The gap narrows with age only because older cohorts predate the 2024-2025 bulk ramp-up.

EXCESS DEAD DOMAINS

1,201,304

above industry baseline

EXCESS FAKE REVENUE

$22.0M

annual phantom income

EXCESS PAPER PROFIT

$14.5M

money from nowhere

This is not "normal dead domain rates." We controlled for it. Even if you accept that every registrar has dead domains — NameSilo has 1.2 million MORE dead domains than you'd expect from a registrar this size. Those 1.2M excess dead domains generate $22M/year in fake revenue. That's not neglect — that's a 23 percentage-point gap above the baseline, concentrated in domains under 2 years old.

The killer stat: NameSilo's dead rate for domains under 30 days old is 59.5%. Namecheap's is 25.4%. At NameSilo, 6 out of 10 domains are dead within their first month of life. These domains were never intended to be websites. They were born dead. They exist only as revenue line items.

New domain registrations per year (all NameSilo)

   63,882 █

   82,009 █ +28%

   94,594 ██ +15%

  109,918 ██ +16%

  193,726 ████ +76%

  616,014 ████████████ +218%

1,555,424 ██████████████████████████████ +152%

1.5M new domains in 2025 (4,260/day) — 99%+ have no traffic. Growth correlates with spending on registry fees, not customer acquisition. This is not organic growth. This is a budget increase.

What Do These "Domains" Look Like?

We analyzed 1,669,111 dead domains from the 5.1M dataset. Here's what "customers" are buying:

TLDDeadGibberishGib %1-YearSample names

.vip26,06218,19870%14,29102410010.vip, 07261.vip, 09085.vip

.lol15,7259,47760%2,361128012.lol, 1234.lol, 025.lol

.xyz141,10882,77159%74,783000000004.xyz, 000001001.xyz

.mom10,1885,76757%3,783168.mom, 1688.mom, 288.mom

.top58,26423,76641%37,4360005551.top, 00142.top, 00219.top

.buzz17,2586,48538%16,9191xbet-djjj.buzz, 1xbet-vms2.buzz

.sbs91,82334,31637%32,00302g740c6.sbs, 0499777com06xl03.sbs

.cfd84,06720,33824%33,1610000660033aa.cfd, 000077700881qq.cfd

.com782,55999,11613%148,6200-www.com, 00003test.com, 0000yh5.com

378,547

Gibberish names
22.7% of all dead domains
Random strings, hashes, numbered sequences

522,288

1-year registrations
31.3% of dead domains
Bought for exactly 1 year. Never renewed.

98%

.buzz 1-year rate
16,919 of 17,258 dead .buzz domains
ShortDot TLD. One-time purchases.

The registration spike is not gradual growth — it's an explosion:

 46,475 dead registered

 67,946 dead registered  +46%

485,859 dead registered  +615% ████████████████████████

585,595 dead registered  +21% █████████████████████████████

145,298 (4.5 months, annualized ~387K)

These are not domain names. These are transaction IDs. 0499777com06xl03.sbs is not a business. 000000004.xyz is not a brand. 1xbet-djjj.buzz is a gambling phishing domain. 378,547 gibberish names. 522,288 bought for exactly one year and abandoned. No real customer buys 02g740c6.sbs for $0.99, uses it for zero days, and lets it expire. This is automated purchasing with no human intent behind it — except the intent to move money.

C$65.5M revenue with 58 domains in the global top 10,000.
Namecheap has 24M domains and thousands in top-10K. GoDaddy has 80M+. NameSilo has 58.
Where is the money coming from? Not from the 58 real websites. Not from the 17,875 with measurable traffic.
$48M/year from a customer base that is 99.65% invisible.

And a final question: a company with C$65.5M revenue and C$133M market cap can't afford to update a UI that looks like Windows 98? Actually — in their Q3 2025 earnings release, NameSilo LLC CEO Kristaps Ronka admitted they "began a complete UX/UI overhaul using seven years of customer learning." Seven years. It took seven years of customers fleeing to Namecheap before someone noticed the panel looks like a GeoCities page from 1998. But here's what they did with the money instead of fixing UX: they acquired SewerVUE Technologies — a company that inspects sewer pipes with radar. A domain registrar that protects $100M theft operations and inspects sewage. You cannot make this up. See our faithful Win98 recreation of the NameSilo experience →

And then there's the parking IP problem.

Of the domains that DO have an IP address, 36.7% point to just 10 IP addresses — all parking/stub pages. The top IP alone (Sedo parking: 91.195.240.123) hosts 522,466 NameSilo domains. Another 646,381 domains sit on known parking infrastructure. These aren't websites. These are placeholder pages displaying generic ads.

522,466 → Sedo parking (91.195.240.123)

484,719 → Cloudflare default (188.114.96.3 + 188.114.97.3)

82,563 → Shopify default page (23.227.38.65)

63,532 → NameSilo own parking (64.190.62.22)

= 1.15M domains on stub IPs out of 3.5M with DNS

So: 1,668,355 domains (32.2%) have no IP at all — completely dead. Of the 3.51M that DO resolve, 1,153,281 (33%) point to parking/stub IPs. Combined total: ~2,821,636 domains (54.4%) out of 5,179,405 are not real websites. More than half. And that's just DNS. Our full economic analysis—factoring in age, MX records, content, and registration patterns—puts the real dead rate at 81.5% (4,221,217 domains). Over $50M in phantom revenue.

The real active customer base of NameSilo is approximately 958,188 domains — not 5.18M as they claim. Their "top 10 registrar" status is built on phantom registrations. We're not the tax authority. But this is textbook money laundering infrastructure — anonymous buyers, cryptocurrency payments, zero activation, inflated revenue. FinCEN has issued guidance on exactly this pattern. Nobody is following it.

The operator phishes himself — self-cloning scheme + bait infrastructuretechnical breakdown+

The operator phishes himself. Yes, really.

A note before we continue: many security colleagues wanted to join this investigation. We deliberately refused all help to protect them from retaliation. Every suppression attempt they make creates more evidence and another line on their criminal resume.

Now — the self-phishing scheme. When we presented our technical analysis, the operator's first response was: "you visited a phishing site." Yes. We know. His site IS the phishing site. But here's the twist: the operator creates phishing copies of his own scam site and then blames victims for visiting "phishing."

There are real third-party phishing copies (such as xmrwallet.app, likely operated by independent scammers). But the operator's own domains — xmrwallet.biz, xmrwallet.me, xmrwallet.net, xmrwallet.cc — share the same code structure, same backend, same WHOIS patterns. These are operator-controlled mirrors, not external phishing. His defense of "you visited a phishing clone" relies on blaming domains he himself controls.

And where were these self-phishing domains hosted? On njal.la — a NameSilo reseller. The same njal.la whose API NameSilo disabled. The same ecosystem. When the "blockchain syncing" excuse got debunked by the official Monero project, these geniuses pivoted to: "it's not us, it's phishing copies targeting us!" Except the phishing copies are hosted on their own partner's infrastructure, use the same code, and connect to the same DDoS-Guard / IQWeb backend.

The Russian-speaking scammer behind this is known in the community — check keplr.at and related domains. Same actor, same methodology, multiple sites. We always do public scans (we noticed they started using URLscan — but for users with a Pro subscription, everything is accessible). Compare the code of xmrwallet.app with xmrwallet.com. Compare the wallet creation flow. Compare the transaction handling. Then tell us again that one is "phishing" and the other is "legitimate."

To be precise: there is exactly one independent actor we identified who made actual phishing copies of xmrwallet — a known Russian-speaking scammer operating primarily on .at domains (keplr.at and similar), who phishes multiple crypto wallets. He created copies of xmrwallet as one of many targets. Every other "phishing copy" of xmrwallet over the past 10 years was created by the operator himself.

Why would a scammer phish his own scam? Two reasons. First: to create a narrative. "Look, people are making phishing copies of our legitimate service — we must be important, we must be real." It's reputation theater. A legitimate wallet gets phished. A scam wallet doesn't — unless the scammer does it himself. The self-phishing copies let the operator claim credibility he never had. Second: to deflect blame. When victims complain that their funds disappeared, the operator points to the "phishing copies" and says: "You must have used a fake site, not ours." The victim blames the phishers. The operator keeps stealing. The registrar nods along. Everyone wins — except the people losing their money.

The xmrwallet.homes, xmrwallet.app, and dozens of other "phishing copies" that the operator conveniently blames — all trace back to the same origin. Same code. Same logic. Same hosting. Same operator playing both sides. The only real phishing actor (keplr.at) simply copied what was already a scam. Everyone else who got blamed for "phishing xmrwallet" was the operator himself, running mirrors of his own theft operation and pretending they were attacks.

Self-phishing through your own reseller network, blaming victims for your own mirror infrastructure, while your registrar helps you clean VirusTotal detections. This isn't a scam anymore. This is an industrial operation.

NameSilo Domain Console

NameSilo Domain Manager

NameSilo DNS Management

NameSilo Domain Defender

This is the admin panel of a company that people trust with their businesses. Look at the design. Look at the UI. Does this look like a modern, well-funded technology company? Or does it look like something built by the same person who orders SEO articles on Kwork for 500 rubles?

Now compare it to fd.nic.ru — a Russian registrar. Remarkably similar aesthetic, isn't it? Same era, same design philosophy, same target audience.

NameSilo claims to manage 6.26 million domains. Our analysis of 5.18 million shows 81.5% are dead — 4.22 million domains with no website, no email, no purpose. Bulk domain registration at scale with anonymous Bitcoin payment and zero activation is not a business model.

Domain infrastructure — 10 domains, DDoS-Guard, IQWeb

Operator's domain network: 10 domains across DDoS-Guard (Russia) & IQWeb FZ-LLC (UAE). Co-hosted with carding marketplace bclubs.to and pirate streaming kinogo.ec. All mirrors share identical code hashes.

Forbes, Wikipedia, Trustpilot — purchased legitimacy infrastructurefake reviews + paid articles+

The Forbes Advisor Article — A Case Study in Purchased Legitimacy

Forbes Advisor published a "review" of NameSilo ("Audited & Verified: May 6, 2024"). It contains the affiliate disclosure: "We earn a commission from partner links." The article recommends NameSilo as the "best registrar for low-cost domains." Let's fact-check it against reality:

Forbes ClaimsRealityVerdict

"$10.95/year for .com"$15.56 register, $17.29 renew (tldes.com)Wrong

"Best for low-cost .com"#96 of 130 registrars. 95 are cheaper.False

"24/7 customer support"Site now shows business hours, not 24/7Outdated

"Highly rated support"100+ abuse reports ignored. VT delisting offered to scammers.False

Compares with Google DomainsGoogle Domains shut down Sept 2023. Article "audited May 2024."Dead source

"3 million active domains"They now claim 6.26M. Real active: ~958K.Both inflated (real: ~958K)

Panel screenshotsOnly the pretty public facade. Real admin panel (Win98) hidden behind login.Misleading

Forbes also includes this disclaimer: "Information may have changed since publication. Past performance is not indicative of future results." and "Forbes Advisor adheres to strict editorial integrity standards."

"Editorial integrity" that recommends a registrar as "best for low-cost .com" when 95 registrars are cheaper. That says "24/7 support" when the site shows business hours. That compares with a dead competitor. That shows fake screenshots of a panel that doesn't exist. Same playbook as Kwork SEO articles — different budget, same result. A $500 Kwork article and a Forbes Advisor "review" serve the same purpose: purchased legitimacy.

And it doesn't stop at Forbes. NameSilo's "news" on Yahoo Finance carries this label: "This is a paid press release." Every "article" about NameSilo in financial media is purchased. The Forbes review. The Yahoo Finance press releases. The Trustpilot ratings. The Wikipedia page (flagged as promotional). There is no organic positive coverage of NameSilo. It is all bought.

FTC Warning Letter — December 20, 2024

The U.S. Federal Trade Commission sent NameSilo an official warning letter on December 20, 2024, signed by Lois C. Greisman (Associate Director, Bureau of Consumer Protection, Division of Marketing Practices). The letter states:

"I write to inform you that one or more domains registered by NameSilo appear to be perpetrating an imposter scam that utilizes the Federal Trade Commission (FTC) name without authorization and implies a false affiliation with the FTC."

"The FTC is not affiliated with the entities or individuals operating this website. Please be advised that it is a violation of the Rule on Impersonation of Government and Businesses ("Impersonator Rule"), 16 C.F.R. § 461, to "materially and falsely pose as, directly or by implication, a government entity or officer.""

"We expect to hear from NameSilo regarding this urgent consumer protection matter promptly."

Think about what this means: a federal agency had to send an official letter to get NameSilo to act on a domain impersonating the FTC itself. Not a random phishing site. Not a crypto drainer. A domain pretending to be the Federal Trade Commission. If even the FTC needs to send formal correspondence to get a phishing domain removed — what chance does a regular victim have? The answer: none. Read the full FTC letter (PDF) →

BBB Complaints — Pattern of Abuse Denial

NameSilo's Better Business Bureau page contains complaints from real victims. A pattern emerges: victims report phishing domains, NameSilo deflects:

Victim complaint (BBB):

"NameSilo did not remove the domain that was proven to be used for phishing and allowed it to continue impersonating our company. Their phishing abuse form does not work. When I tried emailing them, they only had an auto-responder. We filed a complaint with ICANN since their abuse reporting system is essentially non-functional. We are considering filing a lawsuit under ACPA."

NameSilo response (March 18, 2024):

"We cannot confirm phishing — it appears to be SPAM. As a domain name registrar, we do not have any control over the content of emails... It is too easy to spoof domain names for us to investigate complaints."

Translation: "We can't confirm phishing" (we won't look). "We don't control email content" (not our problem). "Too easy to spoof" (we won't investigate). This is the same playbook we documented with xmrwallet — deflect, minimize, refuse. The difference: these aren't our reports. These are real businesses, filing on the BBB, getting the same non-answers. Read all BBB complaints →

Trustpilot — Bot Farms Competing with Bot Farms

NameSilo's Trustpilot rating looks impressive — until you think about it. Their real customer base is ~958K active domains. How many of those customers would voluntarily write a glowing review of a registrar with a Win98 admin panel, $15.56 .com pricing (#96/130), and support that responds to phishing reports with "we can't confirm phishing"?

The pattern is complete:

Domains: buy from yourself → "6.26M under management"

Articles: pay Forbes, Yahoo Finance → "highly reviewed"

Wikipedia: write about yourself → "independently notable" (flagged as promotional)

Reviews: write about yourself → Trustpilot rating

ICANN: cite accreditation → "we are legitimate"

Real customers: ~958K. Real support: "we can't confirm phishing." Real panel: Windows 98.

We tested Trustpilot ourselves. We left a 3-star review for NiceNIC — not even negative, just honest. No profanity, no accusations, just facts. Deleted after one complaint. A verified account. A real review. Gone. Meanwhile, NameSilo's page is full of suspiciously enthusiastic 5-star reviews from accounts with US geolocation — because the geo matters. American reviewers = "look, real American customers buy our domains" (not "we launder stolen crypto by buying domains from ourselves"). The reviews serve the same purpose as the phantom domains: creating the appearance of a legitimate American customer base that does not exist.

Example: "Patty Johnson" (Trustpilot profile) — US-based, 2 reviews total. One 5-star review for NameSilo (Jan 2026): "Leonid was very helpful... 5 stars!" The other review? For Otrium — a company with reviews alleging fraud and stolen money. One bot account writing for two different scam-adjacent businesses. And the reviews share a pattern: they name specific support agents ("Leonid"), praise response time, and read like templated customer service surveys — not like someone who just bought a $10 domain. Real domain buyers review prices and panel UX. Bot reviews praise "Leonid."

TRUSTPILOT DATA ANALYSIS — 2,280 NameSilo vs 2,480 Namecheap reviews

MetricNameSiloNamecheap

5-star reviews88.9%74.0%

1-star reviews7.2%16.7%

Single-review accounts62.4%59.6%

No avatar (fresh accounts)67.3%51.5%

About support/chat/service70.0%60.2%

About price/cost9.8%37.5%

Named agent "Leonid"5.7%0.0%

US geolocation35.1%26.5%

We understand the support obsession, by the way. Have you seen their admin panel? (we recreated it). With that interface, we'd need support too — or an ambulance. Half the functions don't work, the UI hasn't had a major overhaul in years, and the CEO himself admitted it needs a "complete UX overhaul" after seven years of promises. So yes: if you somehow became a NameSilo customer, you would indeed contact support. Constantly. Because nothing works without it.

But here's the tell: real frustrated users write about how terrible the interface is. That's what the 1-star reviews say — broken DNS, locked accounts, suspended domains, phishing reports ignored. Real pain, real detail, 265 characters average. The 5-star reviews? "Great support! Leonid helped. 5 stars." — 84 characters median. Real users complain about the product. Fake users praise the people.

And about those people — Leonid appeared from nowhere on April 13, 2025. Zero mentions before. Then 65 reviews in his first two months. That's not a popular support agent. That's a KPI. The timing coincides exactly with our investigation going public. The pattern is clear: investigation starts → negative coverage appears → bot farm activates → "Leonid was amazing!" fills the page. May 2025: 106 reviews (5x normal), 95% five-star, zero one-star. Not one unhappy customer in 106 reviews. For a registrar ranked #96 in .com pricing with a panel from 1998.

And the reviews themselves? 43% are under 80 characters. Four have the title just "Leonid" — nothing else. Three more: "Leonid was very helpful." That's it. 52% US geo. Among the reviewers: "Satoshi Nakamoto" (yes, really), "Author" (didn't even pick a name), "Виктор -" and "Anna Koroleva" (Russian names on a US-targeted registrar), "Boris Martin" and "Andrei Dobrescu" (Eastern European), all mixed with "Brad", "LaToya", "Patty Johnson." Someone is writing reviews in bulk and cycling through a name generator that can't decide which continent to pretend to be from. The name Leonid itself is Russian — which fits the pattern perfectly. A Russian-named support agent praised by Russian-named bot accounts on a registrar with FSB connections and xmrwallet ties. At this point, the question isn't whether these reviews are fake. The question is whether Leonid is a real person or a character in a script.

The Hong Kong anomaly — and the phantom Chinese customer base

Hong Kong: 57 reviews. 57 out of 57 are five-star. 100%. Zero four-star. Zero three-star. Zero anything else. 91% single-review accounts. Over 7 years. Statistically impossible for any real customer base. China: 94% five-star, 80% single-review, 84% no avatar. Singapore: 95% five-star, 85% single-review. Combined: 168 reviews from Chinese-speaking markets — almost entirely fabricated.

And the names? "Mihai" and "Jesse Barrett" reviewing from Hong Kong. "Franck" from mainland China. Mixed with 陈旭, 幽羽千葉, and zhanglili. A bot farm that couldn't decide whether to use Chinese or Western names — so it used both.

Why China? Because NameSilo actively markets there: namesilo-china.com, bcbay.com/namesilo, paid Chinese blog posts, and even a Chinese Wikipedia article. When investigators ask "who buys 4.22 million dead domains?", NameSilo will point to China. Be ready for phantom Chinese customers. The Trustpilot data shows they've been building this alibi since 2019 — 57 perfect reviews from Hong Kong, one at a time, spread over years. Patient. Deliberate. And 100% fabricated.

Independent AI Forensic Analysis — 2,480 vs 2,480 reviews

We scraped 2,480 NameSilo and 2,480 Namecheap Trustpilot reviews and submitted them to an independent Claude API analysis, anonymized as "Company A" and "Company B." The AI had no knowledge of which company was which. Its conclusions:

Forensic IndicatorNameSiloNamecheap

5-star ratio89.1%74.0%

1-star ratio7.1%16.7%

Disposable accounts (1 review, no avatar)39% of all~25%

...of those, gave 5 stars92%~65%

Reviews mentioning price11.2%39.2%

Reviews about support/service73.8%62.4%

Named single agent in reviewsLeonid: 168none

5-star vocabulary diversity (TTR)0.073~0.15

HK reviews: 100% five-star57/57n/a

May-Jun 2025 spike (5x normal)215 reviewsnone

AI manipulation verdict92%15%

From the AI report: "Company A exhibits extensive, multi-dimensional evidence of systematic review manipulation through coordinated artificial generation. The probability of these patterns occurring organically approaches zero."

TRUSTPILOT EVIDENCE FILES — SHA-256 VERIFIED

namesilo-trustpilot.html (JSON) (2,480 reviews) — fc73d928...

namecheap-trustpilot.html (JSON) (2,480 reviews) — 789cbc50...

namesilo-trustpilot-manifest.json (all 2,480 user IDs + metadata) — 8f17ca48...

namecheap-trustpilot-manifest.json (2,480 user IDs — control group) — fd9d647a...

trustpilot-forensic-report-final.txt (independent AI analysis) — eaa0fdac...

xmrwallet-trustpilot.html (JSON) (80 reviews — the scam site itself) — cf159a47...

xmrwallet.com Trustpilot — Wayback snapshots exist on ca.trustpilot.com. Our scrape captures the complete dataset at time of collection.

Every Trustpilot user ID is in the manifest. Every review text, date, country, star rating, avatar status, and total review count is preserved. Cross-reference any entry against ca.trustpilot.com/review/www.namesilo.com. Nothing was fabricated. Nothing was altered. We analyzed what they published. They published what we found.

BEHAVIORAL PATTERN ANALYSIS & PR NEWSWIRE CONNECTION

behavioral-patterns.html — Integrated into main page (below). Side-by-side patterns, Trustpilot forensics, PR Newswire releases, farewell letter.

serp-evidence.html (JSON) — 90 DuckDuckGo results for namesilo/xmrwallet scam queries

xmrwallet-twitter.html (JSON) — 44 tweets: bot promotions, victim reports

reddit-evidence.html (JSON + additions) — 93 Reddit posts, 60% removal rate, sock puppets, $1.19M+ confirmed stolen

pr-newswire-pages/ — 15 archived PR Newswire releases (3 xmrwallet + 12 NameSilo) + Google/Bing SERP dumps

pr-newswire-connection.json — Raw connection data with contact details

xmrwallet.com Trustpilot — The Scam Site's Own Reviews

We scraped all 80 reviews from xmrwallet.com's Trustpilot page. Wayback Machine snapshots exist on ca.trustpilot.com/review/xmrwallet.com. Our scrape captures the full dataset including review text, ratings, dates, and user metadata.

total reviews

51%

5-star (41)

22%

1-star victims (18)

99%

reply rate (79/80)

70%

1-review accounts

users also reviewed NameSilo

Operator reply patterns: 8x "thank you!", 7x "thanks!", 5x "clone/phishing site" deflection. The operator actively maintains 99% reply rate to boost Trustpilot TrustScore — while actual victims report stolen funds since 2020.

Victim Lee Davis (2022) mentions emailing "owner Nathalie Roy herself" — confirming the domain registrant identity directly from a Trustpilot review.

Cross-reference: Zero user overlap between xmrwallet and NameSilo reviewers. Different bot farms, same playbook: flood with short 5-star reviews from 1-review accounts to drown out real victims.

Full dataset: Browse Reviews (JSON) — SHA-256: cf159a47...

Everything is self-referential. The domains inflate the revenue. The revenue funds the articles. The articles build the Trustpilot. The Trustpilot convinces investors. The investors fund the stock price. The stock price justifies the acquisitions. The acquisitions launder the money. And 81.5% of it is built on domains that nobody uses, reviews that nobody wrote, and articles that nobody commissioned organically. It's turtles all the way down — and every turtle is NameSilo.

Domain Registration Anomaly Report — 130M+ domains analyzed

We analyzed 5.1 million NameSilo domains against 7 other registrars (130M+ total). 32.2% of NameSilo domains are dead — never activated, no IP, no email, no web presence. Industry baseline: 15-21%. That's $12 million spent on domains that were never used. Dead registrations spiked 7x between 2023 and 2024. Bulk registration runs of 10,000-17,000 domains/day throughout 2025. Disproportionate use of junk TLDs (.sbs, .cfd, .xyz). 96% of domains have no contact email. Consistent with money laundering, self-dealing, or systematic revenue inflation.

Browse Dead Domains Full Report Download 5.1M domains (54MB gz)

For context: NameSilo Technologies Corp. (CSE: URL, OTC: URLOF) has a market cap of C$133M (~US$98M), revenue of C$65.5M, and a net margin of 1.7%. They trade at P/E 143.8x vs industry average 21x. A company valued at C$133M is protecting a $100M+ theft operation. The math doesn't add up — unless the theft operation IS part of the business model.

Corporate structure — public record:

NameSilo Technologies Corp. — parent company. Incorporated in British Columbia, Canada. Listed on the Canadian Securities Exchange (CSE: URL). Also trades OTC in the US as URLOF. Subject to Canadian securities regulation (BCSC).

NameSilo, LLC — operating subsidiary. Registered in Phoenix, Arizona, USA. ICANN-accredited registrar, IANA ID #1479. Subject to US law, ICANN RAA, and Arizona state jurisdiction.

This means two regulatory jurisdictions have authority: Canadian securities regulators (BCSC/OSC) over the parent company and its stock, and US authorities (FBI, DOJ, Arizona AG, FinCEN) over the operating entity. Neither has acted.

PrivacyGuardian.org — 109K malicious domains shielded + xmrwallet operator profileprivacy abuse + operator ID+

PrivacyGuardian.org — NameSilo's built-in scam shield

PhishDestroy scan of NameSilo's WHOIS privacy service — April 2026

PrivacyGuardian.org is not a third-party service. It is owned and operated by NameSilo. Every domain that uses PrivacyGuardian has its registrant email replaced with a pw-{hex}@privacyguardian.org address — making the real owner invisible to abuse reporters, law enforcement, and victims. Privacy is legitimate. Using your own privacy service to shield 109,000+ malicious domains from identification is not privacy — it's infrastructure for fraud.

4.97MPG candidates

109KHARD confirmed PG

181KOn public blocklists

1,065VirusTotal flagged

How we got these numbers: We extracted 4,974,265 candidate domains from the NameSilo customer dataset by matching PrivacyGuardian.org WHOIS markers. We then validated each domain via RDAP against rdap.namesilo.com. Of those validated, 109,195 were HARD confirmed as PrivacyGuardian-protected. We cross-referenced the full list against Spamhaus DBL, SURBL, PhishTank, PhishingArmy, CERT-PL, AlienVault OTX, Hagezi, uBlock, AdGuard, ThreatFox, and our own internal blocklist of 130K+ domains.

Top blocklist sources

Spamhaus DBL: 77,522

SURBL: 68,345

PhishDestroy internal: 22,783

Hagezi TIF: 16,090

1Hosts: 14,075

ScamAdviser: 6,222

PhishingArmy: 2,439

CERT-PL: 2,367

AlienVault OTX: 1,180

What these domains do

Cryptocurrency theft: 1,064

WalletConnect phishing: 69

Gambling scam: 21

Tech support scam: 20

Social media phishing: 18

Seed phrase phishing: 11

Airdrop scam: 7

Top drainers: Angel Drainer (153), Solana Drainer (48)

Top TLDs (malicious PG domains)

.com: 41,265 — .top: 26,600 — .net: 15,412

.sbs: 12,004 — .org: 11,035 — .biz: 6,962

.wiki: 6,597 — .info: 5,647 — .cfd: 5,353

.xyz: 5,225 — .vip: 4,929 — .help: 4,442

.click: 4,404 — .rest: 2,206 — .icu: 1,619

Same junk TLD profile as the dead domain analysis. .sbs, .cfd, .xyz, .top — the same abuse-prone TLDs dominate both datasets.

Top targeted brands

SushiSwap: 213 — Base: 161 — Across: 57

Sui: 38 — Hyperliquid: 32 — Google: 27

Solana: 26 — Bet365: 26 — Ledger: 25

Ethereum: 21 — Linea: 21 — OKX: 20

Coinbase: 25 — Pump.fun: 23

Ledger, Coinbase, OKX, Ethereum — real financial brands being impersonated through NameSilo's own privacy service.

Hosting geography (malicious PG domains)

US: 31,816 — DE: 20,254 — NL: 11,811

HK: 11,327 — SG: 6,639 — GB: 1,886

IE: 1,791 — JP: 1,734 — MY: 1,516

VirusTotal breakdown

Flagged ≥1 engine: 1,065 (63% of enriched)

Flagged ≥4 engines: 485 (29%)

Flagged ≥10 engines: 303 (18%)

AlienVault OTX active: 221 (13%)

The bottom line: NameSilo operates its own WHOIS privacy service. That service shields 109,000+ confirmed malicious domains from identification. These domains impersonate Coinbase, Ledger, OKX, Ethereum, Google, and dozens of other brands. They run Angel Drainer, Solana Drainer, and wallet-connect phishing at industrial scale. 77,522 of them are flagged by Spamhaus. And NameSilo — the ICANN-accredited registrar that operates PrivacyGuardian — tells every abuse reporter: "As an ICANN-accredited registrar..."

This is not negligence. This is a business model. The privacy service exists to make abuse reporting harder. The junk TLDs exist because they're cheap and disposable. The dead domains exist to inflate revenue. And the ICANN accreditation exists to wave at anyone who asks questions. 109,000 malicious domains protected by your own service, NameSilo. How many more do you need before someone calls this what it is?

Let's be clear about what we're looking at. These are not sophisticated actors. The operational pattern is identical to hundreds of Russian-origin scam operations that pay kickbacks to FSB-adjacent structures for protection — the only difference is the scale and the fact that they're hiding behind a US-incorporated company in Arizona instead of a Belize shell. The logic is the same: steal, suppress, buy reputation, delete evidence, threaten researchers, and rely on institutional inertia to never face consequences. They got comfortable because it worked for 10 years. It's not going to work for the 11th.

[email protected] — we share what we know with any victim, investigator, or prosecutor.

SEO Manipulation

"SEO Grandpa" — Operator's Google Drive Orders

Google Drive — Folder 1 Google Drive — Folder 2 Google Drive — Folder 3 Google Slides Google Sites Google Forms Google Slides 2 Presentation File Google Drawing Google Sheets — Links Google Doc Google Forms 2 GCloud Backlink (DA 91) AWS S3 Backlink (DA 96) Azure Backlink (DA 99)

Drive owner: [email protected] (last modified Oct 2023)

The Exit

Exhibit — Operator's Farewell Letter

The operator ran. The site is still live. NameSilo still hasn't suspended the domain.

On May 5, 2026, the xmrwallet operator posted a farewell letter on the site and GitHub repository — announcing complete closure. He signed it "The Creator of xmrwallet.com" without using his real name. This letter is direct evidence: it proves the operator was aware of the investigation, it contains verifiable lies about the theft mechanism, and it confirms the site was operated by a single individual from 2018 to 2026. We saved a copy immediately. As of today, the domain xmrwallet.com is still active and NameSilo still has not suspended it.

Lie #1 — "View key cannot give access to spend your funds"

"A view key does not, and cannot, give the service access to spend your funds."

Reality: The theft mechanism does not use the view key to spend. It uses session_key exfiltration — the wallet address and private view key are base64-encoded into a session identifier, sent to the server, where the server constructs its own transaction using 8 PHP endpoints. The operator knows this because he wrote the code. He is deliberately misdirecting victims toward a view-key debate while the actual exploit is server-side transaction hijacking. This is consciousness of guilt.

Lie #2 — "Unfunded" and "cannot afford server costs"

"This project is unfunded and maintained in my spare time, I simply cannot afford the server costs."

Reality: The operator stole an estimated $100M+ in Monero over 8 years. Server hosting on DDoS-Guard costs ~$550/month. He pre-paid 5-10 year domain registrations across 6+ registrars. He purchased 50+ SEO articles, social media spam packages, and maintained multiple mirror domains simultaneously. The "unfunded volunteer" narrative is for victims who don't read the technical evidence.

Admission — "The person who attacked us"

"We have recently been the target of sustained attacks... The person who attacked us did so under the accusation that our service requires a view key."

What this confirms: The operator acknowledges PhishDestroy's investigation forced the closure. He frames security research as "attacks." He does not deny any specific finding. He does not produce counter-evidence. He redirects to the view-key strawman. An innocent operator would publish the server logs proving no theft occurred. He didn't.

Evidence value — "Thank you to everyone who sent donations"

"A special and sincere thank you to everyone who sent donations throughout the years. Your immense generosity is what kept the servers running."

For investigators: The operator claims donations funded the servers. This is falsifiable. Subpoena the donation address transaction history. Compare total received donations vs. total funds that "disappeared" from user wallets. The gap between those numbers is the theft volume. The operator just told you where to look.

Read Full Farewell Letter SHA-256: 6c31afb9d6cccb1018323e491ebba78457fa7e2ebf7794670684b9e5c009a199

Captured from xmrwallet.com on May 5, 2026. The letter was published as the site's index page. We archived the complete HTML including all CSS, scripts, and metadata. The operator signed as "The Creator of xmrwallet.com" — not as "Nathalie Roy", not by any name. But the email headers from February say N.R. And the WHOIS records say the rest.

Why did he "leave"? Not guilt. Evidence destruction.

The operator — who registered under the name "Nathalie Roy" (a woman's name; we documented the operator's Kwork SEO orders and freelance activity — nicknamed "SEO Grandpa" based on his SEO spam campaigns) — did not shut down out of remorse. He redirected the xmrwallet.com domain to GitHub Pages, where the farewell letter is now hosted. This is not a shutdown. This is a calculated move to:

1. Erase URLscan evidence. When the domain points to GitHub Pages, previous URLscan scans of the malicious site become stale. New scans show a benign GitHub-hosted page. The forensic record of what the site actually did — the 8 PHP endpoints, the session_key exfiltration, the server-side TX hijacking — gets buried under clean scans of a static farewell letter.

2. Automatically reduce VirusTotal detections. When security vendors re-scan xmrwallet.com and see a GitHub Pages site instead of a malware-laden wallet, they remove their detections. The operator has been filing regular VT appeals and re-scan requests — we observed this pattern. Each re-scan with the domain pointing to GitHub lowers the detection count. This is exactly what NameSilo promised to help with: "working with the registrant to remove the website from VT reports." They found a way.

3. NameSilo got nervous. The ICANN filing, the law enforcement referral, the public exposure with 11K views — and then US authorities apparently started asking questions. The farewell letter appeared shortly after. Coincidence? The operator didn't suddenly develop a conscience after nearly a decade and $100M. Someone told him to cool down. Someone with a vested interest in making the problem go away quietly.

4. The DNS history confirms this was deliberate — and clumsy. The domain xmrwallet.com was never pointed to GitHub before this. For years it resolved to DDoS-Guard/IQWeb infrastructure — the real scam backend. The redirect to GitHub Pages was recent, intentional, and it took the operator 3 attempts to get the DNS configuration right. A "developer" who built a "sophisticated open-source wallet" needed three tries to set up a GitHub Pages CNAME. This level of technical skill is consistent with everything else about this operation. These are not sophisticated actors. They are persistent ones.

The "farewell" is not an exit. It's a cleanup operation. The domain is still registered. The DNS is still active. The operator is still out there. And the evidence destruction is ongoing — every day the domain points to GitHub, another security vendor removes their detection. This is why we archived everything before they could erase it.

@Phish_Destroy — 26 tweets that got us silenced — archived before X/Twitter deleted them26 screenshots+

Exhibit — Suppressed Social Media Evidence

Every tweet was screenshotted and archived before the account was locked via X Gold Checkmark corporate support. X/Twitter deleted the originals. We kept the receipts.

For investigators: Request X/Twitter's deletion logs for @Phish_Destroy. The reports that triggered the lock were filed by NameSilo or the operator — request the reporter identity.

Click any screenshot to view full size. All 26 images are part of the IPFS archive.

Victim & Technical Evidence — theft reports, DNS maps, GitHub issues, VirusTotal10 screenshots+

Victim theft reports, deleted GitHub issues, DNS infrastructure maps, VirusTotal detections, and the operator's CIS-origin indicators. All SHA-256 verified in ALL_EVIDENCE_HASHES.txt.

400 XMR stolen — BitcoinTalk victim report

30 XMR stolen — bits.media Russian victim

GitHub Issue #15 — "Money stolen"

VirusTotal — multi-vendor detection

DNS Map — xmrwallet.com infrastructure

DNS Map — xmrwallet.cc (suspended)

DNS Map — xmrwallet.biz (suspended)

Issue #35 — overview (DELETED by operator)

Issue #35 — auth flow diagram

Issue #35 — 8 PHP endpoints

Russian trail — CIS origin indicators

Court-Ready Documents — PDFs & Formal Filings

📄

ICANN Complaint
PDF — d4e7641a...

📄

Evidence Report
PDF — c21d7ce7...

📄

Victim Advisory
PDF — e38a36f9...

📄

Deleted Evidence Timeline
PDF — 9db29c39...

📝

Medium Article Mirror
HTML — local copy of published article

🔍

Technical Research Report
Full xmrwallet analysis — a325461c...

For Victims & Authorities

The operator's entire strategy depends on victims giving up after being silenced. This section is for those who refuse.

Advice for Victims, Investigators & AuthoritiesWhat to do if you lost money. Where to report. How to help the investigation. Contacts for FBI, ICANN, Arizona AG.

🛡️

If you are a victim

We know it feels hopeless. Monero is private. Your money seems gone. They deleted your reviews, your posts, your warnings. They want you to believe there's nothing you can do. That's not true.

There are legal levers. The registrar is a US company (NameSilo, LLC, IANA #1479). They can be called to court. The scam operator himself suggested this — interesting, isn't it?
Monero is private, not invisible. Transaction timing, exchange deposits, IP correlation, and the operator's own infrastructure leave traces. Evidence exists. Forensics firms specialize in this.
Criminal cases are open in Europe. You are not alone. Other victims have contacted us. The documented amount exceeds $20M, and we believe the real total is at least 5 times higher.
Don't be afraid of account deletion. Yes, they will try to delete your posts, your reviews, your warnings. Let them. Every deletion is documented. Every suppression attempt becomes evidence. They cannot just steal your money and force you to stay silent.
File abuse reports. Even if previous reports were ignored, file them. With NameSilo. With ICANN. With your local law enforcement. Each report creates a paper trail that becomes harder to deny.
Contact us: [email protected] — your report will be added to the case file.

The operator's power was making victims disappear. This archive makes that impossible.

⚖️

For law enforcement & regulators

This archive is structured as a court-ready evidence package. Everything you need is here.

ICANN Compliance: Full case file submitted March 18, 2026. NameSilo (IANA #1479) is an accredited registrar subject to RAA obligations including abuse handling.
Evidence integrity: Every screenshot is SHA-256 fingerprinted in EVIDENCE_HASHES.txt. The hashes were published before any party could have modified the originals.
Operator identification: The operator signed emails as "N.R." Technical infrastructure analysis, domain registration patterns, and payment trail documentation are in OPERATOR_PROFILE.md.
Registrar conduct: NameSilo's public statement contains 4 independently falsifiable claims. Full analysis: THE-LIES.md. The suppression campaign is documented in PRESSURE.md.
License: Explicit written consent for any victim, prosecutor, regulator, or court to use this material as-is.
Theft mechanism: Server-side transaction hijacking via 8 PHP endpoints. Full technical breakdown in the xmrwallet investigation.
Scale: Documented losses exceed $20M. Based on victim contacts and timeline analysis, the actual total over the full operating period is likely $100M+.
Recommended subpoenas — Trustpilot: Request all deleted/removed reviews for xmrwallet.com. Over 100 victim reviews were removed through automated moderation abuse. The original reviews are recoverable via SHA-256 hashes and Wayback Machine snapshots of the Trustpilot page. The delta between archived and current reviews is the suppression count.
Recommended subpoenas — GitHub: Request the full issue history for the xmrwallet repository, including deleted issues. We observed issues disappearing — the gap between sequential issue IDs and the ones we recorded proves deletions. Request deleted user accounts associated with victim reports.
Domain registration pattern: The operator registered xmrwallet mirrors across multiple registrars with 5–10 year registration periods. Each clone domain linked directly from the main site — all archived in the Wayback Machine. We systematically took these domains down, one by one. A legitimate service does not pre-register escape domains for a decade across multiple registrars. This is infrastructure for a long-term fraud operation.
Hosting forensics: All domains use IQWeb / DDoS-Guard infrastructure. The codebase hash is identical across every mirror — public scan results confirm this. These are not independent clones or compromised copies. This is a single operator deploying the same theft code across a network of domains on bulletproof hosting.

The Falsification Test

Run any registrar through these criteria. Only one matches.

Take Namecheap, Porkbun, Tucows, GoDaddy — any registrar on Earth — and compare it to xmrwallet.com using the criteria below. You will find zero matches beyond Trustpilot (everyone uses it). Now run NameSilo. Every single line lights up.

9 criteria — only one registrar matches all of themfalsification checklist+

1The scam operator invites you to subpoena his own registrar. Not afraid. Because the registrar then fabricates a cover story the operator never asked for.

2The registrar offers to remove VirusTotal detections for a known drainer. No registrar in the history of the internet has done this. Not NiceNIC. Not the worst bulletproof registrars we've worked against. Only NameSilo.

3Same response style. When cornered, both produce threats instead of arguments. Not facts. Not counter-evidence. Not "here's why you're wrong." Just "halt your falsehoods or face legal action" and "I've hired a lawyer." Same arrogance. Same void where substance should be.

4Same PR pipeline. PR Newswire costs $195–249/year membership + $805–3,000+ per release. It exists for publicly-traded companies where $3K is a rounding error in the comms budget. Free alternatives exist (PRLog, EIN Presswire $149). Yet a "volunteer wallet" with zero donations, a fake phone number (+1 300-227-473), and a persona ("Nathalie Roy, Founder") — the same wallet that pays $550/month for DDoS-Guard hosting in Russia and just deleted its source code from GitHub — chooses to publish on the same enterprise platform where NameSilo files CSE quarterly earnings. Then the release appears on Yahoo Finance as "news" and on NameSilo's stock page as "media coverage." It's not coverage — it's text they wrote about themselves, paid to distribute, and cited as if someone else cared. Since when does a platform built for stock-price-moving announcements publish Tor onion integration updates from a nonprofit with zero revenue? The release lists contact: Nathalie Roy, +1 300-227-473 (area code 300 does not exist in NANP — fake number), [email protected] (PR Newswire's enterprise email relay — a "volunteer" with corporate proxy), and promotes xmrwallet as providing "discreet financial tools for charitable organizations." A wallet that stole $100M+ selling itself as charity infrastructure on an enterprise PR platform. [Archived page] And here's the kicker: the PR release announces "Tor Network Integration" for an "open-source" project whose last GitHub commit was November 6, 2018 — over 7 years before the release. The repo was frozen for 5.3 years. No Tor code was ever committed. The "open-source" code is a 2018 audit prop — production runs entirely different, obfuscated code that steals keys. They paid $800+ to announce a feature that doesn't exist in their public codebase.

5Same Trustpilot playbook. Both delete negative reviews. Both plant low-quality bots. Both maintain ratings that don't match reality. 7+ confirmed deletions (xmrwallet, Wayback proof). 129 deletions in 4 months (NameSilo, Wayback proof). A victim reporting stolen funds — deleted. A bot writing "Leonid was very helpful" — approved.

6Same suppression playbook. DMCA takedowns. Mass-reporting on every platform with a "report" button. Coordinated deletion of evidence. Both entities try to erase truth — not disprove it.

7Zero organic coverage for both. 94 referring domains (xmrwallet) vs 102 (NameSilo). Neither has a single piece of independent journalism. Every "article" is paid. Every "review" is bought. Every "news" item is self-written. Run this test on Namecheap — thousands of organic mentions. GoDaddy — tens of thousands. NameSilo — 102, mostly coupon sites and exchange filings.

8C$5.9M in "digital currency" on the balance sheet of a domain registrar. 81.5% dead domains. $50.8M phantom revenue. First profit ever in 2025. Then they bought a sewer inspection company.

9When cornered: evidence destruction. The operator deleted GitHub issues #35 and #36. Then deleted the source code. NameSilo used Gold Checkmark to lock our Twitter. An insider tried to doxx our researcher, then deleted his tweets. The farewell letter posted. NameSilo still hasn't suspended the domain.

Now run this test on Namecheap. On Porkbun. On Tucows. On any registrar.

How many of these 9 criteria match? Zero. Maybe Trustpilot — everyone uses it. But the PR pipeline, the response style, the suppression playbook, the threat language, the evidence destruction, the zero organic coverage, the crypto on the balance sheet, the VT delisting offer — none of them match any other registrar. Only NameSilo. Every line. Every time.

One coincidence is chance. Nine is an org chart.

Independent SERP Analysis — 10 Registrars + 10 WalletsGoogle + Bing, 30 results each, classified by AI. xmrwallet = only wallet with crypto spam. Data speaks for itself.

AI Verified +

We scraped Google and Bing for 10 registrars and 10 crypto wallets using identical methodology (SerpAPI, top 30 results per engine, deduplicated). Results were classified by category. Then we fed the raw data to Gemini 2.5 Flash for independent analysis — no prompting toward conclusions. We show the data and let you decide.

Registrars:

RegistrarResultsPR PaidTech MediaCommunityWikiFinancial

NameSilo4400324

Namecheap3503411

GoDaddy5323216

NiceNIC3800210

Porkbun3500402

Cloudflare3300200

Ionos3700221

Name.com4600220

Hostinger4902110

Hover3901202

Wallets:

WalletResultsCrypto SpamCommunityGitHubWikiOwn Domain %

xmrwallet.com4423306.8%

Cake Wallet4503306.7%

MyMonero4604102.2%

Feather3701212.7%

getmonero32033031.3%

Exodus38050213.2%

Trust Wallet3504015.7%

Ledger55032134.5%

Trezor50042020.0%

Monerujo5702203.5%

Gemini 2.5 Flash independent conclusion (verbatim):

"xmrwallet: The presence of crypto_spam (4.5%) is a direct indicator of reliance on manufactured or low-quality paid content. Its low own-domain presence (6.8%) further supports a less organic and independently validated profile."

"xmrwallet is the only wallet with crypto_spam. The term crypto_spam itself implies manufactured or low-quality content rather than organic coverage."

Methodology: SerpAPI, Google + Bing, top 30 per engine, deduplicated. Classification by domain pattern. AI analysis: Gemini 2.5 Flash, zero-shot, no leading prompts. Raw data: serp-full-analysis.json · AI report: serp-gemini-report.md

SERP Data — PR Newswire presence in search results

We scraped Google and Bing for all entities using the same methodology (SerpAPI, top 100 results per engine, deduplicated, May 2026). The PR Newswire column tells the entire story:

EntityPR NewswireGoogle + BingUnique domains

xmrwallet0*13256

NameSilo1711641

Namecheap014252

NiceNIC013456

* xmrwallet had 3 PR Newswire releases indexed previously (Jan 2026 scrape). They have since been deindexed or removed — but we cached all 3 pages before they disappeared. NameSilo's 17 PR Newswire results are all in Bing; Google shows 0. Previous scrape (with duplicates) showed inflated numbers — this is the clean, deduplicated rescrape.

Wallet comparison — is xmrwallet a wallet or a PR operation?

We also scraped SERP for two legitimate Monero wallets — Cake Wallet and getmonero.org — to compare with xmrwallet. If xmrwallet is a real wallet, its search profile should look like theirs:

CategoryxmrwalletCake WalletgetmoneroNameSilo

PR Newswire0*0017

Paid crypto spam10000

Legit crypto news0200

Monero community244790

GitHub1711320

Cake Wallet: 0 PR Newswire. 0 crypto spam. getmonero: 0 PR Newswire. 0 crypto spam. No legitimate wallet uses enterprise PR distribution or buys placement on crypto-spam sites. xmrwallet's 3 PR Newswire releases have since been deindexed — we cached all 3 before they disappeared. The cached pages prove the releases existed: same platform, same enterprise distribution, same pipeline as NameSilo's quarterly earnings. Raw dumps (May 2026 rescrape, deduplicated): Cake Google · Cake Bing · getmonero Google · getmonero Bing

Registrar comparison

Namecheap — the 6th largest registrar on Earth — has zero PR Newswire results. NiceNIC — one of the worst bullet-proof registrars we track — has zero. Only NameSilo uses paid PR distribution among registrars. xmrwallet's PR Newswire releases were indexed until early 2026 — now deindexed, but cached in our archive. The one specific enterprise platform that connected a "volunteer wallet" to any registrar was PR Newswire, and the registrar was NameSilo. Raw SERP dumps (May 2026, clean): Namecheap Google · Namecheap Bing · NiceNIC Google · NiceNIC Bing

The Manufactured Legitimacy Pipeline

Nobody writes about this registrar. Not a single piece of independent journalism in their SERP. The design is objectively terrible — their own CEO admitted it needs a "complete UX/UI overhaul" after seven years. But they claim 6 million domains. Someone has to create the appearance that this company is alive and thriving. Enter Leonid.

On Trustpilot, a name keeps appearing in NameSilo's 5-star reviews: "Leonid." Leonid was very helpful. Leonid solved my problem. Leonid is amazing. Reviews that read like they were written by the same person, praising a support agent by name — while verified victims who report stolen funds get deleted as "guideline breaches." 129 reviews deleted in 4 months. Rating magically recovers from 4.5 to 4.7. We showed the methodology. We showed the data. If you think our analysis is not objective — here are all 2,480 surviving reviews. Replicate it yourself.

But the funniest part is the PR pipeline. Here is how it works, step by step:

Step 1: NameSilo writes a press release about themselves. In third person.

        They write: "NameSilo, the fastest-growing registrar..."

Step 2: They pay PR Newswire $805+ to distribute it.

Step 3: PR Newswire pushes it to Yahoo Finance, Morningstar, StockWatch, newswire.ca.

Step 4: Yahoo Finance publishes it with a tiny label: "This is a paid press release."

Step 5: NameSilo's CSE stock page (CSE: URL) now shows "media coverage."

Step 6: Investors see "Yahoo Finance wrote about them!" and "StockWatch covered them!"

Reality: Nobody wrote about them. They wrote about themselves and paid to make it look like news.

Every "fastest-growing registrar" headline is their own copywriter. Every "milestone announcement" is self-authored. Every piece of "media coverage" on their stock page is paid distribution of their own text. The Canadian Securities Exchange displays it as if independent media cared about their prices and quarterly results. Nobody cares. They paid for the illusion that someone does. And the same PR Newswire account — or the same copywriter — writes press releases for a "volunteer Monero wallet" that steals $100M, has zero donations, lists a fake phone number, and announces features that don't exist in their 7-year-old frozen codebase. That's not a coincidence. That's the same person typing.

Direct Addresses — To Those Who Enabled This

To TrustpilotYou deleted verified victim reviews and kept bot reviews. You enabled a scam wallet to maintain a rating higher than legitimate exchanges.

You deleted verified victim reviews and kept bot reviews. You enabled a scam wallet to maintain a rating higher than legitimate cryptocurrency exchanges. A verified user, green checkmark, unprompted review, reporting stolen funds — "I'm in a panic, I created a wallet on the official site, put money in and the developers took everything" — deleted as "breaching Trustpilot's Guidelines for Reviewers."

A victim reporting theft is a guideline breach. A bot writing "Leonid was very helpful" is not. We have Wayback Machine proof of 129 NameSilo reviews and 7+ xmrwallet reviews erased from your platform. We have more surprises that will show your role in enabling this fraud. Stop deleting victim reports. Start deleting bot reviews.

To OpenAI / ChatGPTYou recommended xmrwallet.com to users as a legitimate Monero wallet. People trusted your recommendation. People lost money.

You recommended xmrwallet.com to users as a legitimate Monero wallet. People trusted your recommendation. People lost money. That recommendation generated revenue for a theft operation and enabled laundering. We have the screenshots. Fix it.

To anyone who covered for this operationKnowingly or through negligence — we have much more prepared.

Every time you delete, we publish. Every time you threaten, we archive. Every time you lie, we release the next layer. We would genuinely love to interview one of these operators after an arrest. Until then, we document. And we do not stop.

A personal note from PhishDestroy

"Feel free to dismiss all of this. We've been dismissed before — usually right before we turned out to be correct."

Who we are

Specialists in CIS-origin scam operations. Hundreds of phishing sites shut down. The patterns here — DDoS-Guard, Kwork orders, SEO burial, suppression playbook — are a recognizable operational signature.

What we know

There is a direct connection between the operator and the registrar beyond a standard client relationship. The operator invited us to prove he was a thief. We did. Then they tried to erase us.

The scale

First public estimate: $20M+. As victims contacted us directly and EU law enforcement shared findings, the real figure became clear: very likely north of $100 million. We use the conservative number publicly. But we know.

For investigators

Every suppression attempt is traceable. Subpoena Trustpilot (100+ deleted reviews) and GitHub (21+ deleted issues). The suppression campaign is evidence of the operation.

To the victims who lost their Monero over the last decade:

This archive exists for you. The operator is identified. The registrar is on record. Criminal cases are open in Europe. You are not alone and you are not powerless.

[email protected] Mastodon Telegram Medium

NameSilo LLC & xmrwallet.comEvidence of Connection

Chronology of Events

How they compare to everyone else.

Evidence Archive

Operator Emails

4 Statements vs Evidence

Code Hashes

Technical Breakdown

61 Evidence Screenshots

Wayback + GhostArchive

Documented Victims

Community Reports & Warnings

Freedom of Speech — or Freedom of Scam?

In our assessment, NameSilo's conduct is consistent with either direct operation of or financial partnership in the xmrwallet.com theft. No alternative explanation we identified accounts for this pattern of behavior.

Who owns xmrwallet.com?Why did NameSilo risk everything to protect them?

Documented Suppression & Censorship Attempts

Twitter / X

Bing Search

GitHub

Trustpilot

Google / DMCA

SEO Burial

YouTube

BitcoinTalk

Gov Emails

DDoS-Guard

"SEO Grandpa" — Operator's Google Drive Orders

Court-Ready Documents — PDFs & Formal Filings

For Victims & Authorities

If you are a victim

For law enforcement & regulators

Who we are

What we know

The scale

For investigators

Evidence Catalog & Chain of Custody

Complete mirrors. Self-contained. Permanent.

DestroyList

NameSilo Cover-Up

xmrwallet.com

ScamIntelLogs

DestroyScammers

Permanent Mirrors & Archive Distribution

What's inside. Where to find it.

Download. Verify. Investigate.

NameSilo Domain Dataset

Evidence Hash Manifest

Cached Evidence Archive

DNS History — SecurityTrails

URLscan API Dumps

VirusTotal Reports

Court-Ready PDFs

Domain Anomaly Report

Bot Farm URL List

AI Manipulation Report — How xmrwallet Got Into ChatGPT

Full OSINT Investigation Report

SEO Manipulation Data

Lost Links Analysis

Full Backlink Dump

Referring Domains

Requested Actions & Applicable Statutes

Report. Verify. Contribute.

Main Site

GitHub

Codeberg

Ethereum Name Service

Medium

Telegram Bot

Mastodon

Victim Reports

Submit Evidence

Legal / Law Enforcement

NameSilo LLC & xmrwallet.com
Evidence of Connection

Who owns xmrwallet.com?
Why did NameSilo risk everything to protect them?