Why We Do This

The Backstory

How a volunteer anti-phishing initiative ended up building the largest forensic case file against an ICANN registrar. The honest version.

The Real Story
How We Got Here — The Unfiltered Version
~2023 to present. From "someone else will handle this" to building a 61-exhibit case file on IPFS.

"We knew."

We knew about xmrwallet.com since approximately 2023. Not from some dramatic discovery — we do this for a living. We saw the reports, we saw the victims, we understood the mechanism. We tried a few times to shut it down the normal way: file abuse reports, tag the registrar, move on. But this one didn't go down. And honestly — we hoped someone else would deal with it. We're volunteers. Our "budget" is whatever our parents gave us. So we watched, checked in occasionally, learned his playbook. PhishDestroy was already known — the registrar responded to our tweets, the operator knew us from GitHub. You can't ban someone's GitHub issues the way you ban a Reddit post.

Why didn't we do this earlier?

Honestly? Time. This investigation consumed months of full-time work from multiple people. The operator had a bulletproof setup: NameSilo registration paid through 2031, DDoS-Guard hosting in Russia, 50+ PBN domains, professional suppression of every negative mention. Taking him down required more than a standard abuse report.

And we didn't initially know about the NameSilo connection. We thought they were just another lazy registrar ignoring abuse reports. That's depressingly common. It wasn't until they publicly defended the operator that everything changed.

We couldn't go public right away either — they would have deleted us. We needed IPFS, multiple mirrors, evidence archived in ways they couldn't touch. We already knew their method: victim reports on Reddit? Removed. Trustpilot reviews? Deleted — but "Leonid" the 5-star bot stays. Our own site had 108,000 pages indexed in Bing. After we mentioned NameSilo, 100,000+ links were deindexed in a single day. That raises serious questions.

The moment it clicked

In our entire career — 500,000+ phishing takedowns, hundreds of registrars — we had never seen: a scam operator telling us "Feel free to subpoena the registrar", and a registrar responding by offering to remove VirusTotal detections for the scammer. On Twitter. In public. Not NiceNIC. Not the worst bulletproof registrars in Eastern Europe. Not a single one, ever.

Why now?

Three things converged in early 2026: MyMonero shut down (its users needed an alternative — Google now shows the scam), AI started recommending xmrwallet (operator fed purchased articles to training data), and we ran out of patience (we'd cleaned 100+ of his paid articles in 2024-2025, he kept buying more).

The AI poisoning problem — details

The operator had been feeding purchased articles to AI training data. ChatGPT, Grok, Claude — they all started suggesting xmrwallet.com as a legitimate option. I personally contacted OpenAI and got it corrected once. Then the operator bought more articles, and the recommendations came back. With MyMonero gone, AI + web search = a pipeline of fresh victims straight to the scam. Someone had to break it permanently.

The Twitter sacrifice

We chose it. 200K+ tweets, years of work — gone when NameSilo's Gold Checkmark DMCA hit. X's own system found no violation and restored us. We're still locked. X charged us $200 for the privilege. A locked account is better evidence than a live one — every suppression action is another line in our case file.

Why we didn't fight the lock

We could have used our connections to try to restore it. We know people at platforms. We chose not to. A locked account proves that a Gold Checkmark can silence security researchers. It proves that the suppression machinery works even against documented anti-phishing operations. Watching them celebrate the takedown was more useful than fighting it.

Following the behavior, not the money

Monero is untraceable. No Etherscan, no public ledger. That's why this scam survived for a decade. But you don't always need to follow the money — you can follow the behavior: suppression of reviews, 100K+ pages deindexed in a day, identical patterns for two "unrelated" entities, platform bans on researchers (not the scammer), paid reputation manufacturing. The behavior is the evidence.

Open questions: platforms, Trustpilot, X

Were the moderators who deleted victim posts acting independently, or responding to coordinated mass-reports? Were deindexing requests filed through normal channels, or through paid reputation management services? We know these services exist on the open market.

Trustpilot: Why were verified victim reviews mass-deleted, while "Leonid" and his 5-star bot army remain? Someone approved those deletions. Who?

X/Twitter: Our account was locked via Gold Checkmark override after X's own system cleared us. Can a Gold Checkmark subscriber permanently lock a security researcher's account? Is that a feature or a vulnerability?

The SEO Grandpa

We called the operator "SEO Grandpa" (SEO Ded in Russian). He didn't like it. When you buy articles on Kwork for 500 rubles and leave Google Drive documents publicly indexed — you earn the nickname. In his farewell letter, the operator admitted closing xmrwallet.com. We told him in our first email exactly what would happen. It happened. His registrar moved the domain to Namecheap. Whether that helps them — we'll see.

The Russian connection

We specialize in Russian-speaking scam operators. Not by choice — by pattern recognition. The Kwork orders, the Trustpilot manipulation, the PR Newswire tactics, the technical laziness (Windows 98 admin panel on a $133M company). It's a handwriting we recognize.

Did we know about Russian connections inside NameSilo from the start? No. We discovered it during the investigation. The IP patterns, the DMCA filing origins, the SEO strategy — all pointed the same direction. Hi, NiceNIC. You've got some Russian friends now.

What we achieved

  • xmrwallet.com shut itself down
  • Farewell letter cited our investigation
  • Domain moved to Namecheap
  • AI models corrected
  • 100+ paid SEO articles removed
  • All escape domains neutralized
  • 21M decoys poisoned their database
  • Evidence on IPFS — permanent
  • ICANN complaint filed
  • Law enforcement briefed

The scam ran for ~10 years. Estimated $100M+ stolen. And after a decade of community efforts — it took a few volunteers with no budget, running on stubbornness and caffeine, to finally end it.


Independence & Capability

We operate independently. No corporate sponsors, no grants, no financial leverage to exploit. This autonomy allows us to pursue targets that traditional security firms avoid due to liability or conflict of interest. 130,000+ phishing domains neutralized. Years of active operations. We understand scam infrastructure, operator behavior under pressure, platform abuse report processing, and suppression campaign mechanics.

How the investigation was triggered

The operator ("Nathalie Roy") was warned directly: don't lie, don't escalate. She had multiple opportunities to quietly remediate — delete two GitHub issues and walk away. If no victims complained, the matter would have ended there. Instead, she chose to threaten, lie, and involve her registrar. NameSilo then published a tweet containing 4 independently falsifiable statements, publicly defending a VirusTotal-flagged drainer to an audience of 11,000. That tactical error triggered a full-scale forensic operation.

Our objective is in our name: PhishDestroy. NameSilo chose to become part of the phishing operation — by defending it, by publishing false statements, by suppressing evidence. The response is procedural: document the protection, neutralize the scam, refer to law enforcement.

Academic Research — forensic paper on untraceable cryptocurrency theft

One of our researchers is writing a forensic research paper on online fraud criminology. This investigation is the primary case study — investigating theft of untraceable cryptocurrency (Monero) where blockchain analysis is impossible.

When you can't follow the money, you prove the crime through: registrar conduct analysis, suppression fingerprinting, platform log correlation (DMCA/GDPR records, Trustpilot deletion logs), and behavioral timestamps. This investigation is the proof of concept.

Operational Methodology & Counter-Measures

We predicted every action they would take. We deliberately didn't write on Twitter that we know what they do to people like us — because they're so arrogant they didn't realize they weren't suppressing us. They were doing exactly what we wanted.

Parallel tracks, simultaneously:

11-12 formal abuse complaints to NameSilo — not to trap them, but to verify the hypothesis. Every other registrar took action. They ignored all of them.
Database poisoning across all xmrwallet domains — 21M cryptographic decoys injected to protect victims and contaminate operator telemetry.
Traceable suppression decoys deployed across Medium, dev.to, Azure, GitHub, our own domains, and others not yet disclosed. Over 20 links per keyword. Each designed to generate a logged takedown request — a forensic fingerprint.
phishdestroy.io fully deindexed from Bing. When they realized the site would have more than one article about them — they didn't just deindex the articles. They deindexed the entire domain. That was part of the plan too.
Twitter as bait. 200K tweets sacrificed. They locked it via Gold Checkmark. X's own system found no violation. Still locked.

Did we bait them? No. We did what we always do — reported abuse, published findings, documented responses. They chose to suppress. We just knew they would, and we were recording.

Suppression fingerprint strategy — 11-12 abuse complaints, all ignored

We submitted 11-12 formal abuse complaints to NameSilo. If they were truly independent, they would investigate a VirusTotal-flagged site with documented victims. They ignored every single one. Every other registrar we tested took action.

Multi-Platform Distribution

We published on multiple platforms deliberately — Medium, dev.to, our own site — because we needed them to suppress it on each platform separately. Every suppression action is logged. All platform records are available to law enforcement.

Platform-by-platform suppression sequence

[Screenshot: Medium article "NameSilo Lied to Defend a $20M Crypto Scam"]

Medium article — 304 claps, 15 comments, 19 min read.

  1. Published on Medium. Waited for deindexing. Documented.
  2. Published on dev.to. Links + site deindexed from Bing. Documented.
  3. Published 2 articles about NameSilo — so they'd file two separate deindexing requests. Forensic fingerprint.
  4. Twitter as target. Locked via Gold Checkmark. X found no violation. Still locked.
  5. ICANN complaint. Full evidence package. Registrar's response: silence.

Honeytokens & Decoys

They chose to suppress instead of respond. We anticipated it. One of their investors attempted to doxx a researcher, then deleted the tweets. Our goal is in our name: PhishDestroy. We destroy phishing.

The Two-Article Test & bait infrastructure

We published two articles on Medium. Article #1 mentioned only xmrwallet. Article #2 was SEO-targeted at NameSilo. Both were deindexed. Over 20 links per keyword, all suppressed. If they're unrelated — who is cleaning NameSilo's search results?

We wrote it directly in our first email: "You are forcing us to investigate by lying." They didn't believe us. That was their mistake.

Each placement was designed to make them create evidence against themselves. Every takedown request, every DMCA — evidence they manufactured against themselves. A hunter doesn't chase untraceable prey — he sets traps and waits. They walked into every single one.

Infrastructure & Threat Assessment

4+ researchers worked on this. Evidence is on IPFS — immutable, decentralized. The operator emailed us: "I hired a lawyer and a PI." No lawyer appeared. What did appear: DMCA takedowns, DDoS attacks from njal.la, and coordinated Trustpilot manipulation. Every action documented.

Bait infrastructure screenshots & analysis

[Screenshot: dev.to article about the xmrwallet scam]

dev.to publication — cross-posted to create multiple suppression records.

[Screenshot: Google Search Console showing phishdestroy infrastructure]

Google Search Console — every domain here was created to be taken down. And they were.

Every Azure subdomain, every article URL — built specifically so they would be reported and removed. Each request is logged by the platform. When investigators subpoena Google, Bing, Twitter, Trustpilot, and Medium — the pattern across both entities will be identical. Same requester. Same method. Same timeline. That's not two unrelated companies. That's one operation.

Why this is not a normal scam operation

We've investigated hundreds of scam operations. None looked like this.

  • A US ICANN-accredited registrar publicly defended a VirusTotal-flagged drainer
  • The operator showed zero fear of his own registrar — invited us to subpoena them
  • 10 years of continuous operation, same registrar, same infrastructure
  • Professional suppression of all negative content for both entities — everything, everywhere, for a decade

The identical suppression pattern is the fingerprint we set out to capture. That behavioral pattern is the evidence. It's in the platform logs of every company they reported us to.

Database Poisoning & Telemetry Contamination

We injected 21 million cryptographic decoys into every xmrwallet domain (.com, .me, .cc, .biz, .net) to render their stolen datasets operationally useless. If it's a legitimate client-side wallet, our inputs are meaningless. If our inputs matter to them — that proves the theft mechanism exists. The operator added a CAPTCHA after our tool ran for weeks. A legitimate wallet doesn't need a CAPTCHA on seed phrase input. The CAPTCHA is itself evidence.

Technical details: sessions, CAPTCHA, behavioral simulation

Each session simulated realistic user behavior — clicking links, navigating pages, mimicking different user types. Our sessions were designed so the operator could not distinguish our entries from real victims.

The CAPTCHA was a crude quadratic brute-force challenge solvable in ~0.1 seconds with Python. Ledger, Trezor, MyMonero — none have CAPTCHAs on seed input. They were protecting their theft pipeline, not their users. We analyzed and defeated it.

Operational statistics — 21M entries, 306 workers, 149 hours

  • Sessions: 118,585
  • Auth success: 67%
  • Total actions: 2,595,623
  • Avg RPS: 5.4
  • Captcha solved: 167,558 (95%)
  • Avg solve time: 6.2s
  • Active workers: 306
  • Bandwidth: 107 GB

Complete logs total approximately 21 million successful entries across all xmrwallet domains, Feb–Apr 2026. Full dataset available to law enforcement.

Is this an attack? No. Here's why.

We entered data into a public web form. We didn't bypass authentication, exploit vulnerabilities, or access unauthorized systems. We formally notified DDoS-Guard. They never objected. Our script consumed under 50MB RAM at 5.4 RPS — less than 1% of the server's capacity.

The beautiful part: if they keep logs (because they steal), they now have 21 million wallets to scan. Full-chain scan takes 2-5 min per wallet = 700,000 CPU hours. We created absolute computational asymmetry: milliseconds to generate a decoy, thousands of dollars to evaluate it.

Want to accuse us? Request our logs. Explain to a court why a "client-side wallet" logged and processed all 21 million.

The Greed Trap: cryptographic asymmetry — 700,000 CPU hours

Monero seed phrases don't store creation date. Scammers must scan the entire blockchain from 2014 for every seed — 2-5 min per wallet.

21,000,000 decoys × 2 min = 700,000 CPU hours
To process in 1 month = ~1,000 CPU cores at 100%

Milliseconds to generate a decoy. Thousands of dollars to evaluate it. We weaponized their greed.

Our methods: proportional and fully ethical. No proxies, no botnets, no illegal infrastructure. Standard Cloudflare Workers — lightweight, legal, transparent. Simple, legal solutions hold up in court.

There's no middle ground here.

The operator is a criminal. The registrar either didn't know (negligence) or did know (complicity). The evidence points to the latter. This was never a shouting match. This is a case file.

Deliberate mistakes, endgame, and what happens next

Yes, we intentionally left visible AI markers — small errors so they'd feel confident suppressing us. Every confident suppression action is now a timestamped exhibit.

Evidence submitted to ICANN Contractual Compliance and federal law enforcement. If they deny deleting reviews — Wayback captures. If they deny ignoring complaints — delivery receipts. If they deny the connection — PR Newswire timestamps and suppression pattern match.

They removed 30-50+ links across Google, Bing, and multiple platforms — for both entities. The logs exist, the pattern is identical, and it's all subpoenaable.

[Screenshots: Google Search Console; PhishDestroy Medium profile]
They thought they were silencing us. They were building our case.

PhishDestroy Research Team

Volunteer anti-phishing initiative — est. 2019
