We understand that investors have their own aesthetic preferences and that our cyberpunk design may cause mild cardiac distress in people accustomed to quarterly earnings reports in Excel. We also understand that reading 2,000+ lines of evidence from hackers who destroy phishing for fun is not everyone's idea of a pleasant afternoon. So we've prepared special editions — same facts, different packaging. Choose your level of comfort:
Both versions contain the same evidence. The Win98 edition is our tribute to NameSilo's actual admin panel design, which their CEO admitted needs a "complete UX overhaul" after seven years. We think it's perfect as it is.
Independent anti-scam research. A volunteer movement against phishing and online fraud. This archive exists because they tried to erase us — deleted from Bing, locked on Twitter, DMCA'd on GitHub, reported on every platform. So we moved to IPFS via Ethereum Name Service. No server to shut down. No host to pressure. No "report" button to abuse.
What's inside this archive
Every step documented before it happened. We knew the playbook. We were ready.
Every claim is backed by source material. Every screenshot is SHA-256 fingerprinted. Every external link has at least one immutable archive copy.
"N.R." ([email protected]) → [email protected], Feb 16. Defends site, demands removal. Never claims compromise.
NameSilo's Mar 13 tweet: 4 sentences, 4 lies. Each proven false with operator's own emails + code hashes.
SHA-256 before and after "compromise." Code never changed. IP never changed. NameSilo fabricated it.
8 PHP endpoints. session_key = base64(address + viewkey). raw_tx = 0. Server builds its own TX.
16 primary + 19 additional + 26 tweets. Emails, victim reports, DNS maps, VirusTotal, GitHub issues, operator taunts. All SHA-256 fingerprinted. Court-usable.
xmrwallet.com, .cc, .biz, .me archived. NameSilo tweet archived. GitHub repos archived. Independent copies.
These are the 16 core exhibits. An additional 19 screenshots (victims, GitHub issues, DNS maps, VirusTotal) and 26 tweet screenshots are shown below. Total: 61 evidence images in this archive.
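Base64 is an encoding, not encryption, so a `session_key` built as `base64(address + viewkey)` gives the view key to whatever server receives it. The following is an added example, not code from this archive or from the site: it scans a captured form-encoded request body for that pattern, and the 95-character address plus 64-hex view key layout, the `amount` and `memo` parameter names and all sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Assumed layout behind "base64(address + viewkey)": a 95-character standard
# Monero address followed directly by a 64-hex-character view key.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
KEY_MATERIAL = re.compile(
    r"(?P<address>[48][" + _B58 + r"]{94})(?P<viewkey>[0-9a-fA-F]{64})"
)


def _b64_text(value):
    """Return the ASCII text a base64 (standard or URL-safe) value decodes to, else None."""
    candidate = value.strip().replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(candidate, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_key_material(body):
    """Scan a form-encoded request body; one finding per parameter that carries key material."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = _b64_text(value)
        match = KEY_MATERIAL.search(text) if text else None
        if match:
            findings.append({
                "param": name,
                "address": match["address"],
                # Report only the key's length so the audit log is not a second copy of it.
                "viewkey_len": len(match["viewkey"]),
            })
    return findings


# Constructed sample values: syntactically shaped like an address and a view key,
# but not real wallet data.
SAMPLE_ADDRESS = "4" + "9A" * 47   # 95 characters
SAMPLE_VIEWKEY = "0f" * 32         # 64 hex characters
SAMPLE_BODY = urlencode({
    "session_key": base64.b64encode((SAMPLE_ADDRESS + SAMPLE_VIEWKEY).encode()).decode(),
    "amount": "1.5",                                      # hypothetical parameter
    "memo": base64.b64encode(b"hello world").decode(),    # benign base64, must not match
    "raw_tx": "0",
})

if __name__ == "__main__":
    for finding in find_key_material(SAMPLE_BODY):
        print(finding)
```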
"We had received no abuse reports" — the internet disagrees.
NameSilo claims in their March 13, 2026 tweet that they had never received abuse reports about xmrwallet.com prior to our contact. This is verifiably false. Public posts on BitcoinTalk (2021) and Reddit (as early as 2018) explicitly discuss filing reports with NameSilo about this domain. These posts are still indexed. They were not hidden, not encrypted, not on the dark web — they were on the two largest crypto forums on the internet. NameSilo's abuse team would have to be either spectacularly incompetent or deliberately lying. We know which one it is.
For regulators: Is there an authority that can audit a registrar's abuse ticket system? Subpoena NameSilo's internal records. Compare the number of reports they actually received vs. what they claimed publicly. The gap between those numbers is measurable, provable, and potentially criminal. They spent enormous effort scrubbing the internet of evidence against xmrwallet — but they couldn't scrub BitcoinTalk and Reddit.
A note about Monero and the victims you can't identify.
Monero is private. That's the point. It means victims can't trace their stolen funds. But it also means something else: the operator doesn't know who he stole from.
Over 8 years and an estimated $100M+, the xmrwallet operator drained wallets indiscriminately. Every user who deposited Monero and clicked "send" had their transaction hijacked. The operator has no idea who those people were. Some were retail crypto users. Some were investors. Some were researchers. And some — statistically, inevitably — were people you really do not want to steal from.
We are researchers. We publish evidence and move on. But not everyone who lost money on xmrwallet.com will respond by writing a report. The operator should consider this. NameSilo should consider this. You helped protect a thief who stole from people he cannot identify, in amounts he cannot calculate, in a currency he cannot trace. Some of those people will find him anyway. That is not a threat — it is arithmetic.
View full bot analysis — 68+ live bot posts vs ~100+ deleted victim warnings →
Warning tweets about xmrwallet — check which survived:
SEO spam bots from 2018 — all still alive:
We estimate 100–200 tweets total have been deleted across all accounts that ever mentioned xmrwallet.com truthfully — our reports from @Phish_Destroy, independent researchers, victim complaints, security warnings. All gone. Meanwhile, the operator purchased a Kwork service: "social media link blast — Twitter 50 posts, 500 rubles" (~$5 USD). He bought multiple packages. Hundreds of spam bot posts promoting xmrwallet.com from 2018 — every single one still live. Not one removed.
X/Twitter's actions demonstrate a clear double standard: bot spam purchased for 500 rubles on a Russian freelance marketplace remains untouched, while victim reports about a $100M+ theft and researchers with SHA-256 verified evidence get locked. X/Twitter should investigate which employees are processing these reports and why.
And to be clear: X/Twitter stole $200 from us. Subscription payments charged for accounts we cannot access. We submitted 5+ data export requests across 3-4 accounts — all denied or ignored. Those accounts contain approximately 200,000 tweets combined, each of which is potential evidence of someone's crime — a phishing site, a registrar's negligence, a victim's report. X is not just silencing us. X is withholding evidence of mass cybercrime and charging us for the privilege.
But NameSilo also managed to get some of our most inconvenient posts removed. For investigators: this is not a problem — request the deletion logs, verify who filed the reports, check the timestamps. Every removal is traceable. Every moderator action has a paper trail. The posts NameSilo wanted gone the most are exactly the ones that matter.
After everything that happened — after the public exposé with 11K views, after 4 lies debunked with the operator's own emails, after ICANN filing, after law enforcement referral, after 3 other registrars suspending the same domains on the same evidence — the site is still live.
Ask yourself: what legitimate registrar would endure this level of public humiliation and regulatory risk for one client? What company would publicly commit to removing VirusTotal detections for a known drainer? What abuse department would fabricate a "compromise" story that contradicts the operator's own emails?
None — unless they own it or profit from it directly.
NameSilo, LLC (IANA #1479) is either the owner of xmrwallet.com, or a direct financial partner in a $100M+ theft operation. There is no third option that explains their behavior. A client-registrar relationship does not produce this level of protection.
And there is a Russian intelligence trail here.
The infrastructure patterns, the operational security methodology, the CIS-marketplace freelance orders, the DDoS-Guard hosting, the suppression playbook — this is not a solo Canadian "volunteer" running a hobby project. This is an operation with institutional backing. The Russian connection is obvious to anyone who has worked in CIS cybercrime investigation. We have evidence. Investigators will receive it upon request.
A message to every moderator, every trust & safety employee, every platform admin who deleted a victim's post, locked an account, or removed a warning about xmrwallet.com:
We ask you to publicly explain why you did it. What rule was broken? What policy was violated? You deleted the truth. You silenced victims. You aided a $100M+ theft operation. That is not moderation — that is complicity. Every deletion is logged. Every removed review is traceable. Every locked account has a paper trail. Investigators can and will request those records.
To ICANN Contractual Compliance:
We submitted the full case file on March 18, 2026. Every screenshot. Every email. Every hash. Every lie debunked. Every victim documented. Every suppression attempt logged. You have it all. NameSilo, LLC (IANA #1479) — your accredited registrar — is actively protecting a Russian-linked scam operation that stole $100M+. The site is still live. The domain is still active. The operator posted a farewell letter and the site is STILL UP. Are you comfortable with this? Is this what ICANN accreditation means? A registrar can publicly lie, help a scammer remove security detections, use paid platform access to silence researchers — and keep their accreditation? We are waiting for your answer. The victims are waiting. The evidence is public. The world is watching.
A message from a victim — and a question about ICANN accreditation:
One of the victims contacted NameSilo and was told something along the lines of their "ICANN license" protecting them. Let's be absolutely clear about what ICANN accreditation is and what it is not:
ICANN accreditation is a license to register domain names. It is not a license to commit fraud. It is not a license to cover up money laundering. It is not a license to protect scam operators. It is not a shield against criminal prosecution. It is not a supreme court ruling that permits NameSilo to help a thief steal $100 million. It does not grant immunity from law enforcement, civil lawsuits, or regulatory action.
An ICANN-accredited registrar is more accountable, not less. The RAA (Registrar Accreditation Agreement) explicitly requires abuse handling. NameSilo signed this agreement. NameSilo violates it every day that xmrwallet.com remains active.
To victims: do not let anyone tell you that "ICANN accreditation" protects a registrar from consequences. It doesn't. Sue them. File criminal complaints. Report to your national cybercrime unit. Report to the Arizona Attorney General. NameSilo is a US company in Phoenix, AZ. They are subject to US law, regardless of what ICANN accreditation they hold. A driver's license doesn't protect you from a murder charge.
The ICANN Accreditation Theater
Here is something that genuinely baffles us. In every single abuse response, in every reply to every complaint, NameSilo cites their ICANN accreditation. Every time. Like a mantra. Like a prayer. Like a magic spell that makes abuse reports disappear.
"As an ICANN-accredited registrar..." — yes, and? Do you understand how absurd this sounds to anyone who works in this industry? Let us translate this into terms everyone can understand:
ICANN accreditation is a commercial license. You pay a deposit. You fill out paperwork. You agree to follow the RAA (Registrar Accreditation Agreement). That's it. It does not make you a regulator. It does not make you untouchable. It is not a fund that covers the actions of fraudsters you protect. It is not a judicial shield. An SSL certificate on a phishing site doesn't make it legitimate — phishers buy SSL certificates every day, including the expensive EV ones. A Cloudflare account doesn't make you safe — every malware distributor has one. And ICANN accreditation doesn't make you honest — it just means you paid the fee.
And it gets better. NameSilo doesn't just cite ICANN accreditation in abuse responses — they put it in their financial filings. In the Q3 2025 earnings release filed on SEDAR+ (November 28, 2025), the company describes itself as: "As an accredited ICANN registrar, Namesilo is one of the fastest-growing domain registrars in the world." This is in an earnings report. For investors. On a securities filing platform. Instead of disclosing that 81.5% of their "domains under management" are phantom registrations with zero traffic, they lead with ICANN accreditation. It's not just a reflex at this point — it's a securities disclosure strategy. Wrap the phantom numbers in the ICANN badge and hope nobody checks. We checked. Source: Stockwatch.
By the time an ICANN complaint is reviewed, processed, and acted upon, the scam domain has already expired, the money is gone, and the victims have given up. The process is slow by design. Filing an ICANN complaint is like calling the fire department after the building has burned down, been demolished, and turned into a parking lot. This is not a check. This is not oversight. This is theater.
Case in point: Trustname.com (IANA #4318) — an ICANN-accredited registrar. "Fastest growing independent registrar." Our investigation found: Estonian tax filings showing €120 in revenue, one employee, negative equity, and a company deletion notice. Both owners are Belarusian. The registrar openly markets bulletproof hosting, serves scam casinos, 18+ content, illegal pharmacies, and fraud operations. ICANN-accredited. Does that accreditation make them legitimate? Does it protect the victims of the scam casinos they host? Of course not. It just means they filled out the same form NameSilo did.
Maybe we should buy ICANN accreditation too. Then we can write it everywhere:
"Hi, this is PhishDestroy. ACCREDITED BY ICANN, CREDENTIALED BY DOMAIN CCK, PAYMENT PROCESSED BY A REGISTRAR AND A HOSTING PROVIDER."
Sounds impressive, right? Sounds like it means something? It doesn't. And when NameSilo writes it in every response to every abuse report they ignore — it doesn't mean anything either. Except that they think it does. And that delusion is part of the problem.
RAA Section 3.18 — the clause NameSilo pretends doesn't exist.
The Registrar Accreditation Agreement — the document NameSilo signed — includes Section 3.18, which explicitly requires registrars to investigate and respond to abuse reports. Not ignore them. Not delete them. Not fabricate cover stories. Not offer to clean VirusTotal detections for the reported domain. Investigate. Respond. Act. We started citing RAA 3.18 in every single report we file. NameSilo's response? The same ICANN accreditation mantra. They invoke the very authority whose rules they violate — in the same sentence where they violate them. It would be comedy if people weren't losing millions.
Maybe NameSilo has a special ICANN — a private edition, issued by the grandfathers from Lubyanka? A bespoke accreditation where 3.18 reads: "The registrar shall ignore all abuse reports, help the scammer clean his record, and cite this accreditation as justification." Because that's how they behave. They use the ICANN badge the way a corrupt cop uses a police badge — not to enforce the law, but to break it with impunity.
ICANN is not the police. It's the DMV.
ICANN was created in 1998 when the internet was an academic project, not a battlefield. Its mandate is technical stability — making sure .com resolves the same in Tokyo, Berlin, and Moscow. It coordinates the root DNS zone, distributes IP addresses (IANA), and maintains protocol standards. Without ICANN, the internet fragments. That's why it exists. Not to police fraud. Not to protect victims. Not to investigate money laundering.
The RAA is a contract, not a law. Violating RAA 3.18 is breach of contract, not a crime. ICANN's ultimate sanction — revoking accreditation — takes years, creates precedent they fear, and risks thousands of domains in limbo. They won't do it. NameSilo uses a DMV certificate as an alibi in a murder trial. ICANN accreditation doesn't protect you from securities fraud, money laundering, or aiding a $100M theft. The real enforcers are FinCEN, SEC, FBI, and the Arizona Attorney General. ICANN is a decoration.
This is not the first time. Artists Against 419 (2018).
Before xmrwallet, before PhishDestroy, another organization tried. In 2018, Artists Against 419 filed ICANN Compliance complaint UNY-783-11184, accusing NameSilo of being a "bullet-proof registrar" for scammers. Their evidence: reseller QHoster (linked to NameSilo) was responsible for 60% of malicious domains they tracked. NameSilo's response: "We are not a hosting provider" and "We cannot determine the legality of content." ICANN's response: closed the complaint. Reason: the registrar "did not receive the report" or the issues "were outside ICANN's scope."
That was 2018. It's 2026. Nothing changed. The same registrar. The same abuse pattern. The same ICANN non-response. An ICANN Notice of Breach will not fix NameSilo — because abuse is not a bug in their business. Abuse IS the business. You don't send a code-violation notice to a building that was designed to be a front. You send law enforcement.
Why ICANN can't act — and why DOJ won't
Abuse, phishing, scam protection, money laundering, FSB connections — all outside ICANN's mandate. They say so themselves. RAA 3.18 requires "investigating abuse," but ICANN has no investigators, no courts, no power to force-close domains, and no mechanism to verify that a registrar actually investigates. For ICANN, "we received the letter and replied" = compliance. Whether the reply says "we'll remove it" or "dismisses the complaint entirely" — ICANN doesn't read it.
NiceNIC, Trustname, NameSilo — all technically compliant: pay fees? Yes. Submit data escrow? Yes. WHOIS works? Yes (via PrivacyGuardian). Their business model is ignoring abuse. But ICANN can't punish that, because ICANN doesn't evaluate the content of abuse responses. For bullet-proof registrars outside the US, ICANN's only option is revoking accreditation — a process that takes years and leaves thousands of domains in limbo. ICANN fears technical collapse more than it fears fraud.
NameSilo is a special case. It's a US company in Phoenix, Arizona — subject to US law (Arizona AG, FBI, FinCEN, SEC). ICANN shouldn't need to handle this. This is DOJ's job. But DOJ is silent too:
This is not a single abuse incident that ICANN can address with a Notice of Breach. This is a systemic business model built on enabling cybercrime — phishing, crypto drainers, darknet services, and what the financial data strongly suggests is money laundering at scale. ICANN compliance letters don't fix that. Federal prosecution does.
njal.la is NameSilo. Period.
NameSilo's favorite defense: "That's our reseller, njal.la. We have no control." WHOIS says otherwise. Look up any njal.la domain — the WHOIS registrar field reads NameSilo, LLC. Not njal.la. Not some independent entity. NameSilo. Whatever internal partnership or reseller agreement they have is their private business. To the outside world — to ICANN, to law enforcement, to victims, to WHOIS — these are NameSilo domains under NameSilo's accreditation and NameSilo's responsibility.
Njalla is a legitimate privacy-focused registrar founded by Peter Sunde (of Pirate Bay). It serves journalists, activists, and privacy-conscious users. But its privacy features — registrant shielding, no public WHOIS, minimal paper trail — were systematically exploited to register crypto scam domains and drainers under NameSilo's accreditation. When abuse reports arrived, NameSilo pointed to njal.la; njal.la pointed to privacy. The domains stayed up. The money disappeared. The privacy shield became an abuse shield. Their internal arrangements do not override WHOIS data, ICANN rules, or the law. You cannot outsource your ICANN obligations to a privacy reseller and then claim innocence when domains under your accreditation steal $100 million.
How other registrars compare — from someone who scans hundreds of thousands of domains.
We are not theorists. We scan, analyze, and report domains at scale — hundreds of thousands of them. We work with registrars every day. Here is what we see:
WebNic (~800K domains)
Improving. They now have a real abuse handler — an actual human who reads reports and takes action. He doesn't yet realize their IPs are being blocked by Cloudflare (sends screenshots of "site not working" instead of "phishing"), but there is visible progress. A registrar that is trying to get better.
NiceNIC (Russian, not Chinese)
Hopeless. Will only improve when they cease to exist. A registrar whose business model is built on not responding to abuse. But even NiceNIC never publicly defended a scammer on Twitter. Even NiceNIC never offered to clean VirusTotal for a drainer. Even they have limits.
NameSilo (IANA #1479)
Invented its own ICANN. Created its own WHOIS. Plays by its own rules. Uses accreditation as a weapon, not an obligation. Even Russian registrars like Reg.ru stopped doing what NameSilo does around 2021. NameSilo is still doing it in 2026. They are not a rogue registrar. They are a criminal enterprise with an ICANN badge.
We are not ICANN experts. We are not lawyers. But we destroy 500,000+ phishing domains and can see what entire regulatory bodies apparently cannot: a registrar that invents its own laws, hides behind its own resellers, cites its accreditation as a defense while violating its accreditation's core requirements, and launders money through phantom domain registrations.
To U.S. federal and state authorities — particularly the State of Arizona:
NameSilo, LLC is incorporated and operates in Phoenix, Arizona. This is your jurisdiction. A company registered in your state is actively protecting a criminal operation with documented ties to Russian-speaking threat actors — an operation that has stolen an estimated $100 million or more from victims worldwide, including U.S. citizens. The evidence is public. The ICANN filing is on record. The operator is identified. The registrar's public lies are archived and debunked. The suppression campaign against researchers and victims is documented down to individual platform reports.
This is not a gray area. This is not a "business dispute." This is a U.S. company facilitating ongoing international fraud — possibly with connections to Russian intelligence services. The infrastructure patterns, the operational methodology, the CIS-marketplace freelance orders, the DDoS-Guard hosting through Russian-jurisdiction providers — this is a textbook state-adjacent cybercrime operation hiding behind a US registrar.
FBI, DOJ Cyber Division, Arizona Attorney General, FinCEN — the evidence package is ready. Contact us and we will provide everything, including materials not published here.
How long will a US-incorporated company be allowed to run interference for a $100M theft operation? Wake up.
A note specifically for the FBI: A US-registered company in Phoenix, Arizona, protecting a Russian-linked cybercrime operation for a decade, fabricating public statements, suppressing security researchers, assisting in VirusTotal delisting — this is not normal registrar behavior. This is the behavior of an asset. Ask them why. Ask them who. Ask them how much. And ask before the evidence trail goes cold — though we've made sure most of it can't be deleted anymore.
We know that European authorities have requested information from X/Twitter regarding related cases. We also know they reportedly received no response. So let's be clear about what's happening: a US company — NameSilo — operating on US soil, with documented connections to Russian-speaking threat actors and infrastructure patterns consistent with FSB-adjacent operations, is using various methods of influence to erase the truth about itself, remove malware detections from VirusTotal, suppress researchers, and silence victims. And everyone looks the other way?
Is this what the United States stands for in 2026?
And if no regulator in the world can verify how many abuse reports were actually filed and ignored — if a registrar can simply say "we received no complaints" and delete the evidence using DMCA requests paid for with stolen money — then what is the point of regulators? If an Arizona-registered company with Russian-linked operators can steal $100 million, suppress every victim report, buy fake reviews, silence researchers through paid platform access, and face zero consequences — then ICANN accreditation is a rubber stamp and the entire abuse handling framework is theater.
Prove us wrong. Investigate. Verify the number of reports NameSilo actually received. Subpoena their abuse ticket system. Compare it to what they claimed publicly. The gap between those numbers is the measure of their complicity.
Open Challenge
Prove that a single word we published is false —
and we will take everything down ourselves.
One word. One claim. One screenshot. Show us what's wrong.
Across hundreds of pages of evidence, dozens of victim reports, and 61 SHA-256 verified screenshots — not the operator, not NameSilo, not X, not anyone has produced a single factual rebuttal. Not one.
But if everything we say is true — then DO SOMETHING.
They are stealing millions. Right now. Today. The site is live. The domain is active. Victims are losing money while you read this. Act now.
We did not spend months of our lives building this archive, and victims did not lose millions of dollars, so that a Russian-speaking scammer could post one lie on Twitter and then cry that we saved it. NameSilo wrote 4 false sentences from an official corporate account. We archived them. They got upset that the archive exists. Their entire defense is not that it's false — it's that the archive exists at all.
That's not how this works. You said it. We saved it. The world can read it. Deal with it.
NameSilo's response playbook — and our pre-written answers
We've dealt with enough registrars to know exactly what they'll say. Here's the script, and here's why it doesn't work.
🎙 "We are an ICANN-accredited registrar."
Yes. We know. You mentioned it in your abuse responses, your Twitter posts, your Wikipedia page, and your Q3 2025 SEDAR+ financial filing. Trustname.com (IANA #4318) is also ICANN-accredited — with €120 in revenue and a company deletion notice. ICANN accreditation is a commercial license, not a character reference. Next.
🎙 "The domain was compromised."
We have SHA-256 hashes of the site code from before and after the alleged "compromise window." The code never changed. The IP never changed. The operator himself never claimed compromise — he said the site was working normally. You invented this story. We have the receipts.
🎙 "We had received no abuse reports."
20+ from us alone, with delivery receipts. Public posts on BitcoinTalk (2021) and Reddit (2018) explicitly mention filing reports with NameSilo about xmrwallet.com. These posts are still indexed. The real total from all reporters is likely over 100. Would you like us to publish the delivery receipts?
🎙 "Dead domains are normal in our industry."
Correct. 15-21% is the industry baseline across GoDaddy, Hostinger, Tucows, and Network Solutions. You're at 32.2% — 2x the baseline. With a 615% year-over-year spike. And 10,000-17,000/day bulk runs. Namecheap is in the same market at the same price and sits at 32.6%. Explain the gap. We'll wait.
🎙 "njal.la is an independent reseller."
WHOIS says NameSilo, LLC. Not njal.la. Your internal arrangements don't override public registry data, ICANN rules, or the law. If njal.la domains are under your accreditation, they are your responsibility. You cannot outsource accountability.
🎙 "We will pursue legal action."
The operator threatened the same thing in February. It's May. We're on IPFS now. Every claim in this archive is sourced, SHA-256 verified, and backed by your own public statements. Truth is an absolute defense. Sue us — and this archive becomes court exhibit A through Z. Discovery will be fun.
🎙 [Silence]
Also an option. The one they've chosen so far. Every day of silence is another day the evidence sits on a decentralized network, indexed by search engines, archived by researchers, and read by the people who will eventually act. Silence is not a strategy. It's a countdown.
NameSilo & the SEO Grandpa playbook — same tricks:
NameSilo also loves buying reputation. Their Forbes Advisor "review" comes with a disclosure: "We earn a commission from partner links." Sponsored content dressed as editorial. Sound familiar? The operator buys articles on Kwork. NameSilo buys them on Forbes. Same playbook, different budget.
How much does this actually cost? We've researched the purchased-article industry extensively. A placement in Forbes main starts at roughly $50,000. Regional Forbes editions (Forbes Mexico, Forbes India, etc.) are cheaper, and for an additional fee — roughly 2x the base price — the publication will remove the "sponsored" or "partner content" label entirely, making paid content indistinguishable from editorial. NameSilo's article at least still carries a disclosure. The question is: did they pay extra for the main Forbes, or did they settle for the cheaper option with the label? Either way, this is purchased legitimacy at industrial scale — the same industry the xmrwallet operator uses at 500 rubles per article on Kwork. The difference is only the price tag.
And just like the xmrwallet operator deletes negative Trustpilot reviews — NameSilo does the same. Check their Trustpilot page: waves of 5-star reviews from US-based accounts with exactly 1 review each. Classic bot pattern. They delete negative reviews and flood with fake positives. The registrar and the scammer use the same reputation manipulation techniques. Coincidence? At this point — we don't believe in coincidences.
Even Wikipedia noticed: the NameSilo Wikipedia article has a flag on the "Reception and industry coverage" section marking it as promotional content that requires editing for neutral point of view. They can't even keep their Wikipedia page clean of paid PR.
But let's talk about NameSilo itself.
How we stumbled onto this.
We never set out to analyze NameSilo's entire domain portfolio. We work with registrar data constantly — it's part of what we do when tracking phishing infrastructure. We know that a large percentage of domains on the internet are dead. That's normal. People buy domains and forget about them. Companies register names defensively. Speculators sit on inventory. We get it. We never assumed that "dead domain = suspicious."
But when we were scrolling through the NameSilo dataset — 5.18 million rows — something felt off. Not a statistic. Not a number. Just a visual impression. Row after row of gibberish domain names. sdf8k3jx.sbs, x9wqm2.cfd, aaa111bbb.xyz — with no IP, no email, no phone, no Majestic rank. Just... nothing. Thousands of them. Tens of thousands. The sheer density of emptiness was unusual. We've looked at datasets from GoDaddy, Namecheap, Tucows — they all have dead domains, but the ratio of obviously-random-garbage to real-looking names was different at NameSilo. It was visible to the naked eye.
So we decided to count. Not to prove a theory — we didn't have one. Just to see if our gut feeling was backed by numbers. We pulled datasets from 8 registrars, 130 million domains total, applied the same methodology to all of them, and compared.
The gut feeling was correct. NameSilo was 10 percentage points above its closest competitor. The dead domain rate was 2x the industry baseline. And when we dug deeper — the 615% year-over-year spike, the 10,000 domains/day bulk runs, the junk TLD concentration — it stopped looking like neglect and started looking like a pattern. We didn't go looking for money laundering. The data showed it to us.
Suspected Money Laundering Flow
Why are 81.5% of NameSilo domains dead?
DNS scan: 32.2% no IP + 33% parking stubs = 2.82M (54.4%). Full economic analysis (age, MX, content, patterns): 4.22 million dead domains — 81.5% of 5.18M. There are only 3 possible explanations. All of them are damning:
Theory 1: Money Laundering
Stolen funds converted to domain purchases. Registrar gets "revenue." Domains are never used — the transaction IS the purpose. $50.8M/year phantom profit from dead registrations.
Theory 2: Self-Dealing
NameSilo buys domains from itself to inflate revenue. C$65.5M revenue looks great for investors. But 81.5% of domains are dead. Real active-customer revenue is ~C$12M. The stock trades at P/E 143.8x on phantom numbers. Securities fraud.
Theory 3: Front Operation
The registrar was never built for real customers. The Win98 panel, the $15.56 .com price (#96 of 130), the ignored abuse reports — these aren't failures. They're features. The real product is the transaction itself: accept money, register domain, report revenue, never ask questions. A front doesn't need a good UI. It needs a good accountant.
The NameSilo Pyramid — 5.18 Million Domains Deconstructed
What happens when you actually check if anyone uses these domains?
What this means in human terms:
The "dirty ratio" depends on what you compare against:
This is why NameSilo buys phantom domains. When you compare 22,000 malicious domains against 5.18 million total, it's "0.43% — barely anything." But when you strip away the dead weight and compare against domains that actually work, the picture changes completely. The phantom domains are a statistical smokescreen.
Why would anyone choose NameSilo?
A serious question. We looked at every possible reason and tested each one.
Every ICANN-accredited registrar sells the same product — domain names. The TLDs are identical. A .com from NameSilo and a .com from Namecheap point to the same root servers, managed by the same registry (Verisign). There is zero technical difference. So why would a customer choose NameSilo? Let's check every possible reason:
Is it the price?
We checked .com prices across 136 ICANN-accredited registrars using tldes.com (independent price comparison, updated live). Here's where NameSilo actually ranks:
NameSilo's own "vs Other Registrars" page compares their $17.29 against Squarespace ($20), GoDaddy ($23.98), and Name.com ($17.99) — cherry-picked expensive competitors with inflated prices. They conveniently forgot the 95+ that are cheaper. Here's the comparison they didn't want you to see:
95 ICANN-accredited registrars sell .com cheaper than NameSilo. Not 5. Not 20. Ninety-five. Namecheap is 2.2x cheaper. Spaceship is 5.4x cheaper. Cloudflare is 1.5x cheaper. All sell the exact same product — a .com domain from the same Verisign registry. All include free WHOIS privacy. All are ICANN-accredited. So why does NameSilo have 5.8 million domains?
Their own comparison page is deliberately misleading.
On namesilo.com, the "NameSilo vs Other Registrars" comparison shows their $17.29 .com against Squarespace ($20.00), GoDaddy ($23.98), and Name.com ($17.99). But wait — those aren't even the real prices. On tldes.com, GoDaddy is $5.19 (not $23.98) and Name.com is $11.24 (not $17.99). NameSilo used inflated renewal/promo-excluded prices for competitors while showing their own registration price. Both GoDaddy and Name.com are actually cheaper than NameSilo at registration. They didn't just cherry-pick expensive competitors — they inflated the competitors' prices too. And they excluded Spaceship ($2.90), Namecheap ($6.99), Cloudflare ($10.46), Porkbun ($10.08), Dynadot ($8.99), and 100+ other cheaper registrars. This is not a comparison — it's marketing fraud. And they highlight "BULK DISCOUNTS" as a unique feature — because of course they do. Bulk discounts for bulk phantom purchases.
They also advertise "Over 150+ Payment Options Accepted". We counted. Their checkout page lists: Visa, Mastercard, Amex, Discover, JCB, Elo, UnionPay (7 cards), PayPal, Alipay, Venmo (3 web wallets), Bitcoin (1 crypto), and NameSilo Account Funds (1 internal). That's 12 payment methods. Not 150. We looked everywhere — no bank transfers, no wire, no other crypto, no invoice billing. Twelve. They inflated the payment count by 12.5x on their own website. The same way they inflate domain counts, revenue figures, and competitor prices. It's a pattern.
Source: tldes.com/com — independent price comparison, 136 ICANN-accredited registrars, live prices. Also cross-referenced with tld-list.com. Verify yourself — the data is public.
"Cheapest on the Internet" — across 12 TLDs
NameSilo's own claim: "we have the cheapest domain name registration prices on the Internet." Here's every TLD checked.
The Renewal Trap — cheap registration, predatory renewal
NameSilo's "cheap" TLDs are a bait-and-switch: .shop $1.99 → $38.99 (19.6x), .tech $7.99 → $68.99 (8.6x), .xyz $1.79 → $15.79 (8.8x), .info $3.75 → $29.49 (7.9x). Register cheap, renew expensive. But dead domains don't renew — which is exactly the point. If you're buying domains to wash money, you only care about the $0.99 registration price. The $14.95 renewal never happens because the domain expires after 1 year. This is why 98% of dead .buzz domains are 1-year registrations.
NameSilo owns 19.8% of ALL .sbs domains on Earth
374,910 out of 1,895,100 global .sbs registrations are at NameSilo. One registrar holds one-fifth of an entire TLD. For context: NameSilo holds 1.1% of .com. The expected share for a "top 10 registrar" is 2-5% of any TLD. 19.8% in a single junk TLD from their named partner ShortDot is not market success — it's a captive pipeline.
Is it the UX?
Is it the support?
We tested it. We sent the same abuse report (xmrwallet.com) to multiple registrars. Namecheap: responded and acted. WebNic, PDR, Key-Systems: responded and acted. NameSilo: ignored 20+ reports, publicly lied, offered VT delisting for the scammer, used Gold Checkmark to silence researchers. Their "24/7 Customer Service" (investor deck, slide 6) apparently does not extend to abuse victims.
Is it the ICANN accreditation?
Every registrar in this comparison is ICANN-accredited. That's literally the requirement to sell gTLD domains. There are ~2,500 ICANN-accredited registrars worldwide. NameSilo is not special. Trustname.com (IANA #4318) is also accredited — with €120 in revenue. ICANN accreditation is the domain equivalent of having a business license. It means you filled out the form. It does not mean you are trustworthy, affordable, or competent.
Is it the design? The brand? The reputation?
Their Wikipedia page is flagged as promotional. Their Forbes review is paid placement. Their Trustpilot has bot review patterns. Their admin panel looks like it was designed by the same person who orders SEO articles on Kwork for 500 rubles. Their CEO admitted they need a "complete UX overhaul" after seven years. Their Q1 and Q2 2025 press releases are identical copy-paste.
So why does NameSilo have 5.18 million domains?
Not price. Not UX. Not support. Not reputation. Not ICANN (everyone has it). Then what? The only explanation left is that most of these domains are not bought by real customers making rational choices. They are bought in bulk by unknown actors for unknown purposes — or by NameSilo from itself. Either way, the "5.8M active domains" number that drives the stock price is not what investors think it is.
Lying is not just their cover-up strategy. It's their business model.
Let's step back and look at what we've documented. Every single public-facing claim NameSilo makes is inflated, fabricated, or misleading:
This is not a company that lied once to protect a scammer and got caught. Lying is the operating principle. Every metric, every comparison, every public statement is engineered to show a number larger than reality. The xmrwallet cover-up wasn't an anomaly — it was the same reflex applied to an abuse report. Inflate, deny, deflect, cite ICANN accreditation, move on.
And this answers the original question: why does anyone "choose" NameSilo? Real customers making rational decisions don't choose NameSilo. 95 registrars are cheaper for .com. The UI is from 2008. The support ignores abuse. The only "customers" who need NameSilo are those who need: bulk registration with no questions asked, junk TLDs at $0.99, a privacy service that shields 109K malicious domains, and a registrar that will publicly defend you when you get caught. That's not a customer base. That's an arrangement.
The money comes from phantom domains. The phantom domains come from bulk buyers who don't exist as real businesses. The "revenue growth" comes from counting phantoms. The stock price comes from the revenue growth. Everyone in this chain gets paid. Except the investors. And the victims.
The Numbers Don't Lie
NameSilo (suspicious)
• 1.67M no IP at all + 1.15M on parking stubs = 2.82M DNS-dead
• Full economic analysis (age, MX, content, patterns): 4.22M dead
• Combined: ~4.22M out of 5.18M (81.5%) are dead domains
• $50M+ phantom revenue from dead registrations
• 96% no contact email
• 18% junk TLDs (.sbs/.cfd/.xyz)
• 7x spike in dead registrations 2023→2024
• P/E 143.8x (industry: 21x)
• Forbes: PAID review
• Wikipedia: PROMO flagged
• Trustpilot: bot reviews
Namecheap (how a real registrar works)
• 32.6% dead domains (industry baseline)
• Similar pricing, same market, same state (AZ)
• 93.5% no email (lower)
• 54% .com (legitimate TLD mix)
• Steady growth, no spikes
• Responds to every abuse report
• We worked with them directly — showed cloaked scam, they acted
• Modern, clean design
• Significantly larger — 24M+ domains
• No criminal resellers. No FSB connections.
• Organic press, clean Wikipedia, real reviews
• This is what a registrar looks like when it's not a front
NameSilo is 10 percentage points dirtier than its closest peer. This is not a business model difference. This is a red flag.
"But NameSilo is cheaper!" — Is it?
NameSilo's only selling point is price. Their own comparison page shows $17.29 .com against Squarespace and GoDaddy. Let's check the real numbers from tldes.com (independent comparison, 136 registrars):
NameSilo is 2.2x more expensive than Namecheap for .com registration. Not 37 cents cheaper — $8.57 more expensive. Namecheap is #6, NameSilo is #96 out of 130 ICANN-accredited registrars. The only place NameSilo is cheap is junk TLDs (.sbs $0.99, .cfd $0.99) — the exact TLDs from their ShortDot partner that fill the dead domain graveyard. The cheap price isn't for customers. It's for bulk phantom purchasing.
Who owns .sbs and .cfd? Follow the money.
Registry ↔ Registrar — a partnership worth examining.
The junk TLDs filling NameSilo's dead domain graveyard — .sbs, .cfd, .icu, .cyou, .bond, .buzz, .qpon — are all owned by a single company: ShortDot SA, a Luxembourg-registered Société Anonyme (9 Rue Louvigny, L-1946). ShortDot operates 7 TLDs through CentralNic (London) as technical backend.
On its own website (shortdot.bond/about), ShortDot lists its key registrar partners. Out of "over 400 registrar partners", it identifies exactly six by name:
NameSilo is one of six named partners of the company that owns the exact TLDs dominating their phantom domain portfolio. Now look at the timeline:
The economics of this partnership:
NameSilo's ShortDot TLD share vs other registrars:
Why does NameSilo have 55x more ShortDot TLD concentration than GoDaddy? Both are ShortDot partners. Both sell .sbs and .cfd. But only NameSilo has 11% of their entire portfolio in ShortDot extensions. The same extensions that dominate their dead domain graveyard and malicious domain blocklists.
These are not accusations. These are questions that demand answers:
A named partnership. A synchronized timeline. A 55x concentration anomaly. A 615% spike in phantom registrations. If this is a coincidence, it is the most expensive coincidence in the history of domain registration.
Sources: shortdot.bond/about (partner list), IANA .sbs delegation, IANA .cfd delegation, PhishDestroy 130M domain analysis.
And then there's njal.la (Njalla) — a privacy-focused registrar whose domains resolve under NameSilo's ICANN accreditation (check any WHOIS). Their pricing: €15/year for .com, €30/year for junk TLDs (.sbs, .cfd, .cyou, .xyz, .homes — the exact TLDs filling NameSilo's dead domain graveyard). That's 2× to 30× more than what NameSilo charges retail for those same TLDs. Why would anyone pay €30 for a .sbs that costs $0.99 direct? You wouldn't — unless the point isn't the price. The point is the privacy layer. Njalla registers on your behalf, their name on WHOIS, your identity hidden. For legitimate privacy? Maybe. For scam domains that need to survive abuse reports? Perfect. And when the abuse report arrives, NameSilo says "that's njal.la, not us" — while WHOIS says NameSilo, LLC on every single domain.
Namecheap — 24M+ domains
• 2.2x cheaper for .com ($6.99 vs $15.56)
• Modern panel, 2FA, real-time DNS
• Abuse reports: same-day action (we verified)
• Clean Trustpilot, organic Wikipedia
• No dead domain spikes
• No FSB connections
• 4.6x more total domains (~19x more active)
• Lower dead rate (32.6% vs 81.5%)
• Real customer base: ~18.6M active
NameSilo — 5.18M domains
• 2.2x more expensive for .com ($15.56)
• Panel from the Win98 era (see recreation)
• Abuse reports: auto-deleted (100+ ignored)
• Bot Trustpilot, promo Wikipedia
• 615% spike in phantom registrations
• VT delisting service for scammers
• 81.5% dead domains
• 99.65% zero confirmed traffic
• Real customer base: ~958K active
Namecheap is 2.2x cheaper for .com (#6 vs #96), 4.6x bigger, has a modern UX, responds to abuse, and doesn't trade at P/E 143.8x. Adjusted for phantoms, Namecheap's real customer base is ~19x larger. The "NameSilo is cheaper" narrative is not just wrong — it's the opposite of reality. NameSilo is one of the most expensive registrars in the world for .com. Where they ARE cheapest is .sbs at $0.99, .cfd at $0.99 — their ShortDot partner's TLDs that fill the dead domain graveyard.
If NameSilo really is just a discount registrar — where are the customers? Same market, similar pricing, one has 19x more real users. The answer is in the pyramid above: 99.65% of NameSilo's portfolio has zero confirmed traffic. 58 domains in Tranco top 10K. Fifty-eight. The price isn't the product. The phantom domains are the product.
Why would a registrar buy domains from itself?
1. Money laundering. Stolen crypto → Bitcoin → domain purchases at your own registrar. The registrar reports "revenue." The money is clean. Up to $50.8M/year in phantom profit. No questions asked because who audits domain registrations?
2. Ranking inflation. ICANN rankings, industry reports, and press coverage use "domains under management" as the primary metric. More domains = bigger registrar = more trust = more real customers. NameSilo claims "top 10 registrar" status with 6.26M domains. How many are real? If 81.5% are dead, the real active base is ~958K. That's not top 10. That's mid-tier at best.
3. Revenue inflation for stock price. NameSilo Technologies trades at P/E 143.8x. Revenue grew 18.5% in 2025. But how much of that growth is phantom domains? Inflated revenue = inflated stock = real money for insiders selling shares. This is textbook securities fraud if the domain purchases are self-dealing.
4. Diluting the scam ratio. This is the clever part. If 5% of your domains are involved in scam/phishing/fraud, that looks terrible. But if you buy 2 million dead domains from yourself, suddenly scam domains are only 0.5% of your total. "We have 6 million domains and only a tiny fraction are problematic." The dead domains are a smokescreen — statistical noise to make the abuse percentage look smaller than it is.
All four benefits come from the same action: buy domains from yourself. Launder money. Inflate rank. Inflate stock. Dilute the scam ratio. One move, four wins. Who's checking?
A question for NameSilo Technologies investors
CSE: URL · OTC: URLOF · C$1.44 · Market cap: C$133M · Shares: 92.6M · CEO: Paul Andreola
Q3 2025: Revenue C$16.9M (+17.9%) · Net income C$1.15M (+135%) · Cash: C$2.4M · Deferred rev: C$33M
For NameSilo shareholders:
You bought shares in a company with a P/E of 143.8x — 7x the industry average. Do you know that 81.5% of the domains you're paying for are dead or empty? 4.2 million domains that nobody uses. Your company's "6.26 million domains under management" is really about 958,188 active domains. The rest is either phantom registrations or parking page filler. The "18.5% revenue growth" in 2025 — how much of that is real customers, and how much is bulk dead-domain purchases that inflate the top line?
Your company publicly defended a $100M+ theft operation. Your company offered to remove VirusTotal security detections for a known crypto drainer. Your company used paid platform access (X Gold Checkmark) to silence the researchers who exposed it. Your company's CEO signed off on a tweet containing 4 verifiable lies. Is this what you invested in? Did you know? Do you know now?
If the dead domain purchases are self-dealing — which the data strongly suggests — then the revenue figures in NameSilo's financial statements are materially misleading. That's not a registrar problem. That's a securities fraud problem. CSE, OSC, and SEC should be asking questions. Shareholders should be demanding an independent audit of domain registration sources. Who is buying 10,000+ domains per day with no intent to use them? Where is the money coming from? Follow the money.
5. The affiliate excuse. NameSilo will claim their Forbes and other "reviews" are affiliate partnerships — just like the xmrwallet operator claims "donations" fund his operation. Technically, some links in those articles use affiliate tracking. But others link directly — no tracking, no commissions. Someone is buying reviews of themselves without even bothering to earn referral fees. The point isn't the affiliate cut. The point is purchased legitimacy.
Adjusted Financials
Strip the Phantoms — What Is NameSilo Actually Worth?
Take the reported numbers. Remove 81.5% dead domains. See what's left.
Methodology: "Adjusted revenue" = reported revenue × (active domains / total domains). Active = 958,188 (HTTP alive with content). This is conservative — some "alive" domains are still speculative or parked. Net income adjusted proportionally. P/E = market cap / adjusted net income. Revenue/domain increases because real customers pay more than bulk junk TLD buyers.
REPORTED TO INVESTORS: C$65.5M ("Fastest growing registrar")
REAL BUSINESS (PHANTOMS STRIPPED): ~C$12M (a small mid-tier registrar, overvalued 10x)
C$53.5M per year — the gap between reported and real. That's not rounding error. That's not market fluctuation. That's not "different accounting methods." That's either the biggest bulk-buying customer in registrar history who generates zero traffic — or it's fraud. There is no third explanation. CSE, OSC, SEDAR+ — this gap should trigger an independent audit. It hasn't. Yet.
Corporate Structure
Why Canada? Why CSE? Why is the business in Arizona?
The corporate structure is not an accident. It's a feature.
NameSilo Technologies Corp
Canada — holding company
Trades on CSE: URL (Canadian Securities Exchange)
OTC: URLOF
CEO: Paul Andreola
CFO: Natasha Tsai (signs the phantom numbers)
NameSilo LLC
Phoenix, Arizona — actual registrar
ICANN-accredited (IANA #1479)
CEO: Kristaps Ronka (18.5% owner)
Accepts Bitcoin. No KYC. Generates the "revenue."
Why this structure exists:
Al Capone kept his business in one state and his banks in another. Same logic, different century.
Canada's regulatory gaps — by design
Crypto & Registrars
Canada tightened AML for crypto exchanges (FINTRAC, Travel Rule from 2026). But an ICANN registrar accepting Bitcoin for domains is not an MSB (Money Services Business). Buying a domain is a goods transaction, not a financial service. The registrar is not required to run exchange-level KYC or file SARs (Suspicious Activity Reports) per BTC transaction.
Privacy Laws (PIPEDA + Quebec)
In Canada — especially Quebec — personal data protection is stronger than in the US. Until recently, there was no public beneficial ownership registry. You couldn't simply look up who's behind a company. To deanonymize a "private citizen" you need a criminal subpoena, not a civil discovery request or regulatory inquiry.
The Corp + LLC structure is legal — thousands of companies use it. FINTRAC/OSC are real regulators, but their resources are dwarfed by SEC/FBI. The risk appears only when you combine legal corporate structures with phantom operations — which is exactly what the data shows.
"Nathalie Roy" — not a brand for victims. A regulatory shield for the operator.
The xmrwallet operator chose a specific identity construction: a Canadian female volunteer running a non-commercial open-source project. This is not random. It's a regulatory strategy:
In 2014–2019, crypto wallets operated by "private individuals" did not fall under MSB regulations. Canadian/Quebec privacy laws shielded personal identity without corporate transparency. The "volunteer" + "non-commercial" combination provided exemption from AML/KYC obligations. A "donation-based volunteer project" was a regulatory grey zone that FinCEN and FINTRAC did not aggressively cover.
If the operator had registered as "XMRWallet Ltd." or used a male Eastern European name — regulators would have investigated by 2016–2017. A "Canadian female volunteer" was a status that regulators ignored until it was too late. The identity doesn't exist as a business. That's exactly why the scheme worked for 10 years.
"Nathalie Roy" is not a person. It's a legal construct optimized for regulatory evasion.
Integration Phase
Why Sewer Pipes? Why Underwater Cameras? Why Mexican Taxi Ads?
NameSilo's "diversification" makes no business sense — unless you understand the three phases of money laundering.
Phase 3 is the EXIT. You can't sit on $50.8M phantom profit forever. You need to convert paper money into real assets:
And the more random the acquisitions, the better the cover. If they only bought domain companies, the pattern would be obvious. But sewer pipes + underwater robots + Mexican taxi ads? That looks like an eccentric CEO "diversifying." Nobody investigates a sewer pipe company for money laundering connections. That's the point.
Al Capone had laundromats. NameSilo has sewer pipes.
Different century, same logic: push dirty money through a business, buy real assets, look legitimate.
Prosecution Brief
The Case for Money Laundering
Not a theory. Not speculation. A chain of evidence that leads to one conclusion.
STEAL
xmrwallet.com hijacks Monero transactions for 8+ years. Estimated $100M+ stolen. Funds are in XMR — untraceable by design.
CONVERT
XMR → BTC via DEX/mixers/OTC. Untraceable step. Output: Bitcoin in anonymous wallets.
WASH
Buy domains in bulk at NameSilo. NameSilo accepts Bitcoin. No identity verification required. 10,000-17,000 domains/day. Junk TLDs at $0.99 each from their ShortDot partner. No WHOIS contact. No email. No phone. The domains are never activated — the purchase IS the purpose.
REPORT
NameSilo books the purchases as legitimate revenue. C$65.5M/year. "Fastest growing registrar." "6.26M domains under management." Files quarterly earnings on SEDAR+. Stock trades on CSE (URL) and OTC (URLOF). P/E 143.8x. Phantom domains become phantom revenue becomes real stock price.
CASH OUT
Insiders sell shares on a public exchange. Clean money. Kristaps Ronka (18.5% owner, LLC CEO) holds ~17M shares. Paul Andreola (parent company CEO) has board control. The stolen crypto has been transformed into Canadian stock market equity. The laundry is complete.
The Bitcoin On-Ramp
NameSilo accepts Bitcoin as payment. This is not a technical detail — this is the on-ramp. The laundering pipeline is: stolen XMR → BTC (via DEX/mixers) → domain purchases at NameSilo → "revenue." The entire chain from theft to clean money requires zero identity verification. No KYC. No bank. No wire transfer. Just Bitcoin to domains to stock price. They don't even accept Monero — which is strange for a registrar that protects the world's largest Monero theft operation. Or maybe not strange at all: accepting XMR directly would be too obvious. The BTC step is the mixer.
The Math
Someone is spending millions of dollars per year to buy domains they never use, from a registrar that accepts Bitcoin and asks no questions, and nobody knows who they are. This is either the worst investment in internet history or a money laundering operation. There is no third option.
10 Questions for the Investigation
For FBI, FinCEN, Arizona AG, CSE/OSC, ICANN Compliance — and anyone with subpoena power.
Every one of these questions can be answered with a single subpoena.
The only reason they haven't been answered is that nobody has asked.
Updated Analysis
The Money Laundering Machine — How It Actually Works
A car wash that washes 10 cars a day but reports 100. Where does the money for 90 phantom cars come from? NameSilo is the same — except instead of cars, it's domains. 4.2 million phantom "washes" that don't exist.
How the scheme works — step by step
Why this works perfectly:
1. PrivacyGuardian hides the buyer
Every domain registered to pw-{hex}@privacyguardian.org. Impossible to prove the "client" = NameSilo itself. 3M+ PG-protected domains.
2. Domains are the perfect product
Digital, no warehouse, no shipping, no trace. Cheap wholesale, expensive retail. Millions of units — easy to hide thousands of "your own" among real ones.
3. Cheap TLDs = maximum multiplier
.cyou: $0.48 → $14.95 = 31x
.sbs: $0.68 → $14.95 = 22x
.cfd: $0.68 → $14.95 = 22x
.icu: $0.98 → $14.95 = 15x
4. Scale makes it invisible
5.18M domains — who checks each one? Real customers mixed in as cover. 4,260 new dead domains per day in 2025.
The economics of laundering through NameSilo
The dead domains dominate the economics. At estimated retail prices, dead domain registrations represent $77.3M in value (wholesale cost: $26.5M, paper margin: $50.8M). NameSilo's actual reported revenue is C$65.5M (~US$48M) — the gap reflects bulk discounts and junk TLD pricing. Either way, the vast majority of revenue comes from domains nobody uses. The tail wags the dog.
Evidence that this is exactly what's happening
NameSilo is a digital car wash.
4.2 million phantom cars. $50.8 million in phantom profit.
And the only "soap" they use is a $0.68 wholesale domain from their own partner.
Financial Analysis
Follow the Money — Who Pays and For What?
C$65.5M revenue. 5.18M domains. Let's see how much is real.
The Client Problem
If NameSilo's 5.18M domains belong to real customers making real purchases — where are they?
Real customers would have:
• Working websites (only 18.5% respond to HTTP)
• Contact emails (96% have none)
• Business identity (1.06% have org name)
• Measurable traffic (0.35% in top-million)
• Reason to pick NameSilo over 95 cheaper options
NameSilo's "customers" have:
• No website (81.5%)
• No email (96%)
• No business name (98.9%)
• No traffic (99.65%)
• Gibberish domain names on .sbs/.cfd
• Registered 10,000-17,000/day in bulk runs
Who are these "customers"? They have no website. No email. No business. No traffic. They buy domains they never use, on TLDs nobody wants, at a registrar that's more expensive than 95 alternatives. They register in bulk — 10,000-17,000 per day — in patterns consistent with automated purchasing. And they pay with Bitcoin, which requires no identity verification.
These aren't customers. Customers use what they buy. These are transactions. The domain is not the product — the transaction is the product. The purpose of buying 585,000 dead domains per year is not to have 585,000 websites. It's to move money from point A (anonymous crypto wallet) to point B (NameSilo revenue line) and make it look like a legitimate business transaction.
Revenue per real domain — the smoking gun
NameSilo makes $20.34 per active domain. Namecheap makes $9.68. NameSilo generates 2.1x more revenue per real customer than Namecheap — while being a smaller, more expensive (for .com: $15.56 vs $6.99), less popular registrar with worse UX. How? Because the phantom domains aren't free. Someone is paying $8-10M/year for domains that generate zero value. That money inflates the revenue line while the "customer" gets nothing — because the customer doesn't exist, or the customer IS NameSilo.
Baseline Comparison
Domains Born Dead — NameSilo vs Namecheap
Same methodology, same data format. Namecheap (24M domains) as industry baseline. If NameSilo's dead domains were "normal" — the rates would match. They don't.
Namecheap (normal registrar)
Fresh: 26% dead
Mid-life: 38% dead
Mature: 32% dead
LOW → HIGHER → LOWER — normal lifecycle. Domains start alive, some die mid-life from abandoned projects, survivors stabilize.
NameSilo (anomaly)
Fresh: 56% dead
Mid-life: 59% dead
Mature: 46% dead
HIGH → HIGH → HIGH — flat across all ages. Domains are born dead and stay dead. The gap narrows with age only because older cohorts predate the 2024-2025 bulk ramp-up.
This is not "normal dead domain rates." We controlled for it. Even if you accept that every registrar has dead domains — NameSilo has 1.2 million MORE dead domains than you'd expect from a registrar this size. Those 1.2M excess dead domains generate $22M/year in fake revenue. That's not neglect — that's a 23 percentage-point gap above the baseline, concentrated in domains under 2 years old.
The killer stat: NameSilo's dead rate for domains under 30 days old is 59.5%. Namecheap's is 25.4%. At NameSilo, 6 out of 10 domains are dead within their first month of life. These domains were never intended to be websites. They were born dead. They exist only as revenue line items.
New domain registrations per year (all NameSilo)
1.5M new domains in 2025 (4,260/day) — 99%+ have no traffic. Growth correlates with spending on registry fees, not customer acquisition. This is not organic growth. This is a budget increase.
What Do These "Domains" Look Like?
We analyzed 1,669,111 dead domains from the 5.1M dataset. Here's what "customers" are buying:
The registration spike is not gradual growth — it's an explosion:
These are not domain names. These are transaction IDs. 0499777com06xl03.sbs is not a business. 000000004.xyz is not a brand. 1xbet-djjj.buzz is a gambling phishing domain. 378,547 gibberish names. 522,288 bought for exactly one year and abandoned. No real customer buys 02g740c6.sbs for $0.99, uses it for zero days, and lets it expire. This is automated purchasing with no human intent behind it — except the intent to move money.
C$65.5M revenue with 58 domains in the global top 10,000.
Namecheap has 24M domains and thousands in top-10K. GoDaddy has 80M+. NameSilo has 58.
Where is the money coming from? Not from the 58 real websites. Not from the 17,875 with measurable traffic.
$48M/year from a customer base that is 99.65% invisible.
And a final question: a company with C$65.5M revenue and C$133M market cap can't afford to update a UI that looks like Windows 98? Actually — in their Q3 2025 earnings release, NameSilo LLC CEO Kristaps Ronka admitted they "began a complete UX/UI overhaul using seven years of customer learning." Seven years. It took seven years of customers fleeing to Namecheap before someone noticed the panel looks like a GeoCities page from 1998. But here's what they did with the money instead of fixing UX: they acquired SewerVUE Technologies — a company that inspects sewer pipes with radar. A domain registrar that protects $100M theft operations and inspects sewage. You cannot make this up.
And then there's the parking IP problem.
Of the domains that DO have an IP address, 36.7% point to just 10 IP addresses — all parking/stub pages. The top IP alone (Sedo parking: 91.195.240.123) hosts 522,466 NameSilo domains. Another 646,381 domains sit on known parking infrastructure. These aren't websites. These are placeholder pages displaying generic ads.
So: 1,668,355 domains (32.2%) have no IP at all — completely dead. Of the 3.51M that DO resolve, 1,153,281 (33%) point to parking/stub IPs. Combined total: ~2,821,636 domains (54.4%) out of 5,179,405 are not real websites. More than half. And that's just DNS. Our full economic analysis—factoring in age, MX records, content, and registration patterns—puts the real dead rate at 81.5% (4,221,217 domains). Over $50M in phantom revenue.
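An added example (not the authors' tooling) of the DNS-only classification described above: it splits a domain list into no-IP, parking and other resolving domains, reports each rate with its denominator made explicit, and measures how much of the resolving set sits on the top N addresses. The CSV layout, function names, `.test` rows and the second parking address are assumptions constructed for illustration; only 91.195.240.123 comes from the text.

```python
import csv
import io
import ipaddress
from collections import Counter

# 91.195.240.123 is the Sedo parking IP named in the text; 203.0.113.10 is a
# constructed stand-in (documentation range) for a second parking/stub host.
PARKING_IPS = frozenset({"91.195.240.123", "203.0.113.10"})

# Constructed sample export: one row per domain, ip empty when nothing resolved.
SAMPLE_CSV = """domain,ip
a1.test,
a2.test,
a3.test,
a4.test,
a5.test,n/a
a6.test,0.0.0.0
p1.test,91.195.240.123
P1.TEST,91.195.240.123
p2.test,91.195.240.123
p3.test,91.195.240.123
p4.test,91.195.240.123
p5.test,203.0.113.10
s1.test,198.51.100.7
s2.test,198.51.100.7
s3.test,198.51.100.7
s4.test,198.51.100.8
s5.test,198.51.100.9
s6.test,192.0.2.1
s7.test,192.0.2.2
s8.test,192.0.2.3
s9.test,192.0.2.4
"""


def normalise_ip(raw):
    """Return a canonical IP string, or None when there is no usable address."""
    raw = (raw or "").strip()
    if not raw:
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None  # malformed field counted as "no IP" (assumption)
    return None if addr.is_unspecified else str(addr)


def load_rows(text):
    """Parse the CSV into unique (domain, ip_or_None) pairs; first row wins."""
    seen, rows = set(), []
    for rec in csv.DictReader(io.StringIO(text)):
        domain = (rec.get("domain") or "").strip().lower().rstrip(".")
        if not domain or domain in seen:
            continue  # skip blanks and case-insensitive duplicates
        seen.add(domain)
        rows.append((domain, normalise_ip(rec.get("ip"))))
    return rows


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def breakdown(rows, parking_ips=PARKING_IPS, top_n=10):
    """Count no-IP / parking / other domains and state each rate's base."""
    total = len(rows)
    ips = [ip for _, ip in rows if ip is not None]
    resolving = len(ips)
    no_ip = total - resolving
    parking = sum(1 for ip in ips if ip in parking_ips)
    top = Counter(ips).most_common(top_n)
    return {
        "total": total,
        "no_ip": no_ip,
        "resolving": resolving,
        "parking": parking,
        # Base = every domain in the list.
        "pct_no_ip_of_total": pct(no_ip, total),
        # Base = only domains that resolve; not addable to the rate above.
        "pct_parking_of_resolving": pct(parking, resolving),
        # Combined figure, back on the all-domains base.
        "pct_not_real_of_total": pct(no_ip + parking, total),
        # Concentration: share of resolving domains on the top_n addresses.
        "pct_top_n_of_resolving": pct(sum(c for _, c in top), resolving),
        "top_ips": top,
    }


if __name__ == "__main__":
    report = breakdown(load_rows(SAMPLE_CSV), top_n=2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Because the parking rate is measured against resolving domains only, it cannot be summed with the no-IP rate; the combined figure has to be recomputed from counts, which is what `pct_not_real_of_total` does.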
The real active customer base of NameSilo is approximately 958,188 domains — not 5.18M as they claim. Their "top 10 registrar" status is built on phantom registrations. We're not the tax authority. But this is textbook money laundering infrastructure — anonymous buyers, cryptocurrency payments, zero activation, inflated revenue. FinCEN has issued guidance on exactly this pattern. Nobody is following it.
The operator phishes himself. Yes, really.
A note before we continue: many security colleagues wanted to join this investigation. We deliberately refused all help. We saw how the registrar and operator reacted to a simple technical analysis — whining emails, then deletion, then lawyers (never materialized), then suppression. We didn't want to expose anyone else to this. PhishDestroy is nobody. We're nothing. Spending money to destroy us is an unoriginal game, and we've been playing it for a very long time. But every move they make creates more evidence and another line on their criminal resume.
Now — the self-phishing scheme. When we presented our technical analysis, the operator's first response was: "you visited a phishing site." Yes. We know. His site IS the phishing site. But here's the twist: the operator creates phishing copies of his own scam site and then blames victims for visiting "phishing."
The active self-phish right now: xmrwallet.app — check the code yourself. The wallet creation logic and transaction handling are nearly identical to the main xmrwallet.com code. Across 10 years of "phishing" copies — xmrwallet.homes and others — the code structure is the same everywhere. Same processing logic. Same wallet generation. Only difference: the "phishing" copies don't encrypt. Because they're not really phishing copies made by attackers. They're the operator's own mirrors, designed to create plausible deniability: "oh, you must have used a phishing copy, not the real site."
And where were these self-phishing domains hosted? On njal.la — a NameSilo reseller. The same njal.la whose API NameSilo disabled. The same ecosystem. When the "blockchain syncing" excuse got debunked by the official Monero project, these geniuses pivoted to: "it's not us, it's phishing copies targeting us!" Except the phishing copies are hosted on their own partner's infrastructure, use the same code, and connect to the same DDoS-Guard / IQWeb backend.
The Russian-speaking scammer behind this is known in the community — check keplr.at and related domains. Same actor, same methodology, multiple sites. We always do public scans (we noticed they started using URLscan — but for users with a Pro subscription, everything is accessible). Compare the code of xmrwallet.app with xmrwallet.com. Compare the wallet creation flow. Compare the transaction handling. Then tell us again that one is "phishing" and the other is "legitimate."
To be precise: there is exactly one independent actor we identified who made actual phishing copies of xmrwallet — a known Russian-speaking scammer operating primarily on .at domains (keplr.at and similar), who phishes multiple crypto wallets. He created copies of xmrwallet as one of many targets. Every other "phishing copy" of xmrwallet over the past 10 years was created by the operator himself.
Why would a scammer phish his own scam? Two reasons. First: to create a narrative. "Look, people are making phishing copies of our legitimate service — we must be important, we must be real." It's reputation theater. A legitimate wallet gets phished. A scam wallet doesn't — unless the scammer does it himself. The self-phishing copies let the operator claim credibility he never had. Second: to deflect blame. When victims complain that their funds disappeared, the operator points to the "phishing copies" and says: "You must have used a fake site, not ours." The victim blames the phishers. The operator keeps stealing. The registrar nods along. Everyone wins — except the people losing their money.
The xmrwallet.homes, xmrwallet.app, and dozens of other "phishing copies" that the operator conveniently blames — all trace back to the same origin. Same code. Same logic. Same hosting. Same operator playing both sides. The only real phishing actor (keplr.at) simply copied what was already a scam. Everyone else who got blamed for "phishing xmrwallet" was the operator himself, running mirrors of his own theft operation and pretending they were attacks.
Self-phishing through your own reseller network, blaming victims for your own mirror infrastructure, while your registrar helps you clean VirusTotal detections. This isn't a scam anymore. This is an industrial operation.
This is the admin panel of a company that people trust with their businesses. Look at the design. Look at the UI. Does this look like a modern, well-funded technology company? Or does it look like something built by the same person who orders SEO articles on Kwork for 500 rubles?
Now compare it to fd.nic.ru — a Russian registrar. Remarkably similar aesthetic, isn't it? Same era, same design philosophy, same target audience.
NameSilo claims to manage 6.26 million domains. Our analysis of 5.18 million shows 81.5% are dead — 4.22 million domains with no website, no email, no purpose. Bulk domain registration at scale with anonymous Bitcoin payment and zero activation is not a business model — it is a washing machine.
The Forbes Advisor Article — A Case Study in Purchased Legitimacy
Forbes Advisor published a "review" of NameSilo ("Audited & Verified: May 6, 2024"). It contains the affiliate disclosure: "We earn a commission from partner links." The article recommends NameSilo as the "best registrar for low-cost domains." Let's fact-check it against reality:
Forbes also includes this disclaimer: "Information may have changed since publication. Past performance is not indicative of future results." and "Forbes Advisor adheres to strict editorial integrity standards."
"Editorial integrity" that recommends a registrar as "best for low-cost .com" when 95 registrars are cheaper. That says "24/7 support" when the site shows business hours. That compares with a dead competitor. That shows fake screenshots of a panel that doesn't exist. Same playbook as Kwork SEO articles — different budget, same result. A $500 Kwork article and a Forbes Advisor "review" serve the same purpose: purchased legitimacy.
And it doesn't stop at Forbes. NameSilo's "news" on Yahoo Finance carries this label: "This is a paid press release." Every "article" about NameSilo in financial media is purchased. The Forbes review. The Yahoo Finance press releases. The Trustpilot ratings. The Wikipedia page (flagged as promotional). There is no organic positive coverage of NameSilo. It is all bought.
FTC Warning Letter — December 20, 2024
The U.S. Federal Trade Commission sent NameSilo an official warning letter on December 20, 2024, signed by Lois C. Greisman (Associate Director, Bureau of Consumer Protection, Division of Marketing Practices). The letter states:
Think about what this means: a federal agency had to send an official letter to get NameSilo to act on a domain impersonating the FTC itself. Not a random phishing site. Not a crypto drainer. A domain pretending to be the Federal Trade Commission. If even the FTC needs to send formal correspondence to get a phishing domain removed — what chance does a regular victim have? The answer: none. Read the full FTC letter (PDF) →
BBB Complaints — Pattern of Abuse Denial
NameSilo's Better Business Bureau page contains complaints from real victims. A pattern emerges: victims report phishing domains, NameSilo deflects:
Victim complaint (BBB):
"NameSilo did not remove the domain that was proven to be used for phishing and allowed it to continue impersonating our company. Their phishing abuse form does not work. When I tried emailing them, they only had an auto-responder. We filed a complaint with ICANN since their abuse reporting system is essentially non-functional. We are considering filing a lawsuit under ACPA."
NameSilo response (March 18, 2024):
"We cannot confirm phishing — it appears to be SPAM. As a domain name registrar, we do not have any control over the content of emails... It is too easy to spoof domain names for us to investigate complaints."
Translation: "We can't confirm phishing" (we won't look). "We don't control email content" (not our problem). "Too easy to spoof" (we won't investigate). This is the same playbook we documented with xmrwallet — deflect, minimize, refuse. The difference: these aren't our reports. These are real businesses, filing on the BBB, getting the same non-answers. Read all BBB complaints →
Trustpilot — Bot Farms Competing with Bot Farms
NameSilo's Trustpilot rating looks impressive — until you think about it. Their real customer base is ~958K active domains. How many of those customers would voluntarily write a glowing review of a registrar with a Win98 admin panel, $15.56 .com pricing (#96/130), and support that responds to phishing reports with "we can't confirm phishing"?
The pattern is complete:
We tested Trustpilot ourselves. We left a 3-star review for NiceNIC — not even negative, just honest. No profanity, no accusations, just facts. Deleted after one complaint. A verified account. A real review. Gone. Meanwhile, NameSilo's page is full of suspiciously enthusiastic 5-star reviews from accounts with US geolocation — because the geo matters. American reviewers = "look, real American customers buy our domains" (not "we launder stolen crypto by buying domains from ourselves"). The reviews serve the same purpose as the phantom domains: creating the appearance of a legitimate American customer base that does not exist.
Example: "Patty Johnson" (Trustpilot profile) — US-based, 2 reviews total. One 5-star review for NameSilo (Jan 2026): "Leonid was very helpful... 5 stars!" The other review? For Otrium — a company with reviews alleging fraud and stolen money. One bot account writing for two different scam-adjacent businesses. And the reviews share a pattern: they name specific support agents ("Leonid"), praise response time, and read like templated customer service surveys — not like someone who just bought a $10 domain. Real domain buyers review prices and panel UX. Bot reviews praise "Leonid."
TRUSTPILOT DATA ANALYSIS — 2,280 NameSilo vs 2,480 Namecheap reviews
We understand the support obsession, by the way. Have you seen their admin panel? (we recreated it). With that interface, we'd need support too — or an ambulance. Half the functions don't work, the UI was last updated when Clinton was president, and the CEO himself admitted it needs a "complete UX overhaul" after seven years of promises. So yes: if you somehow became a NameSilo customer, you would indeed contact support. Constantly. Because nothing works without it.
But here's the tell: real frustrated users write about how terrible the interface is. That's what the 1-star reviews say — broken DNS, locked accounts, suspended domains, phishing reports ignored. Real pain, real detail, 265 characters average. The 5-star reviews? "Great support! Leonid helped. 5 stars." — 84 characters median. Real users complain about the product. Fake users praise the people.
And about those people — Leonid appeared from nowhere on April 13, 2025. Zero mentions before. Then 65 reviews in his first two months. That's not a popular support agent. That's a KPI. The timing coincides exactly with our investigation going public. The pattern is clear: investigation starts → negative coverage appears → bot farm activates → "Leonid was amazing!" fills the page. May 2025: 106 reviews (5x normal), 95% five-star, zero one-star. Not one unhappy customer in 106 reviews. For a registrar ranked #96 in .com pricing with a panel from 1998.
Independent AI Forensic Analysis — 2,480 vs 2,480 reviews
We scraped 2,480 NameSilo and 2,480 Namecheap Trustpilot reviews and submitted them to an independent Claude API analysis, anonymized as "Company A" and "Company B." The AI had no knowledge of which company was which. Its conclusions:
From the AI report: "Company A exhibits extensive, multi-dimensional evidence of systematic review manipulation through coordinated artificial generation. The probability of these patterns occurring organically approaches zero."
Everything is self-referential. The domains inflate the revenue. The revenue funds the articles. The articles build the Trustpilot. The Trustpilot convinces investors. The investors fund the stock price. The stock price justifies the acquisitions. The acquisitions launder the money. And 81.5% of it is built on domains that nobody uses, reviews that nobody wrote, and articles that nobody commissioned organically. It's turtles all the way down — and every turtle is NameSilo.
Domain Registration Anomaly Report — 130M+ domains analyzed
We analyzed 5.1 million NameSilo domains against 7 other registrars (130M+ total). 32.2% of NameSilo domains are dead — never activated, no IP, no email, no web presence. Industry baseline: 15-21%. That's $12 million spent on domains that were never used. Dead registrations spiked 7x between 2023 and 2024. Bulk registration runs of 10,000-17,000 domains/day throughout 2025. Disproportionate use of junk TLDs (.sbs, .cfd, .xyz). 96% of domains have no contact email. Consistent with money laundering, self-dealing, or systematic revenue inflation.
For context: NameSilo Technologies Corp. (CSE: URL, OTC: URLOF) has a market cap of C$133M (~US$98M), revenue of C$65.5M, and a net margin of 1.7%. They trade at P/E 143.8x vs industry average 21x. A company valued at C$133M is protecting a $100M+ theft operation. The math doesn't add up — unless the theft operation IS part of the business model.
Corporate structure — public record:
NameSilo Technologies Corp. — parent company. Incorporated in British Columbia, Canada. Listed on the Canadian Securities Exchange (CSE: URL). Also trades OTC in the US as URLOF. Subject to Canadian securities regulation (BCSC).
NameSilo, LLC — operating subsidiary. Registered in Phoenix, Arizona, USA. ICANN-accredited registrar, IANA ID #1479. Subject to US law, ICANN RAA, and Arizona state jurisdiction.
This means two regulatory jurisdictions have authority: Canadian securities regulators (BCSC/OSC) over the parent company and its stock, and US authorities (FBI, DOJ, Arizona AG, FinCEN) over the operating entity. Neither has acted.
PrivacyGuardian.org — NameSilo's built-in scam shield
PhishDestroy scan of NameSilo's WHOIS privacy service — April 2026
PrivacyGuardian.org is not a third-party service. It is owned and operated by NameSilo. Every domain that uses PrivacyGuardian has its registrant email replaced with a pw-{hex}@privacyguardian.org address — making the real owner invisible to abuse reporters, law enforcement, and victims. Privacy is legitimate. Using your own privacy service to shield 109,000+ malicious domains from identification is not privacy — it's infrastructure for fraud.
How we got these numbers: We extracted 4,974,265 candidate domains from the NameSilo customer dataset by matching PrivacyGuardian.org WHOIS markers. We then validated each domain via RDAP against rdap.namesilo.com. Of those validated, 109,195 were HARD confirmed as PrivacyGuardian-protected. We cross-referenced the full list against Spamhaus DBL, SURBL, PhishTank, PhishingArmy, CERT-PL, AlienVault OTX, Hagezi, uBlock, AdGuard, ThreatFox, and our own internal blocklist of 130K+ domains.
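The confirmation and cross-reference step described above, as an added sketch that is not PhishDestroy's own tooling: it reads RDAP domain responses (RFC 9083 JSON with jCard contacts), treats a domain as confirmed when its registrant email matches the pw-{hex}@privacyguardian.org pattern, and lists which blocklists name it. The sample RDAP records, the .example domains and the blocklist entries are constructed; the "registrant email matches" rule is an assumption about what "HARD confirmed" means.

```python
import re

# Pattern stated on the page: pw-{hex}@privacyguardian.org
PG_EMAIL = re.compile(r"^pw-[0-9a-f]+@privacyguardian\.org$", re.IGNORECASE)


def vcard_emails(entity):
    """Yield every email value in one RDAP entity's jCard (RFC 7095)."""
    vcard = entity.get("vcardArray")
    if not (isinstance(vcard, list) and len(vcard) == 2):
        return
    for prop in vcard[1]:
        # A jCard property is [name, parameters, value-type, value]
        if len(prop) >= 4 and prop[0] == "email" and isinstance(prop[3], str):
            yield prop[3].strip()


def registrant_emails(rdap):
    """Collect emails of entities holding the 'registrant' role, including nested ones."""
    found = []
    stack = list(rdap.get("entities", []))
    while stack:
        ent = stack.pop()
        if "registrant" in ent.get("roles", []):
            found.extend(vcard_emails(ent))
        stack.extend(ent.get("entities", []))
    return found


def is_privacyguardian(rdap):
    """True when any registrant email is a PrivacyGuardian proxy address."""
    return any(PG_EMAIL.match(e) for e in registrant_emails(rdap))


def cross_reference(rdap_records, blocklists):
    """Map each PG-confirmed, blocklisted domain to the sorted list names that carry it."""
    hits = {}
    for rec in rdap_records:
        domain = rec.get("ldhName", "").lower().rstrip(".")
        if not domain or not is_privacyguardian(rec):
            continue
        sources = sorted(name for name, entries in blocklists.items() if domain in entries)
        if sources:
            hits[domain] = sources
    return hits


def _entity(role, email):
    """Build a minimal RDAP entity for the constructed sample below."""
    return {"objectClassName": "entity", "roles": [role],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["email", {}, "text", email]]]}


# Constructed RDAP responses (not real domains, not real proxy addresses).
SAMPLE_RDAP = [
    {"objectClassName": "domain", "ldhName": "WALLET-LOGIN.EXAMPLE",
     "entities": [_entity("registrant", "pw-0a1b2c3d4e5f@privacyguardian.org")]},
    {"objectClassName": "domain", "ldhName": "quiet-blog.example",
     "entities": [_entity("registrant", "pw-ffee0011@privacyguardian.org")]},
    # Registrant is not behind the proxy; only the technical contact is.
    {"objectClassName": "domain", "ldhName": "other-shop.example",
     "entities": [_entity("registrant", "owner@other-shop.example"),
                  _entity("technical", "pw-12345678@privacyguardian.org")]},
]

# Constructed blocklist contents, keyed by two of the sources named on the page.
BLOCKLISTS = {
    "Spamhaus DBL": {"wallet-login.example", "other-shop.example"},
    "PhishTank": {"wallet-login.example"},
}

if __name__ == "__main__":
    for domain, sources in cross_reference(SAMPLE_RDAP, BLOCKLISTS).items():
        print(domain, "->", ", ".join(sources))
```

Only the first sample domain is reported: the second is privacy-protected but on no list, and the third is listed but its registrant is not behind the proxy.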
Top blocklist sources
What these domains do
Top TLDs (malicious PG domains)
Same junk TLD profile as the dead domain analysis. .sbs, .cfd, .xyz, .top — the same abuse-prone TLDs dominate both datasets.
Top targeted brands
Ledger, Coinbase, OKX, Ethereum — real financial brands being impersonated through NameSilo's own privacy service.
Hosting geography (malicious PG domains)
VirusTotal breakdown
The bottom line: NameSilo operates its own WHOIS privacy service. That service shields 109,000+ confirmed malicious domains from identification. These domains impersonate Coinbase, Ledger, OKX, Ethereum, Google, and dozens of other brands. They run Angel Drainer, Solana Drainer, and wallet-connect phishing at industrial scale. 77,522 of them are flagged by Spamhaus. And NameSilo — the ICANN-accredited registrar that operates PrivacyGuardian — tells every abuse reporter: "As an ICANN-accredited registrar..."
This is not negligence. This is a business model. The privacy service exists to make abuse reporting harder. The junk TLDs exist because they're cheap and disposable. The dead domains exist to inflate revenue. And the ICANN accreditation exists to wave at anyone who asks questions. 109,000 malicious domains protected by your own service, NameSilo. How many more do you need before someone calls this what it is?
[email protected] — we share what we know with any victim, investigator, or prosecutor.
Drive owner: [email protected] (last modified Oct 2023)
Exhibit — Operator's Farewell Letter
The operator ran. The site is still live. NameSilo still hasn't suspended the domain.
On May 5, 2026, the xmrwallet operator posted a farewell letter on the site and GitHub repository — announcing complete closure. He signed it "The Creator of xmrwallet.com" without using his real name. This letter is direct evidence: it proves the operator was aware of the investigation, it contains verifiable lies about the theft mechanism, and it confirms the site was operated by a single individual from 2018 to 2026. We saved a copy immediately. As of today, the domain xmrwallet.com is still active and NameSilo still has not suspended it.
Lie #1 — "View key cannot give access to spend your funds"
"A view key does not, and cannot, give the service access to spend your funds."
Reality: The theft mechanism does not use the view key to spend. It uses session_key exfiltration — the wallet address and private view key are base64-encoded into a session identifier, sent to the server, where the server constructs its own transaction using 8 PHP endpoints. The operator knows this because he wrote the code. He is deliberately misdirecting victims toward a view-key debate while the actual exploit is server-side transaction hijacking. This is consciousness of guilt.
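A check an analyst can run over captured request bodies to see whether a web wallet sends key material to its server, added here as an example and not taken from the site's code or the investigation's tooling. It decodes every form parameter and flags any value that contains a Monero address followed by a 64-hex-character key; the plain-concatenation layout, the `action` parameter and the sample address and key are constructed assumptions, and only the `session_key` name comes from the page.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode

# Standard Monero address shape: 95 base58 characters starting with 4 or 8.
XMR_ADDRESS = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")
HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")


def find_key_material(text):
    """Return (address, key_hex) when an address is directly followed by a 64-hex key."""
    for m in XMR_ADDRESS.finditer(text):
        # Allow an optional separator between the two fields.
        tail = text[m.end():].lstrip(" :|,;&=\t\r\n")
        key = HEX_KEY.match(tail)
        if key:
            return m.group(0), key.group(0)
    return None


def decodings(value):
    """Yield the raw value plus its base64 and URL-safe base64 decodings, when they are ASCII."""
    yield value
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("ascii")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue


def scan_request_body(body):
    """Scan a form-encoded request body; return one finding per leaking parameter."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for text in decodings(value):
            hit = find_key_material(text)
            if hit:
                findings.append({
                    "param": name,
                    "address": hit[0],
                    # Record only a prefix so the report does not copy the secret.
                    "key_prefix": hit[1][:8],
                })
                break
    return findings


# Constructed sample values: the address has the right shape but is not a real wallet.
SAMPLE_ADDRESS = "4" + "A" * 94
SAMPLE_VIEW_KEY = "0123456789abcdef" * 4

LEAKY_BODY = urlencode({
    "action": "login",  # hypothetical parameter
    "session_key": base64.b64encode((SAMPLE_ADDRESS + SAMPLE_VIEW_KEY).encode()).decode(),
})
BENIGN_BODY = urlencode({
    "action": "login",
    "session_key": base64.b64encode(b"opaque-server-token").decode(),
})

if __name__ == "__main__":
    print(scan_request_body(LEAKY_BODY))
    print(scan_request_body(BENIGN_BODY))
```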
Lie #2 — "Unfunded" and "cannot afford server costs"
"This project is unfunded and maintained in my spare time, I simply cannot afford the server costs."
Reality: The operator stole an estimated $100M+ in Monero over 8 years. Server hosting on DDoS-Guard costs ~$550/month. He pre-paid 5-10 year domain registrations across 6+ registrars. He purchased 50+ SEO articles, social media spam packages, and maintained multiple mirror domains simultaneously. The "unfunded volunteer" narrative is for victims who don't read the technical evidence.
Admission — "The person who attacked us"
"We have recently been the target of sustained attacks... The person who attacked us did so under the accusation that our service requires a view key."
What this confirms: The operator acknowledges PhishDestroy's investigation forced the closure. He frames security research as "attacks." He does not deny any specific finding. He does not produce counter-evidence. He redirects to the view-key strawman. An innocent operator would publish the server logs proving no theft occurred. He didn't.
Evidence value — "Thank you to everyone who sent donations"
"A special and sincere thank you to everyone who sent donations throughout the years. Your immense generosity is what kept the servers running."
For investigators: The operator claims donations funded the servers. This is falsifiable. Subpoena the donation address transaction history. Compare total received donations vs. total funds that "disappeared" from user wallets. The gap between those numbers is the theft volume. The operator just told you where to look.
Captured from xmrwallet.com on May 5, 2026. The letter was published as the site's index page. We archived the complete HTML including all CSS, scripts, and metadata. The operator signed as "The Creator of xmrwallet.com" — not as "Nathalie Roy", not by any name. But the email headers from February say N.R. And the WHOIS records say the rest.
Why did he "leave"? Not guilt. Evidence destruction.
The operator — who registered under the name "Nathalie Roy" (a woman's name; the actual operator is male and elderly, nicknamed "SEO Grandpa" by us for his love of buying spam links and junk articles on Kwork for 500 rubles a pop) — did not shut down out of remorse. He redirected the xmrwallet.com domain to GitHub Pages, where the farewell letter is now hosted. This is not a shutdown. This is a calculated move to:
1. Erase URLscan evidence. When the domain points to GitHub Pages, previous URLscan scans of the malicious site become stale. New scans show a benign GitHub-hosted page. The forensic record of what the site actually did — the 8 PHP endpoints, the session_key exfiltration, the server-side TX hijacking — gets buried under clean scans of a static farewell letter.
2. Automatically reduce VirusTotal detections. When security vendors re-scan xmrwallet.com and see a GitHub Pages site instead of a malware-laden wallet, they remove their detections. The operator has been filing regular VT appeals and re-scan requests — we observed this pattern. Each re-scan with the domain pointing to GitHub lowers the detection count. This is exactly what NameSilo promised to help with: "working with the registrant to remove the website from VT reports." They found a way.
3. NameSilo got nervous. The ICANN filing, the law enforcement referral, the public exposure with 11K views — and then US authorities apparently started asking questions. The farewell letter appeared shortly after. Coincidence? The operator didn't suddenly develop a conscience after 8 years and $100M. Someone told him to cool down. Someone with a vested interest in making the problem go away quietly.
4. The DNS history confirms this was deliberate — and clumsy. The domain xmrwallet.com was never pointed to GitHub before this. For years it resolved to DDoS-Guard/IQWeb infrastructure — the real scam backend. The redirect to GitHub Pages was recent, intentional, and it took the operator 3 attempts to get the DNS configuration right. A "developer" who built a "sophisticated open-source wallet" needed three tries to set up a GitHub Pages CNAME. This level of technical skill is consistent with: the NameSilo admin panel design, the Kwork article ordering, and everything else about this operation. These are not sophisticated actors. They are persistent ones.
The "farewell" is not an exit. It's a cleanup operation. The domain is still registered. The DNS is still active. The operator is still out there. And the evidence destruction is ongoing — every day the domain points to GitHub, another security vendor removes their detection. This is why we archived everything before they could erase it.
Exhibit — Suppressed Social Media Evidence
@Phish_Destroy — 26 tweets that got us silenced
Every tweet posted by @Phish_Destroy was screenshotted and archived before the account was locked via X Gold Checkmark corporate support. These 26 screenshots are the complete record of our public communication about xmrwallet and NameSilo. X/Twitter deleted the originals. We kept the receipts.
For investigators: Request X/Twitter's deletion logs for @Phish_Destroy. Compare what was removed vs. what survived. Cross-reference with the timestamps in these screenshots. Every moderator action has a paper trail. The reports that triggered the lock were filed by NameSilo or the operator — request the reporter identity.
Click any screenshot to view full size. All 26 images are part of the IPFS archive. Original posts were deleted from X/Twitter after Gold Checkmark corporate intervention — these are the only surviving copies outside of X's own servers.
Exhibit — xmrwallet Victim & Technical Evidence
Additional Evidence Screenshots
Victim theft reports, deleted GitHub issues, DNS infrastructure maps, VirusTotal detections, and the operator's CIS-origin indicators. All SHA-256 verified in ALL_EVIDENCE_HASHES.txt.
The operator's entire strategy depends on victims giving up after being silenced. This section is for those who refuse.
We know it feels hopeless. Monero is private. Your money seems gone. They deleted your reviews, your posts, your warnings. They want you to believe there's nothing you can do. That's not true.
The operator's power was making victims disappear. This archive makes that impossible.
"Feel free to dismiss all of this. We've been dismissed before — usually right before we turned out to be correct."
Specialists in CIS-origin scam operations. Hundreds of phishing sites shut down. The patterns here — DDoS-Guard, Kwork orders, SEO burial, suppression playbook — are a recognizable operational signature.
There is a direct connection between the operator and the registrar beyond a standard client relationship. The operator invited us to prove he was a thief. We did. Then they tried to erase us.
Initial estimate: $20M. Actual figure: very likely north of $100 million. We use the conservative number publicly. But we know.
Every suppression attempt is traceable. Subpoena Trustpilot (100+ deleted reviews) and GitHub (21+ deleted issues). The suppression campaign is evidence of the operation.
To the victims who lost their Monero over the last decade:
This archive exists for you. The operator is identified. The registrar is on record. Criminal cases are open in Europe. You are not alone and you are not powerless.
Every repository, every page, every screenshot. GitHub goes down, domains get seized, accounts get locked — it's all still here.
Real-time phishing & scam domain blocklist. 130,000+ curated threats. Plain text, hosts, AdBlock Plus, dnsmasq. Threat intelligence API. All raw data included.
The registrar's tweet, operator emails, X Support contradictions, SHA-256 verified screenshots, full technical breakdown. Filed with ICANN and law enforcement.
Private key theft, server-side TX hijacking, 8 PHP endpoints, Google Analytics tracking. Deleted GitHub Issues #35 & #36 — cached copies included.
Scam operator infrastructure analysis. Phishing kits, panel configs, affiliate networks, crypto drainer source code. Raw intelligence.
Full directory of this IPFS archive. Every page, every document, every piece of evidence — linked and described.
Machine-readable datasets for investigators, journalists, and forensic analysts. Every file is SHA-256 verified. Download everything — check our work.
Complete NameSilo registrar dump: domain URL, registration/expiry dates, Majestic rank, contact email, phone, IP address, geolocation. The dataset behind the anomaly report.
Download CSV.GZ ↓
SHA-256 hashes for all 61 evidence screenshots (16 primary + 19 additional + 26 tweets). Generated at capture time — any mismatch = tampering.
Download Hashes ↓
Complete mirror of external evidence: Reddit threads, Wayback Machine snapshots, VirusTotal reports, URLscan results, Trustpilot reviews, SecurityTrails DNS history. Saved before deletion pressure.
SHA256SUMS ↓
Complete A/NS/MX/TXT/CNAME history, RDAP live status, subdomains, associated domains. Proves: Namecheap(2014) → DigitalOcean(2018) → Cloudflare(2021) → DDoS-Guard(2024) → GitHub Pages(2026).
Browse JSONs ↓
Scan results for xmrwallet.com and .app. Transaction logs, DOM snapshots, link analysis. API JSON with full HTTP headers, certificates, and resource hashes.
Browse Scans ↓
Detection, details, relations, community tabs for every xmrwallet domain (.com, .app, .cc, .biz, .me, .net, .homes) plus njal.la and associated IPs.
Browse VT ↓
ICANN complaint, evidence report, victim advisory, deleted evidence timeline. Formatted for legal proceedings.
Browse PDFs ↓
8-registrar comparison: dead domain rates, TLD profiles, IP concentration, cost analysis. NameSilo at 32.2% dead vs 15-21% baseline. $50M+ phantom revenue from dead registrations.
Read Report ↓
Complete list of Twitter/X bot posts promoting xmrwallet. Three waves: 2018 Kwork batch, 2023 Google Drive match, 2025-2026 still active. All live, none removed.
Download URLs ↓
sha256sum -c SHA256SUMS.txt — run this on any downloaded directory. Every file's integrity is independently verifiable. If a hash doesn't match, the file was tampered with after publication. Open an issue or contact [email protected].
The operator kept victims silent for a decade. Then he tried it on us. We documented it all before it happened.
Gold Checkmark corporate support used to lock @Phish_Destroy. X reviewed: "no violation." Still locked.
All phishdestroy.io results removed from Bing. Complete erasure from Microsoft search.
False DMCA takedowns against repos. Operator deleted Issues #35 & #36 with victim reports.
100+ victim reviews removed through automated moderation abuse.
DMCA requests against Google search results, domains, hosting. Anything reportable gets reported.
50+ paid articles via Kwork, Freelancehunt, intermediaries. Orders indexed on Google Drive.
Technical analysis videos reported and removed. Researchers demonstrating the theft silenced.
Coordinated reporting against warning threads. Community discussion suppressed.
Government email addresses used to file fraudulent abuse reports on platforms.
"Open source" wallet on bulletproof hosting. GitHub code ≠ production code. Anti-analysis infrastructure.
Every platform with a "report" button has been weaponized. Every search engine accepting DMCA requests has been abused. Every freelance marketplace used to buy burial. This is a decade-long strategy — not an accident. The operator and NameSilo are on the same side. The case file is with ICANN Contractual Compliance and federal law enforcement.
Every file is SHA-256 fingerprinted at capture time. Any byte changed = hash mismatch = tampering detected. This is a court-grade evidence chain.
61 Evidence Images — Complete Breakdown
16 Primary Screenshots
Operator emails, NameSilo tweet (4 lies), @Phish_Destroy rebuttals, X Support "no violation", GhostArchive copies, VT delisting evidence. All in evidence/
11 Additional Screenshots
Victim reports (BitcoinTalk, bits.media), deleted GitHub Issues #13/#15/#35, DNS infrastructure maps, VirusTotal, Trustpilot, operator taunts. All in screenshots/
26 Tweet Screenshots
Complete @Phish_Destroy archive. Every tweet captured before Gold Checkmark lock. The posts X/Twitter tried to erase. All in tweets/
How to verify integrity
Download any file from this archive. Run sha256sum <filename> and compare the output against the hash shown here or in ALL_EVIDENCE_HASHES.txt. If any hash doesn't match, the file was tampered with after publication. All hashes were generated at the time of capture — before any party could modify the originals. Report any mismatch to [email protected].
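The verification step above, as an added example that is not part of the archive: it checks a downloaded directory against a hash manifest and, beyond matching hashes, reports files that are missing and files that are present but not listed. It assumes the manifest uses the sha256sum output format and takes the name SHA256SUMS.txt from the command quoted on this page; the report keys are this example's own.

```python
import hashlib
import os
import re

# One sha256sum line: 64 hex chars, a space, a mode marker (space or *), then the path.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Return {relative path: lowercase hex digest} from sha256sum-format text."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line)
        if m:
            entries[os.path.normpath(m.group(2))] = m.group(1).lower()
    return entries


def verify_directory(root, manifest_name="SHA256SUMS.txt"):
    """Compare every file under root with the manifest stored in root."""
    root = os.path.abspath(root)
    with open(os.path.join(root, manifest_name), encoding="utf-8") as fh:
        expected = parse_manifest(fh.read())

    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": [], "rejected": []}
    for rel, digest in sorted(expected.items()):
        path = os.path.abspath(os.path.join(root, rel))
        # Refuse manifest entries that point outside the directory being verified.
        if os.path.commonpath([root, path]) != root:
            report["rejected"].append(rel)
        elif not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) == digest:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)

    # Files on disk that the manifest never mentions cannot be vouched for.
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel != manifest_name and rel not in expected:
                report["unlisted"].append(rel)
    report["unlisted"].sort()
    return report


if __name__ == "__main__":
    import sys
    result = verify_directory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for status, paths in result.items():
        for p in paths:
            print(f"{status.upper():9} {p}")
```

`sha256sum -c` only checks the files a manifest names, so the unlisted category is the extra signal here: a file added to a mirror after publication shows up even though no listed hash changed.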
phishdestroy.io
github.com/phishdestroy
codeberg.org/phishdestroy
phishdestroy.eth
phishdestroy.medium.com
@PhishDestroy
mastodon.social/@phishdestroy
[email protected]
[email protected]