Forensic timeline of Google tracking deployment on a self-proclaimed "anonymous, no-logs" Monero web wallet. Evidence collected from the Internet Archive, URLScan.io public scans, and live network captures.
xmrwallet.com marketed itself as an "anonymous, no-logs" Monero web wallet. Its footer stated: "We do not track you." Its Terms & Conditions claimed privacy as a core feature.
This document presents the forensic evidence in chronological order, sourced exclusively from public archives. Every claim is independently verifiable using the URLs and timestamps provided.
| Identifier | Type | First Seen | Last Seen | Scope |
|---|---|---|---|---|
| UA-116766241-1 | Universal Analytics | 2021-10-06 | 2026-02-17 | In HTML source — <script> tag in page footer |
| G-E3T1T1VKD1 | Google Analytics 4 | 2024-01-10 | 2026-02-17 | Loaded dynamically by gtag.js — linked property in GA admin panel |
| Google Domain | Requests | Data Sent |
|---|---|---|
| www.googletagmanager.com | 12 | 6× gtag/js loader + 3× Service Worker (sw.js) + 3× sw_iframe.html |
| region1.analytics.google.com | 5 | Full session behavior, timing events (/g/collect) |
| www.google-analytics.com | 3 | analytics.js — page navigation, user agent, referrer |
| www.google.ro | 2 | Google Ads audience pixel (/ads/ga-audiences) |
| stats.g.doubleclick.net | 1 | Advertising network cross-tracking (/g/collect) |
| www.google.com | 3 | Consent/collection endpoint (/ccm/collect) |
| signaler-pa.clients6.google.com | 2 | Push signaling (punctual/v1/chooseServer) |
| Total to Google per session | 28 requests | |
upgrade-insecure-requests; — an empty policy that restricts nothing except HTTP-to-HTTPS upgrades. No script-src, no connect-src, no default-src. The legacy X-Content-Security-Policy: allow 'self' header is ignored by all modern browsers.
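An added example, not part of the original report: a small Python audit that resolves which CSP directive governs script loading and fetch/XHR egress, run on the xmrwallet.com policy quoted above and on the Blockchain.com login policy from this report's wallet comparison table. The function and capability names are this example's own.

```python
# Added example (not from the original report): audit a CSP header value for
# the two capabilities the report cares about, script loading and egress.

# CSP Level 3 fallback chains: an absent directive defers to the next one.
FALLBACKS = {
    "script_loading": ("script-src-elem", "script-src", "default-src"),
    "network_egress": ("connect-src", "default-src"),
}
WILDCARDS = {"*", "https:", "http:"}
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Return {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header_value):
    """Return {capability: (governing_directive_or_None, verdict)}."""
    policy = parse_csp(header_value)
    report = {}
    for capability, chain in FALLBACKS.items():
        governing = next((d for d in chain if d in policy), None)
        if governing is None:
            report[capability] = (None, "unrestricted")
            continue
        sources = set(policy[governing])
        # A nonce or hash makes browsers ignore 'unsafe-inline'; 'strict-dynamic'
        # additionally makes them ignore host and scheme sources.
        if any(s.startswith(HASH_OR_NONCE) for s in sources):
            sources.discard("'unsafe-inline'")
        if "'strict-dynamic'" in sources:
            sources -= WILDCARDS
        weak = sources & (WILDCARDS | {"'unsafe-inline'"})
        report[capability] = (governing, "weak" if weak else "restricted")
    return report


# Policy values as quoted on this page.
XMRWALLET_CSP = "upgrade-insecure-requests;"
BLOCKCHAIN_LOGIN_CSP = "default-src 'none'; script-src 'nonce-xxx' 'strict-dynamic'"

if __name__ == "__main__":
    for name, value in (("xmrwallet.com", XMRWALLET_CSP), ("Blockchain.com login", BLOCKCHAIN_LOGIN_CSP)):
        print(name, audit_csp(value))
```

A verdict of "unrestricted" means no directive in the fallback chain is present, so the browser applies no limit to that capability.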
window scope, localStorage, sessionStorage, and can override native fetch() and XMLHttpRequest to intercept POST requests to /auth.php carrying the user's private view key.
/static/service_worker/6240/sw.js — 3 requests + iframe). While this SW is scoped to googletagmanager.com (Same-Origin Policy prevents it from intercepting xmrwallet.com traffic directly), it demonstrates the depth of GTM's browser footprint on what was marketed as a "privacy" wallet.
Source: Live network capture, February 18, 2026 (105 total HTTP requests, 28 to Google domains). Full data: request_analytics_2026-02-18T15-07-55.json
The Internet Archive provides independently verifiable snapshots of xmrwallet.com's source code across time. Each timestamp below is a permanent, citable record.
app.js loaded. No analytics, no third-party scripts.
UA-116766241-1 + googletagmanager.com/gtag/js present in HTML source. Added between September 27 and October 6, 2021.
UA-116766241-1 + G-E3T1T1VKD1.
URLScan.io independently records HTTP request counts for every scan. The pattern is unambiguous:
| Period | Scan Count | Requests/Page | Google IDs Present | Status |
|---|---|---|---|---|
| 2024-01 → 2026-02-15 | ~60 scans | 33–42 | UA-116766241-1, G-E3T1T1VKD1 | TRACKING |
| 2025-07 → 2025-11 (app.html) | ~10 scans | 9 | None in HTML | CLOAKED |
| 2026-02-19 | 1 scan | 2 | None | ERASED |
| 2026-02-21 → 2026-04-10 | ~20 scans | 26 | None | Redirect to xmrwallet.cc |
| 2026-04-20 → 2026-05-15 | ~5 scans | 2 | None | Site effectively dead |
A critical discrepancy exists between the app.html source code (as archived) and its live behavior (as captured in network traffic).
Zero references to Google in HTML.
No <script> tags loading gtag.js.
Contains <meta name="robots" content="noindex,nofollow,nosnippet,noarchive"/>
Verified: snapshots 20190121 through 20260223
12 requests to googletagmanager.com
5 requests to analytics.google.com
40 POST requests containing Base64-encoded private view key
Captured: February 18, 2026 via Firefox WebExtension
window scope, localStorage, and the ability to override fetch()/XMLHttpRequest.
upgrade-insecure-requests; only, no script-src or connect-src restrictions), GTM scripts can read any variable, hook any function, and exfiltrate data to any external server — all without any browser warning.
noindex,nofollow,noarchive robots directive on app.html (absent from the main page) further prevents archival, ensuring no external record of the wallet page's runtime behavior.
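An added example, not part of the original report: one way to reproduce the static-versus-live comparison above is to diff the hosts named by script tags in the archived HTML against the hosts seen in a network capture. The inputs below are constructed (wallet.example is a placeholder), and the schema of the report's JSON export is not shown on this page, so the capture is taken as a plain list of URLs.

```python
# Added example (not from the original report): list third-party hosts that a
# page contacts at runtime but that no <script src> in its static HTML names.
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptHosts(HTMLParser):
    """Collect the hostnames of external <script src=...> tags."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        host = urlsplit(src).hostname if tag == "script" and src else None
        if host:
            self.hosts.add(host.lower())


def undeclared_hosts(static_html, request_urls, first_party):
    """Return Counter{host: requests} for runtime hosts absent from the HTML."""
    parser = ScriptHosts()
    parser.feed(static_html)
    seen = Counter()
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower()
        is_first_party = host == first_party or host.endswith("." + first_party)
        if host and not is_first_party and host not in parser.hosts:
            seen[host] += 1
    return seen


# Constructed inputs (wallet.example is a placeholder, not data from the report).
SAMPLE_HTML = """<html><head>
<meta name="robots" content="noindex,nofollow,nosnippet,noarchive"/>
<script src="/js/app.js"></script>
<script src="https://cdn.wallet.example/js/lib.js"></script>
</head><body></body></html>"""
SAMPLE_REQUESTS = [
    "https://wallet.example/app.html",
    "https://wallet.example/js/app.js",
    "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE",
    "https://www.googletagmanager.com/static/service_worker/0000/sw.js",
    "https://region1.analytics.google.com/g/collect?v=2",
    "https://wallet.example/auth.php",
]
```

A non-empty result means some script already on the page injected further loaders at runtime, which a review of the archived HTML alone cannot see.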
Google Tag Manager is a legitimate marketing tool. On a cryptocurrency wallet handling private keys, it becomes a powerful attack surface. Understanding why requires examining what GTM can do:
| Capability | Risk on a Wallet |
|---|---|
| Custom HTML Tags — inject arbitrary JavaScript via GTM web panel | Can read any DOM element, variable, or memory in the wallet's JS context |
| Triggers — fire tags on specific conditions (page URL, click, timer, custom event) | Can target only the "Create Wallet" or "Send" flows where keys are exposed |
| Variables — read cookies, URL params, dataLayer, DOM elements, JS variables | Can extract spend_key, view_key, seed from wallet JS scope |
| Audiences / Sampling — target % of users or specific conditions | Enables selective theft (only large balances, only certain countries) |
| Version history — only accessible to GTM account owner | No external audit possible. Changes invisible to code review. |
| Instant publish — changes go live in seconds, no deploy needed | Can activate theft, deactivate before detection, leave no server-side trace |
URLScan captures reveal the full cookie inventory that xmrwallet.com set in every user's browser:
| Cookie | Set By | Purpose | Privacy Impact |
|---|---|---|---|
| _ga | Google Analytics | Unique Client ID, persists 2 years | Cross-session user tracking |
| _gid | Google Analytics | Session ID, 24-hour lifetime | Session behavior profiling |
| _ga_E3T1T1VKD1 | GA4 | GA4 property cookie — confirms G-E3T1T1VKD1 | GA4 session tracking on wallet |
| _gat_gtag_UA_116766241_1 | GTM/UA | Rate limiting for UA property | Proves GTM + UA active |
| _gcl_au | Google Ads | Conversion Linker — tracks ad campaign conversions | Google Ads on a "privacy" wallet |
| __ddg1_, __ddg8_, __ddg9_, __ddg10_ | DDoS-Guard WAF | Bot protection / session validation | WAF infrastructure cookies |
| __ddg9_ | DDoS-Guard | Contains user's IP address in plaintext | IP address stored in browser cookie |
_gcl_au) is the cookie set when a site uses Google Ads to track which ad clicks lead to "conversions" (actions on the site). Its presence means the operator was running paid Google Ads campaigns directing users to the wallet — and tracking which ad-referred users created wallets or deposited funds. On an "anonymous, no-logs" wallet, this is indistinguishable from victim acquisition tracking.
__ddg9_) stores the visitor's IP address in plaintext inside a browser cookie. Combined with Google Analytics session data, the operator had access to: IP address + geographic location + browser fingerprint + wallet activity timeline + which ad brought the user.
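An added example, not part of the original report: the cookie names in the table above embed the Google property IDs, so an auditor can recover them from a cookie jar alone. This sketch classifies the names listed on this page; the rule labels and function names are this example's own.

```python
# Added example (not from the original report): classify cookie names and
# recover the Google property IDs that two of the names embed.
import re

# (pattern, label, function deriving a property ID from the match, or None)
RULES = [
    (re.compile(r"_ga_([A-Z0-9]+)"), "GA4 property cookie",
     lambda m: "G-" + m.group(1)),
    (re.compile(r"_gat_gtag_(UA_\d+_\d+)"), "UA throttle cookie set by gtag.js",
     lambda m: m.group(1).replace("_", "-")),
    (re.compile(r"_ga"), "Google Analytics client ID", None),
    (re.compile(r"_gid"), "Google Analytics session ID", None),
    (re.compile(r"_gcl_au"), "Google Ads Conversion Linker", None),
    (re.compile(r"__ddg\d+_"), "DDoS-Guard", None),
]


def classify(name):
    """Return (label, property_id_or_None); unknown names get ('unknown', None)."""
    for pattern, label, derive in RULES:
        match = pattern.fullmatch(name)
        if match:
            return label, derive(match) if derive else None
    return "unknown", None


def inventory(cookie_names):
    """Summarise a cookie jar: recovered property IDs and an ads-cookie flag."""
    labelled = {name: classify(name) for name in cookie_names}
    return {
        "property_ids": sorted({pid for _, pid in labelled.values() if pid}),
        "google_ads": any(label.startswith("Google Ads")
                          for label, _ in labelled.values()),
        "unknown": sorted(n for n, (label, _) in labelled.items()
                          if label == "unknown"),
    }


# Cookie names as listed in the table on this page.
PAGE_COOKIES = ["_ga", "_gid", "_ga_E3T1T1VKD1", "_gat_gtag_UA_116766241_1",
                "_gcl_au", "__ddg1_", "__ddg8_", "__ddg9_", "__ddg10_"]

if __name__ == "__main__":
    print(inventory(PAGE_COOKIES))
```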
Victim reports consistently describe the same pattern: small test deposits work fine, large deposits are stolen within days. GTM's trigger system is the technical mechanism that makes this possible:
This is a demonstration of the capability, not a claim that this exact code was deployed. Only Google can confirm what Custom HTML Tags were configured in GTM container UA-116766241-1. A subpoena to Google for the GTM container version history would resolve this definitively.
Google retains the complete version history of every GTM container. For UA-116766241-1, this includes:
No legitimate cryptocurrency wallet loads Google Tag Manager on its key-entry pages. This is not opinion — it is the verifiable industry standard, confirmed via URLScan.io public scans:
| Wallet | Type | Requests | Google Analytics | GTM | Cookies | CSP on Key Page | URLScan UUID |
|---|---|---|---|---|---|---|---|
| Ian Coleman BIP39 | Web (static) | 1 | No | No | 0 | N/A (no server) | 019dfffa-0771 |
| MyMonero (wallet.mymonero.com) | Web | 13 | No | No | 0 | Cloudflare | 0199729f-f515 |
| MyEtherWallet | Web | 5 | No | No | 0 | Cloudflare | 019bd152-d753 |
| Guarda (/app) | Web | 51 scripts | No | No | 0 | Isolated from landing | Live check May 2026 |
| Blockchain.com (login.) | Web | 77 | GA4 (G-ECLKXV7NVB) | No GTM | Yes | default-src 'none'; script-src 'nonce-xxx' 'strict-dynamic' | 019e1c5a-b865 |
| Monero GUI | Desktop | 0 | No | No | N/A | N/A (local) | N/A |
| Feather Wallet | Desktop | 0 | No | No | N/A | N/A (local) | N/A |
| xmrwallet.com | Web | 33–42 | UA-116766241-1 + G-E3T1T1VKD1 | Yes (via gtag.js) | 9 (incl. Google Ads, IP) | upgrade-insecure-requests; (EMPTY) | 019c6233-afce |
GTM-N5WZTMXC), but zero tracking on /app where keys are handled. Marketing and key management are isolated.
URLScan: 36 requests
Google IDs: UA-116766241-1, G-E3T1T1VKD1
Domains contacted: googletagmanager.com, google-analytics.com, analytics.google.com, doubleclick.net, google.com
Scan: 019c6233-afce-75ec-b07d-07dc91d0d1bd
URLScan: 2 requests
Google IDs: None
Domains contacted: xmrwallet.com only
Scan: 019c7739-c89c-755b-a667-6c41fb047671
The operator's response to being informed of the tracking was not to explain it, not to address the privacy contradiction, and not to publish a transparency report. The response was complete and immediate erasure — both of the tracking code and, subsequently, of the site itself.
This behavior is consistent with evidence destruction, not with a legitimate developer correcting an oversight. A developer who accidentally left analytics enabled would acknowledge the mistake. The operator never acknowledged the tracking existed.
1. Google Tag Manager was absent from xmrwallet.com before October 2021 (Wayback: 6 clean snapshots, 2019–2021).
2. Google Tag Manager (UA-116766241-1) was added between September 27 and October 6, 2021 (Wayback delta).
3. Google Analytics 4 (G-E3T1T1VKD1) was linked by at least January 2024 (URLScan HTTP transactions).
4. Tracking remained continuously active for 4+ years through December 2025 (Wayback + URLScan).
5. The wallet page (app.html) has zero Google references in its static HTML but 12 GTM requests in live sessions (Wayback vs. live capture).
6. app.html carried noindex,nofollow,noarchive robots directive — the main page did not.
7. All tracking was removed within 72 hours of the investigation notice (URLScan: Feb 15 vs Feb 19).
8. No other Monero wallet (GUI, Feather, MyMonero, Monerujo, Cake) uses Google tracking.
9. The DoubleClick advertising pixel was active on a financial privacy application.
A. Whether Custom HTML tags in the GTM container contained JavaScript that read wallet keys.
B. Whether GTM triggers were configured to activate only on wallet creation/login flows.
C. Whether audience sampling was used to target specific users (selective theft).
D. The complete GTM version history showing when tags were added, modified, or removed.
E. The Google account email that owns UA-116766241-1 and its associated properties.
All snapshots can be verified at:
All scans are public and permanent:
Full JSON export of 105 HTTP requests from a single wallet session is available in the evidence archive:
request_analytics_2026-02-18T15-07-55.json
Document classification: Public research. No proprietary data. No user credentials. All sources are public archives.
Contact: [email protected]