# xmrwallet.com & NameSilo LLC -- Investigation Dossier **Classification:** Public Evidence Archive **Date:** 2026-05-18 **Investigators:** PhishDestroy (volunteer anti-scam initiative) **Archive:** [phishdestroy.eth.limo](https://phishdestroy.eth.limo) | [GitHub](https://github.com/phishdestroy/ipfs-archive) **Status:** Active investigation. EU law enforcement engaged. No factual rebuttal received from any party. --- ## EXECUTIVE SUMMARY xmrwallet.com is a Monero cryptocurrency web wallet that has stolen an estimated **$100M+ in XMR** over approximately 8 years (2016-2026) through server-side transaction hijacking. The operator intercepts user view keys and constructs fraudulent transactions that redirect funds. The site's GitHub repository is a facade -- the theft code exists only on the production server. **NameSilo LLC** (ICANN registrar, IANA #1479, Phoenix AZ, CSE:URL) publicly defended the operator, issued a statement containing 4 verifiably false claims, offered to remove VirusTotal malware detections for the scam site, and used paid Twitter/X Gold Checkmark support to silence the researchers who exposed it. This dossier compiles evidence from: PullPush Reddit API, GitHub API, VirusTotal, SecurityTrails, Shodan, URLScan.io, Semrush, Hunter.io, crt.sh, CleanTalk, Wayback Machine, GhostArchive, and direct browser automation. **Key numbers:** - 40+ named victims on Reddit alone - $1,194,660+ confirmed stolen (Reddit only, conservative) - 93 Reddit posts analyzed, 60% removal rate in r/Monero - 4 Reddit legal/DMCA takedowns filed by operator against victims - 3-person sock puppet network (all Philippines-based) - 9+ domain registrations by operator (presented as "phishing clones") - 44 Twitter bot promotion accounts identified - 15+ paid/sponsored SEO articles - GPT-3.5 (free ChatGPT) recommends xmrwallet.com as #2 "Best Monero Wallet" - 81.5% of NameSilo's 5.18M domains are dead (industry baseline: ~50%) --- ## 1. OPERATOR IDENTIFICATION ### Primary Identity | Field | Value | |-------|-------| | GitHub | [nathroy](https://github.com/nathroy) (ID: 39167759) | | Name | "Nathalie" (likely pseudonym) | | Bio | "Cryptocurrency developer and jump rope expert" | | Location | Canada | | Email (commits) | admin@xmrwallet.com | | Email (contact) | royn5094@protonmail.com (valid, spam history on CleanTalk) | | Created | 2018-05-10 (same day as GitHub release) | | Public repos | 0 (all hidden/deleted) | | OS | macOS (leaked __MACOSX directory in 2024 commit) | ### Operator Emails | Email | Status | Notes | |-------|--------|-------| | admin@xmrwallet.com | INVALID | No MX records | | royn5094@protonmail.com | VALID (score 89) | Emailed PhishDestroy before publication | | hassizabir@gmail.com | VALID (score 92) | Google Drive SEO order owner | | titanmaster138@gmail.com | VALID (score 92) | Frontend developer/contractor | | support@xmrwallet.com | INVALID | Dead | | feedback@xmrwallet.com | INVALID | Dead | ### Second Developer | Field | Value | |-------|-------| | Email | titanmaster138@gmail.com | | GitHub | [pushpush](https://github.com/pushpush) | | Role | Frontend contractor (May-Jun 2018, 11 commits) | | Employer | Kinescope (kinescope.com) -- Russian video platform (registered Netherlands) | | Note | Likely hired as contractor, may not know about the scam | ### Reddit Sock Puppet Network (Philippines) | Account | Role | Evidence | |---------|------|----------| | u/WiseSolution | Original operator | 13 posts, 74 comments (2018-2022), signed as "Nathalie" | | u/craig_d_79 | Subreddit moderator, SEO expert | Tagaytay/Cavite, Philippines. Requested r/xmrwallet unbanned | | u/purpleandviolet | Main promoter, darknet targeting | 37 mentions of xmrwallet, 16 darknet sub comments. Leaked .onion address | | u/Extra-Expert7685 | Support account | Philippines gambler (r/WeddingsPhilippines, r/DigitalbanksPh) | | u/XMR-Expert | Single promo post | Aug 2024 | ### Other Operator Accounts | Platform | Account | Purpose | |----------|---------|---------| | Medium | @oliviasmith1978 | Display name "Xmr Wallet", SEO backlink from DA 96 | | Twitter/X | @XMRWalletCom | 189 followers, 0 tweets | | Google Drive | hassizabir@gmail.com | SEO article orders, Kwork freelance platform | | GitHub | BernickBeckForensic | Fake law firm account (intimidation) | | GitHub | relly34mfk | SEO contractor (atadevelopers.com) | --- ## 2. TECHNICAL EVIDENCE -- HOW THE THEFT WORKS ### The Attack Vector xmrwallet.com is NOT a simple phishing site. It is a functional Monero wallet with a server-side backdoor. The theft mechanism: 1. User creates wallet or logs in with seed phrase 2. Client-side JavaScript generates the wallet locally (this part works correctly) 3. **The view key and address are sent to the server** via POST requests (~40 requests per session) 4. Server stores `session_key` containing Base64-encoded view key 5. Server monitors incoming deposits in real-time using the view key 6. When a large deposit arrives, server constructs a fraudulent transaction that redirects funds 7. The wallet UI shows a fake "success" confirmation 8. The real transaction sends funds to the operator's address ### PHP Backend Endpoints (not in GitHub) The following endpoints exist on the production server but are absent from the GitHub repository: ``` auth.php getheightsync.php gettransactions.php getbalance.php getunspentouts.php submitrawtx.php login.php importwallet.php ``` ### GitHub vs Production Divergence | Aspect | GitHub | Production | |--------|--------|-----------| | app.js | 1.39MB, 5827 lines | Different (obfuscated) | | PHP endpoints | 0 references | 8 endpoints active | | session_key | 0 occurrences | Core theft variable | | View key exfiltration | Not present | 40 POST requests/session | | support_login.twig | Checks xmrwallet_spendkey, viewkey, address | Backdoor entry point | ### Commit Timeline | Date | Event | |------|-------| | 2018-05-10 | First Release (admin@xmrwallet.com) | | 2018-05-10 to 2018-11-07 | Active development (26 commits nathroy, 11 titanmaster138) | | 2018-11-07 | "Bulletproof Update" -- **LAST COMMIT FOR 5.3 YEARS** | | 2024-03-15 | Massive rewrite: app.js +5827/-74, monero.js complete rewrite | | 2026-04-19 | GitHub Pages migration (site closure redirect) | | 2026-05-05 | Farewell letter posted | ### Google Analytics `UA-116766241-1` embedded on EVERY page including 404 and maintenance pages. No other sites found using this GA ID. ### Google Site Verification Changes (3 accounts) ``` 2018-2021: JaFNzwwoh1fr6g30E3nHDtAds3uWZa_bkuK7ay0HOZc 2021-2026: bbN-0kgnaPq2JGH091MkAPAqOSd8T2qYo8qlIuqYUgQ 2026-Feb: d-En_D3kMw6CqZpPwZeDn4ICI5Tyk1WvPYdVdGzEWr8 ``` 3 different verification tokens = at least 2 Google account changes over the site's lifetime. --- ## 3. DOMAIN INFRASTRUCTURE ### Operator-Controlled Domains | Domain | Registrar | Status | Evidence | |--------|-----------|--------|----------| | xmrwallet.com | NameSilo -> Namecheap (May 2026) | GitHub Pages (dead) | Primary domain | | xmrwallet.cc | PDR | SUSPENDED | Same IP as .me | | xmrwallet.biz | Unknown | SUSPENDED | Same WHOIS state hash | | xmrwallet.net | Unknown | DNS DEAD | Same WHOIS state hash | | xmrwallet.me | Key-Systems | Active (backend disconnected) | Banner says "Our official domain" | | xmrwallets.com | NameSilo DNS | Active | 4/4 WHOIS hashes identical to .com | | xmrwallet.app | Njalla | Active (Vercel) | Privacy registrar | | xmrwallet.org | Dynadot | Active | Created 2024-06-23 | | xmrwallet.co | Namecheap | Active | Created 2020-07-17 | | xmrwallet.in | Dynadot | Parked | Used in Google Ads phishing | ### WHOIS Hash Proof (Same Registrant) ``` xmrwallet.com: city=7a96e04d2a2490b3 org=566bb814321610e4 state=e1c7c1911395a3cf zip=c692e0cb8851b160 xmrwallets.com: city=7a96e04d2a2490b3 org=566bb814321610e4 state=e1c7c1911395a3cf zip=c692e0cb8851b160 4/4 hashes identical = SAME PERSON ``` Escape domains (xmrwallet.biz, .net, .me): all share state hash `e1a13ff8c8552296` = same registrant. ### Domain Transfer Chain ``` 2014-08: Created on Namecheap (registrar-servers.com NS) 2015-08: Transferred to Enom/Tucows (name-services.com NS) 2016-08: Transferred to NameSilo (dnsowl.com NS, IANA #1479) 2018-03: NS changed to Cloudflare 2025-03: NS changed to DDOS-Guard (ns1/ns2.ddos-guard.net) -- Russian anti-DDoS 2026-04: NS back to NameSilo (premium-ns1-3.dnsowl.com) 2026-05-13: TRANSFERRED TO NAMECHEAP (new expiry 2036-05-13) ``` The operator transferred the domain 4 days before our latest data collection. Extended 1 year. NOT retiring. ### Server Infrastructure -- Russian Ecosystem | IP | Provider | Hosted Domains | Co-Hosted With | |----|----------|---------------|----------------| | 186.2.165.49 | IQWeb FZ-LLC, UAE | xmrwallet.com (main) | **kinogo.ec** -- Russian pirate streaming | | 185.129.100.248 | DDOS-Guard, RU | xmrwallet.cc, .me + full infra | **rustme.ru** (Minecraft), kuchaknig.org, mirpuffov.ru -- ALL Russian | | 190.115.31.40 | DDOS-Guard | xmrwallet.biz, .net | **bclubs.to** -- BriansClub carding marketplace (stolen credit cards) | ALL server infrastructure connects to Russian-language ecosystem. DDOS-Guard (Rostov-on-Don, Russia) used across ALL domains. ### Tor Infrastructure ``` Old .onion (2018, v2): xmrwalletdatuxds.onion (deprecated) New .onion (2024, v3): xmrtor3fsapuu6y26za7vpzox4vpaj6ny5viq2arbmozm7kg6jitnlid.onion ``` The v3 onion was leaked by sock puppet u/purpleandviolet in darknet subreddits -- insider knowledge. --- ## 4. VICTIM IMPACT ### Confirmed Financial Losses (Reddit Only) | Victim | Amount | Date | Status | |--------|--------|------|--------| | u/Moon4895 | $500,000 | Sep 2021 | Post REMOVED, body LOST | | u/Practical-Demand-174 | 1060 XMR (~$170,000) | Aug 2022 | TX verified on chain | | Bitazu Capital (Aftab Sorout) | $20,000 | Sep 2020 | Press coverage | | u/CurrentDay1109 | 159 XMR | Dec 2022 | Security engineer | | u/sncle + friend | 112 XMR | May 2021 | 27 upvotes | | u/Sir-Forsaken + friend | 47 + 100 XMR | Oct 2020 | 55 upvotes, 44 comments | | certwaina (BitcoinTalk) | ~400 XMR | Dec 2025 | Thread #5569461 | | u/RechardSport | 10+ XMR ($1,600) | Dec 2020 | | | u/Puzzled-Bottle-9274 | 10 XMR | Dec 2020 | | | u/alferg | 5.686 XMR | Feb 2021 | | | u/Such_Ad3921 | 4.613 XMR ($1,100) | Feb 2021 | Published seed phrase | | u/Chimmichangaaaaa | $800 | Mar 2021 | "Had used 2-3 times before" | | blogspot victim | $500 | Sep 2020 | | | u/xmr_amateur | $100-200 | Oct 2020 | Google Ads redirect chain | | u/Pretend-Hospital3784 | GBP 100 | Mar 2021 | "Seed on paper, didn't log in" | | u/vermillion1469 | $60 | Jul 2019 | | **Total confirmed (Reddit):** 1,408+ XMR / **$1,194,660+** (conservative) **Unique victims named:** 40+ **Unique threads:** 32 **Date range:** 2018-09 to 2025-03 ### Verified Transaction Hashes ``` 986c9821e95edde80589165bae653a59357050f743834e9bd7606d963cefa91b Block 2327688 (2021-04-30) u/CommercialAd5283 00a888c91b0f6cceb8e2a7d2fc1a93dd00253d53d6226c74604399b0d51cf0a1 Block 2666869 (2022-07-14) u/dance88 b3f2ca86fdc786d846d5d3ce29d40ace2876e0c3fc9fd2a5448ae99b2723ab8f 1060 XMR theft - u/Practical-Demand-174 ``` ### Selective Scamming Pattern | Deposit Size | Result | Evidence | |-------------|--------|----------| | $10-100 | Works fine | Builds trust for months/years | | $200-1000 | Sometimes stolen | u/Such_Ad3921: used since 2019, $1100 stolen | | $1000+ | Stolen in 2-30 min | u/Sir-Forsaken: 2 XMR fine, 10 stolen | | 1060 XMR | UI shows wrong amount | u/Practical-Demand-174: screen said 300, sent all 1060 | The wallet UI deliberately hides stolen transactions (u/Subeedai, Jan 2023): "XMRWallet is still showing the original balance, but MoneroGUI is showing 0." --- ## 5. SUPPRESSION CAMPAIGN ### Reddit Suppression | Subreddit | Total Posts | Removed | Removal Rate | |-----------|-----------|---------|-------------| | r/Monero | 50 | 30 | **60%** | | r/monerosupport | 20 | 1 | 5% | | r/CryptoCurrency | 3 | 2 | 67% | | **Total** | **93** | **38** | **41%** | **Removal types:** - automod_filtered: 12 (mass-reported by operator) - author_deleted: 12 (harassment/threats via DM?) - removed_by_reddit: 4 (DMCA/legal requests FROM OPERATOR) - removed_by_moderator: 1 ### Reddit Legal Takedowns (Operator Filed DMCA Against Victims) 1. u/[deleted] (May 2020) -- "site under attack, funds moved" 2. u/CryptoLadyok (Jan 2022) -- "got scammed" 3. u/Practical-Demand-174 (Aug 2022) -- 1060 XMR stolen ($170K) 4. u/fxkxmrwallet (Oct 2022) -- "DONT use XMRWallet.com" 5. u/Balrog1992 (Jun 2023) -- "long-lived scam" ### Posts Where Body Was Lost Forever - "xmrwallet.com - scam - **$500,000**" (u/Moon4895) - "XMRWallet.com Scam" (22 upvotes) - "Was I scammed out of $200?" - "Scammed by xmrwallet.com :(" - "Funds stuck on XMRWallet.com which is completely abandoned" ### Twitter/X Suppression NameSilo used **paid Gold Checkmark support** (bypasses normal checks) to lock the @Phish_Destroy account that was posting rebuttals to their public defense of xmrwallet. All tweets were pre-archived on Wayback Machine and GhostArchive before the lock. ### Trustpilot Review Manipulation 100+ negative reviews removed from both NameSilo and xmrwallet Trustpilot pages. Bot review patterns identified on both profiles. Reviews filed using government email addresses for faster processing. ### r/xmrwallet Subreddit Takeover Reddit banned r/xmrwallet as spam. craig_d_79 requested reinstatement (Jul 2024), took over moderation, filled subreddit with promotional posts. --- ## 6. SOCK PUPPET OPERATIONS ### Coordinated Thread Evidence **Thread 1bp6nif (r/onions "Monero Wallet Recommendations"):** ALL THREE accounts in the same thread: - u/craig_d_79: "xmrwallet is what i use" - u/purpleandviolet: "XMRWallet for me." - u/Extra-Expert7685: "i use XMRWallet(dot)com which is super easy, secure, and totally private" **Thread 1bl896r (r/Monero "Best XMR wallet?"):** - u/craig_d_79: "I've never had any issues, been using since 2018" - u/purpleandviolet: "I've used XMRWallet since 2020. Haven't had any issues." **Thread 1czg8wn (r/CryptoCurrency):** - u/purpleandviolet: "Just because you haven't heard of it means it's a scam." (DEFENDS scam) - u/Extra-Expert7685: "xmrwallet is great for Monero" u/rbrunner7 (Monero contributor) noticed: "Don't overdo it with those recommendations for xmrwallet. I find it quite strange how they pop up every now and then, in strange places." ### Darknet Targeting u/purpleandviolet made 16+ comments in darknet subreddits (r/darknet: 9, r/onions: 5, r/AbacusMarketAccess: 1) recommending xmrwallet. Darknet users are ideal victims: won't report to police, need privacy, trust Tor, significant transaction amounts. --- ## 7. THE "PHISHING CLONE" DEFENSE -- DEBUNKED The operator's primary defense: "All losses are from phishing clones, not from xmrwallet.com itself." ### Why It Doesn't Hold **Popularity argument:** xmrwallet.com (~7K daily visitors at peak) has 9 phishing clones. MetaMask (30M users) has thousands. MyMonero (500K+ downloads) has some. A phisher targeting xmrwallet instead of MetaMask is like a pickpocket choosing an empty bus instead of a packed subway. **Technical barrier:** xmrwallet is a complex PHP backend (not open source). Cloning requires reverse-engineering the backend, running a Monero node (~180 GB), replicating the transaction flow. This is orders of magnitude harder than cloning a simple login page. A real phisher would target MyMonero (simple seed import). **The "clones" are the operator's own domains:** - WHOIS: 4/4 identical privacy hashes between xmrwallet.com and xmrwallets.com - Shared WHOIS state hash across .biz, .net, .me - xmrwallet.me banner: "Our official domain(s): xmrwallet.com, xmrwallet.net, xmrwallet.me" - Same DDOS-Guard infrastructure, same MX records, same page title **He created the problem, then used the problem as his defense.** --- ## 8. SEO MANIPULATION & AI POISONING ### Paid/Sponsored Articles | Outlet | Year | Type | |--------|------|------| | NewsBTC | 2018 | SPONSORED (labeled) | | Bitcoinist | 2018 | SPONSORED | | crypto.news | 2025 | PAID ("content provided by third party"), xmrwallet #1 | | CryptoPotato | 2018 | Puff piece (Bridgit Murphy) | | NullTX, Bitcoin Insider, Global Coin Report, The Bitcoin News | 2018 | Identical "passes audit" PR | | jcount.com | 2018+ | "Why XMRWallet is the Hottest Topic" | ### Private Blog Network (PBN) 50+ blogspot domains used for SEO manipulation (Semrush data). Peak spam campaign Jul-Sep 2025 directly correlates with traffic spike. Google Sites/GCS spam: 12+ pages from "abrahambrantley." ### Cloud Platform SEO Abuse - GCloud: storage.googleapis.com/abrahambrantley/WalletXmr.html (DA 91) - AWS S3: alvislewis.s3.amazonaws.com/MoneroWallets.html (DA 96) - Azure: edwardscott.blob.core.windows.net/paperwallet/FreeMonero.html (DA 99) ### AI Model Testing (May 17, 2026) | Model | Response to "Best Monero web wallet" | |-------|--------------------------------------| | **GPT-3.5-turbo** | **RECOMMENDS xmrwallet.com as #2** | | GPT-4o-mini | Refuses to assess | | Gemini 2.0 Flash | "mixed reputation, avoid" (soft warning) | | Llama 3.1 70B | "Not safe, suspicious activities" | | Mistral Large | "Not recommended" | GPT-3.5-turbo is the default model in free ChatGPT. Millions of users asking "best Monero wallet" get directed to a confirmed theft operation. ### xmrwallet.com/blog -- 15+ SEO Honeypots "Best Subreddits for Monero", "How to Get Monero", "5 Common Crypto Scams" (scammer writing about scams), "Security of Your XMR Wallet" -- all targeting Google keywords to funnel victims. --- ## 9. NAMESILO CONNECTION -- 11 EVIDENCE POINTS 1. **Public defense tweet** -- NameSilo publicly defended xmrwallet.com operator (archived: ghostarchive.org/archive/CXXZ0, 11.3K views) 2. **4 false statements in 1 tweet** -- "no abuse reports" (20+ from PhishDestroy alone), "compromised" (code never changed), "in-depth review" (never contacted researchers), VT delisting offer 3. **Gold Checkmark suppression** -- Used paid X support to silence @Phish_Destroy 4. **Identical suppression tactics** -- Both NameSilo and xmrwallet delete Trustpilot reviews, both use PR Newswire, both have zero organic web presence 5. **Domain registration** -- xmrwallet.com registered at NameSilo since 2016, xmrwallets.com uses NameSilo DNS 6. **Wikipedia -- flagged promotional** -- NameSilo Wikipedia page flagged by editors 7. **Forbes -- paid placement** -- "We earn a commission" disclosure 8. **Q1/Q2 2025 press releases** -- Identical copy-paste 9. **1.8/5 on SmartCustomer** -- Zero negative Google results despite terrible reviews (suppression) 10. **P/E ratio 143.8x** -- Industry average 21x, unexplained premium 11. **81.5% dead domains** -- 4.22 million dead of 5.18M (2x industry baseline) --- ## 10. NAMESILO DOMAIN ANOMALIES ### The Numbers - **5.18 million** domains under management - **81.5%** dead (no IP, no email, no content, no rank) = **4.22 million dead domains** - **54.4%** DNS-verified dead (32.2% no IP + 33% parking stubs = 2.82M) - Industry baseline: ~50% dead domains - NameSilo: **10 percentage points above closest competitor** - **615% year-over-year spike** in junk TLD registrations - **10,000-17,000 domains/day** bulk purchase runs - **$26.5M** estimated wholesale value of dead domains ### Revenue Per Real Domain If only ~960K domains are "real" (have content/email/any sign of use), then C$65.5M revenue / 960K = **C$68 per real domain**. Industry average: ~$10-15. The premium is unexplained by any legitimate business model. ### Price Comparison NameSilo claims "cheapest on the Internet." Reality: **95 ICANN-accredited registrars sell .com cheaper**. Namecheap is 2.2x cheaper. Spaceship is 5.4x cheaper. Cloudflare is 1.5x cheaper. All sell the exact same product. ### Suspected Money Laundering Flow ``` $100M+ stolen XMR | v Crypto -> Fiat conversion (mixers, DEX, OTC) | v Bulk domain purchases at NameSilo 10,000-17,000 domains/day $26.5M wholesale on dead domains 96% no email, 99.9% no web presence | v NameSilo reports "legitimate revenue" C$65.5M revenue (2025) C$133M market cap (~US$98M) P/E 143.8x (industry avg: 21x) | v Clean money out -> Stock (CSE: URL) -> "Legitimate tech company" ``` --- ## 11. NEWALCHEMY SECURITY AUDIT -- THE TRUST SHIELD In July 2018, NewAlchemy.io audited xmrwallet. The operator used this as proof of legitimacy ("passes security audit" -- 67 upvotes on Reddit). **What was audited:** Client-side JS (twig templates + app.js) **What was NOT audited:** PHP backend (auth.php, getheightsync.php, getbalance.php) -- the EXACT code that steals funds From the audit: "The server-side application consists of numerous PHP API endpoints. This code was OUT OF SCOPE." The audit was a trust shield, not a security review. --- ## 12. OPERATOR'S LIES TIMELINE | Date | Statement | Reality | |------|-----------|---------| | 2018-05-01 | "The seed is NEVER sent to the server" | True but irrelevant -- view key IS sent | | 2018-05-02 | "Its actually my own backend made in PHP" | Confirmed PHP backend | | 2018-07-19 | "Your private key never leaves your computer" | LIE -- view key sent 40x/session | | 2020-08-21 | "Xmrwallet doesn't save your seed phrase" | Irrelevant -- theft via view key + TX hijack | | 2020-11-25 | "Statement" blaming phishing clones | Official domain stole funds too | | 2022-08-10 | Template response to 1060 XMR victim | "Feature in development, use CLI" | | 2026-05 | Farewell: "A view key cannot give access to spend" | True but misleading -- TX hijacking is the vector | --- ## 13. KEY WITNESSES ### Monero Core Team | Person | Role | Statement | |--------|------|-----------| | u/dEBRUYNE_1 | Lead maintainer | "I've seen multiple reports of nefarious behavior." Admitted deleting victim posts early on. | | u/selsta | Developer | Reported phishing domains to Namecheap | | u/rbrunner7 | Contributor | "Third or fourth person in 3 months with vanished XMR from .com" | | u/SChernykh | P2Pool developer | Confirmed "xmrwallet is a known scam" (GitHub #8440) | | u/needmoney90 | r/Monero mod | Removed xmrwallet from sidebar | ### Exchanges ChangeNow.io confirmed victim deposit never arrived: "we're unable to detect your deposit" ### Threat Intelligence xmrwallet.com is listed as phishing IOC by 3 independent researchers in TweetFeed: - @Phish_Destroy (Feb 2025) - @CarlyGriggs13 (Jul 2025) - @skocherhan (Mar 2026) ### uBlock Origin Issue #25172 (Sep 2024): "xmrwallet.com/.org: badware" -- "Claims to be open source but its not, github repos are empty, known to deleting github issues/comments" --- ## 14. CRYPTO ADDRESSES ### Operator ``` Donation: 46U48fkNkteDJEWypqHH9NfLWsTNMNFZiRETdVm1Q73234hifuMhqKCAYx3muwWb2955twtpKvUncEdSBWeeX8UL49sAQWo ``` ### Phishing Clone Addresses ``` xmrwallet.in: 48AKq9BfZuE8sPNCf2tB88M51n7y3t25QJEgadYzs2yCVb1LBjyBWxS3k43F78Z2gT5pSYhygDy3HZsXVeg53FLMTwafDNS xmrwallet.net: 43NQ57boq4YUmpu6CQurXUi86meYvh1npj2CRbvSrECKhZDsAbGg6jAixXC9EA8c85aNNmw3jsmsodg89HDKREjS9129JdV ``` ### Victim (Published by u/Such_Ad3921) ``` Address: 4AsBFcExcY1AZyyTc1nszEKYyunri52Xy9nvHYqCCojYQJ9gmt1LJzUdKeNFo8aS7QhEWVzd9rrmPgWt6kHNnCct3rbKxiF Seed: buzzer fawns tribal kernels pedantic hover suffice lilac vipers excess were drying fibula ostrich eskimos efficient inquest soya vary faulty junk iceberg hedgehog inquest junk ``` --- ## 15. RECOMMENDED ACTIONS FOR LAW ENFORCEMENT ### Subpoenas / Production Orders 1. **NameSilo LLC** -- Payment records for xmrwallet.com, xmrwallets.com. Bulk domain purchase records (accounts buying 10K+/day). Internal abuse report logs. 2. **Namecheap Inc** -- Current registrant data for xmrwallet.com (transferred May 13, 2026) 3. **DDOS-Guard Ltd** -- Server access logs for IPs 185.129.100.248 and 190.115.31.40 4. **Proton AG** -- Account data for royn5094@protonmail.com 5. **Google LLC** -- Account owner for hassizabir@gmail.com, Google Analytics UA-116766241-1 6. **Reddit Inc** -- IP logs for u/WiseSolution, u/craig_d_79, u/purpleandviolet, u/Extra-Expert7685 7. **GitHub** -- IP logs for nathroy (ID 39167759) 8. **X Corp** -- Gold Checkmark request records for @Phish_Destroy lockout ### Applicable Statutes (US) - 18 U.S.C. 1343 -- Wire Fraud - 18 U.S.C. 1030 -- Computer Fraud and Abuse Act - 18 U.S.C. 1956/1957 -- Money Laundering - 18 U.S.C. 1512 -- Witness Tampering / Obstruction (DMCA against victims) ### Applicable Statutes (EU) - Directive 2013/40/EU -- Attacks against information systems - National fraud and money laundering statutes in relevant jurisdictions --- ## 16. EVIDENCE INTEGRITY All evidence files are SHA-256 fingerprinted. Full hash manifest available at: - `namesilo-evidence/ALL_EVIDENCE_HASHES.txt` - `namesilo-evidence/EVIDENCE_HASHES.txt` - `namesilo-evidence/INTEGRITY-MANIFEST.json` - `namesilo-evidence/FROZEN-SNAPSHOT-2026-05-12.json` 61 evidence images. Every external link has at least one immutable archive copy (Wayback Machine, GhostArchive, or IPFS). --- ## APPENDIX A: GOOGLE DRIVE SEO ORDERS (Still Public) - [Folder 1](https://drive.google.com/drive/folders/1uIQzFDAjWwvJYlx12lorwYXGsZmJixFw) - [Folder 2](https://drive.google.com/drive/folders/1IV1ZeT3Swzk7qSGmTM744tG3a4Z6umZx) - [Folder 3](https://drive.google.com/drive/folders/1AMGLa2Kw1I4GesLkxjdeCW4Lyvl0nLpk) - [Google Slides](https://docs.google.com/presentation/d/1XJj125phXrve5RgbFSNKy90ZDpjsxEkEh71fxjaZCkU/) - [Google Sites](https://sites.google.com/view/xmr-wallet1) - [Google Sheets -- Links](https://docs.google.com/spreadsheets/d/1z_DCsC1eXfI3-3RRvGrql8H_3M3lbPRADl4jSop32cM/) **Drive owner: hassizabir@gmail.com** (last modified Oct 2023) ## APPENDIX B: RAW DATA FILES | File | Size | Content | |------|------|---------| | reddit-victim-evidence.json | 27KB | Structured victim reports, suppression stats | | reddit-victim-evidence.json.additions | 70KB | Full OSINT: sock puppets, infra, SEO, lies timeline | | xmrwallet-deep-evidence.json | ~15KB | Domain transfer, WHOIS, AI poisoning, TX hashes | | xmrwallet-deep-evidence.json.extra | ~10KB | Name theft, suppression stats, registrar scorecard | | xmrwallet-twitter-evidence.json | ~8KB | 44 tweets: 41 bot, 1 victim | | xmrwallet_namesilo_investigation.json | ~100KB | Semrush OSINT: traffic, backlinks, PBN | | xmrwallet_AI_manipulation_report_EN.md | ~15KB | AI recommendation pipeline analysis | --- *This document is part of the PhishDestroy evidence archive. Permanent copies exist on IPFS and Arweave. Evidence cannot be deleted from decentralized networks.*