Behavioral Pattern Analysis: xmrwallet Operator vs NameSilo

We weren't looking for this. While investigating xmrwallet.com's fraud infrastructure and NameSilo's role in protecting it, we noticed something unexpected: both entities use the same premium PR distribution service (PR Newswire/Cision), both have almost no organic web presence, and both respond to evidence with threats instead of facts. We followed the evidence. This is what it shows.

How We Got Here

xmrwallet.com steals Monero for ~8 years. Server-side transaction hijacking. Hundreds of victims. GitHub issues, Reddit PSAs, BitcoinTalk warnings, Trustpilot reviews — all documenting theft since 2018.

Victims report to NameSilo. 31+ abuse reports since 2018 from multiple researchers and victims. NameSilo's response: "We had received no abuse reports."

PhishDestroy enters. Professional abuse report with technical evidence: viewkey exfiltration, code analysis, victim transaction IDs. We contact the operator directly.

Operator responds — with lies. Feb 16: "We don't store seeds or keys." Feb 17: "This is the data we need." (Contradicts himself in 24 hours.) Then: "Feel free to subpoena the domain registrar." [Emails archived]

We respond professionally. Technical analysis published. Domains suspended through other registrars (.cc, .biz — registrars that actually read reports). Operator loses 4 domains registered for 5-10 years each.

Operator escalates to threats. Feb 23: "I've hired a lawyer and a private investigator." No lawyer ever appeared. He deletes GitHub issues #35 and #36 (evidence destruction). [Email archived]

NameSilo joins the defense. Publicly declares operator innocent. Fabricates "compromise" story. Offers to remove VirusTotal detections. Uses X Gold Checkmark to lock our account. [Tweet screenshot]

We go deeper. Domain analysis (5.18M domains, 81.5% dead). Trustpilot forensics (deletions proved by Wayback). PR Newswire connection discovered. SERP analysis. Financial audit. Everything archived on Arweave, IPFS, GitHub. This page is the result.

Their response: threats, doxxing, silence. NameSilo tweets: "halt your falsehoods or face legal action." An insider tries to doxx our researcher by country. Zero facts addressed. Zero evidence disputed. Predictable. Documented. Permanent.

Evidence Map — Every Claim, Every Proof

xmrwallet steals Monero
GitHub Issue #35 (deleted by operator, archived by us). 80+ Trustpilot reviews. Reddit PSAs. BitcoinTalk. Code analysis: viewkey exfiltration.
[Trustpilot reviews] [Twitter evidence]

NameSilo refuses to ban them
31+ abuse reports since 2018. FTC sent an official warning letter (Dec 2024). ICANN complaints. BBB complaints. NameSilo: "we had received no abuse reports." Domain still active today.
[Lies debunked] [Proofs]

Operator lies in emails
Feb 16: "we don't store keys." Feb 17: "this is the data we need" (contradiction). Feb 17: "subpoena the registrar." Feb 23: "hired a lawyer" (never appeared).
[3 original .eml files + 2 extracts]

Both buy paid articles
xmrwallet: Kwork (500 rub), cryptopotato, newsbtc, captainaltcoin, PR Newswire ($500-1500). NameSilo: PR Newswire (12 releases), Forbes ($50K+), Yahoo Finance ("paid press release").
[Yahoo paid label] [Forbes disclosure] [15 cached pages]

NameSilo launders through phantom domains
$65.5M revenue. 81.5% domains dead. 99.65% zero traffic. Serial patterns (37K groups). Bulk spikes (25 days with 10K+ registrations). First profit ever in 2025 ($2.2M).
[Domain anomaly report] [Financial filings]

Both delete Trustpilot reviews
xmrwallet: 7+ deleted (Wayback proof). Victim Erma Powell's verified review deleted as "guideline breach." NameSilo: 129 deleted in 4 months (2,609 → 2,480). Rating artificially recovered 4.5 → 4.7.
[Victim screenshot] [Wayback xmrwallet 2024] [Wayback NameSilo 2023] [Wayback NameSilo 2026] [Full data]

They deleted our Twitter account
@Phish_Destroy locked after tagging ICANN. X's own automation cleared us: "no violation found, account restored." Still locked. Gold Checkmark override = paid censorship.
[X Support email] [Full pressure campaign]

NameSilo publicly defends the scammer
Official tweet: "claims are false, libelous and defamatory... undergo legal action." Offered to help remove VirusTotal detections. Fabricated "compromise" story contradicted by operator's own emails.
[Tweet screenshot] [GhostArchive]

Same PR platform (PR Newswire)
"Volunteer wallet" and publicly-traded registrar both use Cision/PR Newswire. xmrwallet releases posted 1 day before NameSilo's. Same platform, same week. Fake phone (+1 300-227-473).
[Connection data] [SERP evidence]

Zero organic coverage for both
xmrwallet: 94 referring domains (crypto-spam). NameSilo: 102 (exchange filings, coupons). Google + Bing SERP scraped. Neither has independent journalism. Both exist on paid placement only.
[xmrwallet Google] [NameSilo Google] [xmrwallet Bing] [NameSilo Bing]

Insider tried to doxx researcher
@bhabhiezayn (Paul Andreola associate) screenshotted researcher's country, posted as taunt, then deleted tweet. Archived before deletion.
[Screenshot 1] [Screenshot 2]

Operator wrote farewell letter
May 5, 2026: posted closure announcement. Signed "The Creator." Admits investigation forced shutdown. Contains verifiable lies. Domain still active. NameSilo still hasn't suspended it.
[Full farewell letter]

Matching Patterns

Shared PR Platform

xmrwallet Referring Domains

102

NameSilo Referring Domains

Organic Coverage

The Pattern

When confronted with evidence of fraud, both the scam operator and the registrar protecting them respond the same way: not with facts, not with transparency, not with action — but with paid press releases, legal threats, and manufactured legitimacy.

Both use PR Newswire (Cision) — the same premium PR distribution platform. Both have almost no organic web presence: xmrwallet has 94 referring domains (almost all paid crypto-spam sites), NameSilo has 102 (mostly exchange filings and coupon sites). Neither entity has real organic coverage. Both rely entirely on paid placement. One buys Kwork SEO spam for 500 rubles. The other buys PR Newswire releases for $500+. Same approach. Different budget. Or the same budget.

A "volunteer open-source wallet" publishing press releases on a platform designed for publicly-traded companies is not normal. It's someone with access to a corporate PR account — or the same PR agent.

Side-by-Side Comparison 8 matching behavioral patterns

xmrwallet.com / "Nathalie Roy"

NameSilo Technologies Corp

Pattern 1: Paid PR Instead of Transparency

Uses PR Newswire ($500-1500/release) to publish press releases about "charity support", "Tor integration", and "privacy access". An anonymous "volunteer project" spending thousands on premium PR distribution. Service: PR Newswire (Cision)

Uses PR Newswire for investor relations, milestone announcements ("6 Million Domains"), and year-end results. When confronted with abuse evidence, responds with PR — not with action. Service: PR Newswire (Cision)

Pattern 2: Threats Instead of Arguments

"Nathalie Roy" sends threatening emails to PhishDestroy volunteers. Instead of addressing the evidence of stolen funds, threatens legal action. No substantive response to any technical finding.

NameSilo's Twitter/X response (May 11, 2026): "Your claims are false, libelous and defamatory... halt your falsehoods towards us or we will be forced to undergo legal action." Instead of addressing the FTC warning letter, BBB complaints, and documented abuse — legal threats. Zero engagement with specific evidence. [Screenshot] [Original tweet]

Pattern 3: Manufactured Legitimacy

Buys Kwork services (500 rubles) for SEO spam. Buys PR Newswire releases. Runs coordinated Twitter bot campaigns (44 bot tweets documented). Creates appearance of legitimate crypto project.

Uses PR Newswire releases on investor pages (CSE: URL). Touts domain count milestones while hosting documented phishing infrastructure. Uses "in-depth review" claims without evidence of actual review.

Pattern 4: Zero Engagement With Evidence

GitHub Issue #35 documents the theft mechanism with code analysis. Trustpilot reviews (80+) document stolen funds. Zero response from operator to any technical evidence.

FTC sent 2 warning letters. BBB complaints filed. ICANN complaints submitted. PhishDestroy provided detailed abuse report with evidence. Response: "we had received no abuse reports" and "in-depth review found no issues."

Pattern 5: Trustpilot Bot Farms — Both Delete Negatives, Both Buy Positives

xmrwallet Trustpilot — Wayback Machine proves deletions: May 2024 snapshot shows 45 reviews, rating 3.6 (27% one-star). Current scrape: 80 reviews, rating shifted to 51% five-star (22.5% one-star). We compared names: 7 reviews deleted from page 1 alone, including:
• "Elmo T. Johnson" — "XMRWallet swindled my funds. 1200 monero was vanished" — DELETED
• "B.Costa" — "Nathalie solved it" — DELETED (mentions operator by name!)
• 2 verified reviews (with Trustpilot checkmark) — DELETED
• 3 bot reviews ("Thomas", "Jabari Rivera", "Evelyn Malik") — their own bots, deleted after serving purpose
Victim testimony: "Erma Powell" (verified Trustpilot account, green checkmark) posted a 1-star review on Apr 22, 2024: "I'm in a panic, I created a wallet on the official site, put money in and the developers took everything, the code on github has nothing to do with this site. Do something about it." An unprompted, verified victim report. Trustpilot removed it: "This review was removed for breaching Trustpilot's Guidelines for Reviewers." The victim sent us the screenshot of her deleted review. A verified user reporting stolen funds — deleted as a "guideline breach." Wayback Machine confirms: May 2024 snapshot shows 45 reviews — today there are 80, but at least 7 names from that snapshot are gone. Erma Powell's review doesn't appear in any snapshot because it was removed within days of posting. We know because she told us. We have more.

Victim Erma Powell - deleted Trustpilot review

Wayback Machine - xmrwallet Trustpilot May 2024 - 45 reviews

Pages 2-3 (25 more reviews) were not cached by Wayback. Actual deletion count is far higher. The result: a scam wallet maintained a rating higher than top crypto exchanges. [Browse 80 surviving] [Deletion evidence JSON]

NameSilo Trustpilot — Wayback Machine proves deletions: Jan 2026 snapshot shows 2,609 reviews. Current scrape (May 2026): 2,480 reviews. That's 129 reviews deleted in 4 months. Rating trajectory: 4.7 (2023) → 4.5 (2024) → 4.7 (2025) — rating recovered despite adding 600+ reviews. This only happens when negatives are deleted faster than they arrive. 92% bot manipulation probability (independent AI analysis). Low-quality 5-star from single-review accounts praising "Leonid." 57 perfect reviews from Hong Kong. [Browse 2,480 surviving] Both delete reviews. xmrwallet: 7+ confirmed deleted (Wayback proof). NameSilo: 129 deleted in 4 months (Wayback proof). Same platform. Same manipulation.

Pattern 6: Deny, Deflect, Disappear

Zero engagement with evidence. GitHub Issue #35 documents the theft mechanism with code analysis. 80+ Trustpilot reviews document stolen funds. Reddit PSAs, BitcoinTalk warnings. Operator response: silence, then threats, then evidence destruction (deleted GitHub issues).

"In-depth review" with zero documentation. No abuse report acknowledgment despite an FTC warning letter. Claims to have reviewed domains that are documented phishing infrastructure. When pressed: "halt your falsehoods or we will be forced to undergo legal action."

Pattern 7: Disproportionate Spending

"Volunteer project" that spends $1,500+ on PR Newswire, buys Twitter/X Gold ($200/month), runs coordinated bot campaigns, purchases Kwork SEO services. Where does the money come from for a "free volunteer wallet"?

Publicly-traded company (CSE: URL) spending on PR Newswire for investor relations while refusing to invest in basic abuse prevention. Revenue from domain registrations, including phishing domains, funds the PR machine.

Pattern 8: Same Response to DDoS/Attack Claims

xmrwallet.com disappears periodically. Resurfaces at new hosting. Uses Tor as "privacy" justification. No transparency about infrastructure changes.

phishdestroy.io hit with DDoS through njal.la-registered domains after publishing investigation. NameSilo's response: silence. No investigation into who registered the attack domains.

Link Footprint Analysis What Google and Bing actually return

Neither Entity Has Organic Coverage

We scraped the top 100 results from Google and Bing for both "xmrwallet" and "namesilo". The results are revealing: neither entity has meaningful organic web presence. Both survive entirely on paid placement, platform profiles, and auto-syndicated PR releases.

xmrwallet Google results: 100 links — almost all are paid crypto-spam sites (cryptopotato, newsbtc, captainaltcoin, forexcrunch, beincrypto), Kwork-seeded articles, and scam warnings
xmrwallet Bing results: 122 links — same pattern, plus guru99 affiliate pages in 5+ languages, ChatGPT results (Bing hallucination)
NameSilo Google results: 97 links — exchange filings (CSE, Yahoo Finance), coupon sites (couponfollow), review blogs, DNS tutorials, and PR Newswire syndications
NameSilo Bing results: 121 links — same pattern plus BBB complaints, FTC warning letter, Forbes review

Key finding: Neither entity has earned organic media coverage. No independent investigative journalism (until PhishDestroy). No industry analyst coverage. No technical community recognition. Both exist in a bubble of paid placement and auto-syndicated PR.

xmrwallet's Paid Link Network

The xmrwallet SERP results reveal a purchased link network across crypto-spam sites:

cryptopotato.com — paid "review" article positioning xmrwallet as "convenient and simple"
newsbtc.com — sponsored article: "The First Web-based Anonymous Monero Wallet"
captainaltcoin.com — paid inclusion in "Best Monero Wallets" listicle
forexcrunch.com — paid announcement of Tor browser launch (2018)
beincrypto.com — paid inclusion in wallet comparison articles
medium.com/@oliviasmith1978 — fake "review" by sock puppet account (appears twice)
peakd.com, steemit.com, spark.ru — blog-spam on free platforms
prnewswire.com — paid press release ($500-1,500 per release)
Various weebly.com sites — auto-generated spam microsites

Total estimated spend on SEO/PR: $5,000 — $15,000+ for a "free volunteer project."

NameSilo's PR Infrastructure

NameSilo uses PR Newswire as its primary investor relations channel. The full PR distribution chain:

PR Newswire (prnewswire.com) — primary distribution, 10+ releases documented. All quarterly reports, acquisitions, corporate updates
Newswire.ca — Canadian distributor, mirrors PR Newswire releases (NameSilo is Canadian-incorporated)
CSE (thecse.com) — Canadian Securities Exchange mandatory filings
SEDAR+ — Canadian equivalent of SEC EDGAR
Stockwatch — financial news syndication
Yahoo Finance / Nasdaq / Moomoo — auto-syndicated from PR Newswire
Placera.se — Swedish financial news site. NameSilo buys placement for press releases, writes about itself in third person. [Cached page]
Morningstar.com — financial data platform, auto-syndicated from PR Newswire

All quarterly reports, acquisitions, and corporate updates flow: PR Newswire → newswire.ca → Yahoo Finance/Nasdaq automatically. PR Newswire is their primary and most used PR channel. NameSilo's stock page on Yahoo Finance (URLOF) and Morningstar cite these PR Newswire releases directly as the source of company news. It's their corporate voice.

We discovered this connection by accident. While reviewing NameSilo's CSE listing and stock exchange page, we noticed all their press releases were distributed via PR Newswire. Then we checked xmrwallet's PR releases — same platform. A "volunteer open-source Monero wallet" uses the same premium corporate PR distribution service as a publicly-traded Canadian registrar. With a fake phone number (+1 300-227-473) and a persona ("Nathalie Roy, Founder"). This is either someone with access to NameSilo's corporate PR Newswire account, or someone using the same PR agent. A volunteer does not independently discover and purchase $500-1,500 PR Newswire distribution.

PR Newswire Releases All cached, 15 pages archived

Archived Evidence

All PR Newswire pages for both entities have been downloaded and preserved in our archive. 15 HTML files totaling ~3MB. These pages may be modified or removed — our copies are permanent.

xmrwallet releases: 3 pages archived (browse)
NameSilo releases: 12 pages archived (browse)
Google SERP dumps: xmrwallet (100 links) · NameSilo (97 links)
Bing SERP dumps: xmrwallet (122 links) · NameSilo (121 links)

xmrwallet.com

XMRWallet Expands Privacy Access with Full Tor Network Integration

January 21, 2026

Published on PR Newswire. Announces Tor integration as a "privacy" feature. Positions the scam wallet as a legitimate privacy tool.

Contact listed: Nathalie Roy (Founder), [email protected], +1 300-227-473

xmrwallet.com

XMR Wallet Upgrade Website to Support Charities and Developing Countries

April 19, 2023

"Support Charities" — a wallet that steals user funds publishes a PR release about charity. The irony would be funny if real people weren't losing real money.

xmrwallet.com

Companies Embrace Cryptocurrency to Grow Business in 2023

September 26, 2023

Generic crypto-industry PR release. Designed to make xmrwallet.com appear as a legitimate industry participant rather than a documented scam operation.

NameSilo Technologies Corp

NameSilo Technologies Corp. Announces 2025 Year-End Results

May 1, 2026

Investor relations release on PR Newswire. Revenue from managing 6M+ domains, including those hosting phishing operations they refuse to act on.

NameSilo Technologies Corp

NameSilo Surpasses 6 Million Domains Under Management

January 22, 2026

Published one day after xmrwallet's Tor integration release. Same platform, same week. Celebrates domain count milestone. Doesn't mention what percentage of those 6M domains are used for fraud.

NameSilo Technologies Corp

NameSilo Technologies Corp. Closes Strategic Acquisition of Reach Systems

February 2026

Corporate acquisition announcement. PR Newswire is NameSilo's primary channel for all investor communications.

NameSilo Technologies Corp

NameSilo Technologies Corp. Announces Q3 2025 Results

November 2025

Quarterly financial results. All syndicated automatically to Yahoo Finance, Nasdaq, Moomoo, Morningstar via PR Newswire → newswire.ca pipeline.

NameSilo Technologies Corp

+ 9 More NameSilo Releases on PR Newswire

2025 — 2026

Q1/Q2/Q3 results, Sewervue acquisition (LOI + definitive agreement), CommerceHQ acquisition, subsidiary $560K sale, Reach Systems LOI + close. All 12 releases archived in our evidence folder. Browse all cached pages →

Response Timeline How both entities respond to evidence

xmrwallet operator

2023 — 2025

GitHub Issue #35 filed documenting theft mechanism. Trustpilot reviews accumulate (80+). Reddit PSA warnings posted. BitcoinTalk alerts. YouTube exposures. Operator response: silence. Zero engagement with any evidence.

NameSilo

December 2024

FTC sends official warning letter about domains registered through NameSilo impersonating the FTC itself. BBB complaints filed. ICANN complaints submitted. NameSilo response: "we had received no abuse reports."

xmrwallet operator

Early 2026

"Nathalie Roy" sends threatening emails to PhishDestroy volunteers. Instead of addressing stolen funds evidence — threats. Pattern: threats replace arguments.

xmrwallet operator

January 21, 2026

Publishes PR Newswire release about "Tor Network Integration" — $500-1500 for manufactured legitimacy instead of addressing theft reports.

NameSilo

January 22, 2026

Publishes PR Newswire release: "Surpasses 6 Million Domains." One day after xmrwallet's PR release. Both using the same platform, same week.

NameSilo

April 2026

PhishDestroy submits detailed abuse report with evidence. NameSilo claims "in-depth review" found no issues. Zero documentation of review process.

NameSilo

May 11, 2026

Responds on Twitter/X: "Your claims are false, libelous and defamatory. NameSilo takes action and reviews all abuse reports submitted to us... halt your falsehoods towards us or we will be forced to undergo legal action." 107 replies, 417 views. Threats of legal action instead of addressing a single piece of evidence. Same pattern as "Nathalie Roy." [Screenshot]

The Improbability Argument Statistical and behavioral coincidences

Three Improbable Coincidences

Consider these three facts together:

1. The operator invites us to subpoena the registrar — and the registrar helps him. On February 17, 2026, the xmrwallet operator emailed PhishDestroy: "Feel free to subpoena the domain registrar for my information." A guy running a ten-year crypto drainer, on $550/month bulletproof hosting in Belize, behind Russian DDoS-Guard, calmly invited a security research organization to subpoena his own registrar. Nobody behaves like that with a registrar that might shut them down. He already knew how NameSilo would react. And he was right — NameSilo not only refused to act, they publicly offered to help him remove VirusTotal security detections. The operator later escalated: "I've hired a lawyer and a private investigator" (February 23). No lawyer ever appeared. No PI ever made contact. But the confidence was real — because NameSilo had his back. This is not an adversarial relationship. This is a partnership.

2. A registrar ignores 10 years of theft reports — while laundering millions through phantom domains. xmrwallet.com has been documented stealing funds since at least 2018. GitHub issues, Trustpilot reviews, Reddit PSA threads, BitcoinTalk warnings, an FTC warning letter, ICANN complaints — all publicly available. NameSilo claims "we had received no abuse reports" and their "in-depth review found no issues." Meanwhile, the same registrar manages 5.18 million domains of which 81.5% are dead, with 615% registration spikes and serial-pattern bulk purchases (37,375 groups of sequential domains like 3967a.app/3967b.app/3967c.app). The revenue from these phantom registrations is millions of dollars annually. A company actively processing millions in suspicious domain registrations has a financial interest in not investigating fraud — because investigation leads to questions about their own revenue.

3. Both entities have nearly identical web footprints — almost no organic presence. xmrwallet: 94 referring domains, almost all purchased crypto-spam articles and Kwork-seeded links. NameSilo: 102 referring domains, mostly exchange filings, coupon affiliates, and DNS tutorials. Neither has earned organic media coverage. Both rely entirely on paid placement. Both use the same PR distribution platform (PR Newswire/Cision). The probability of a random "volunteer wallet" independently choosing the same premium corporate PR service as one specific publicly-traded Canadian registrar is vanishingly small.

Each coincidence alone might be explained away. Together, they describe a single operation: a scam wallet generates stolen crypto, the registrar launders it through phantom domain registrations, and both entities protect each other from scrutiny using threats, paid PR, and coordinated silence.

Why Does a "Volunteer Wallet" Behave Like a Corporation?

xmrwallet.com claims to be a free, volunteer-run Monero wallet. Yet the operator:

• Pays $500-1,500 per PR Newswire release (at least 3 releases = $1,500-4,500)
• Pays $200/month for Twitter/X Gold verification
• Runs coordinated bot campaigns on Twitter (44+ bot accounts documented)
• Buys Kwork SEO services for link spam
• Lists a contact phone number (+1 300-227-473) and named founder on PR releases
• Has zero organic coverage — 94 referring domains, almost all purchased

This spending pattern is not consistent with volunteer work. It is consistent with an operation that has a revenue source — and the documented revenue source is stolen Monero from wallet users.

Why Does a Registrar Respond Like a Scam Operator?

NameSilo Technologies Corp (CSE: URL, ICANN #1479) is a publicly-traded company managing 6 million domains. Yet when confronted with evidence of abuse, they:

• Deny receiving abuse reports that were demonstrably submitted
• Claim "in-depth review" with zero documentation or transparency
• Respond with "halt your falsehoods or we will be forced to undergo legal action" instead of facts
• Use PR Newswire releases to project legitimacy while refusing basic abuse prevention
• Ignore FTC warning letter (Dec 2024) without public acknowledgment
• Have 102 referring domains with almost no organic coverage — same void as the scam they protect

A registrar managing 6 million domains should respond to abuse evidence with transparency and action. Instead, NameSilo responds with the same playbook as the scam operator they protect: deny, deflect, threaten, buy PR.

What a Normal Response Looks Like

For comparison, here's how legitimate registrars respond to documented fraud:

Namecheap: Acknowledges reports, provides ticket numbers, suspends confirmed abuse domains within 24-48 hours
Cloudflare: Published transparency reports, dedicated abuse team, automated takedown workflows
Porkbun: Responsive abuse handling, proactive communication, transparent process
Normal response: Acknowledge → Investigate → Document → Act → Report back
NameSilo response: Deny → "In-depth review" → Threaten legal action → PR release
xmrwallet response: Silence → Threaten volunteers → PR release → More bot tweets
The pattern is identical.

NameSilo Financials Follow the money

The Numbers: $65.5M Revenue, $2.2M Net Income, 6.26M Domains

NameSilo Technologies Corp (CSE: URL, OTC: URLOF) reported 2025 year-end results via — of course — a paid PR Newswire release. Key figures:

Annual Revenue: $65,468,311 (up 18.5% from $55.2M in 2024)
Net Income: $2,192,261 (first profit ever — 2024 was a loss of -$304K)
Operating Cash Flow: $9,736,395
Cash on hand: $3,600,332
Domains under management: 6.26 million from ~160 countries
Deferred revenue: $32,750,108 (prepaid domain registrations)
Debt: $0 (recently paid off)
CEO: Paul Andreola — CEO NameSilo LLC: Kristaps Ronka
Growth: From $10.6M revenue / 1.85M domains (2017) to $65.5M / 6.26M (2025)

Where Does $65.5M Come From?

NameSilo's revenue is domain registrations. At an average of ~$10 per domain per year, 6.26 million domains = ~$62.6M. The math checks out. But here's the question:

• 81.5% of their domains are dead (our analysis of 5.18M sample). That's ~5.1M dead domains generating ~$51M in revenue annually.
• 99.65% show zero confirmed traffic. Who pays $10/year to renew a domain nobody visits?
• Serial registration patterns: 37,375 groups of sequential domains (3967a.app/3967b.app/3967c.app). Not organic registrations.
• Bulk spikes: 25 days with 10,000+ registrations each. Not organic growth.
• Net income of $2.2M on revenue from mostly-dead domains. This is the first year they turned a profit. The business model runs on volume — millions of domains that nobody uses, renewed year after year.

A company whose revenue depends on millions of phantom domain registrations has a financial incentive to not investigate abuse — because investigation reveals that most of their "customers" aren't real.

PR Newswire as Fake Journalism

Every NameSilo "news article" on Yahoo Finance, Morningstar, Nasdaq, Moomoo, and Placera.se is the same PR Newswire press release — written by NameSilo, about NameSilo, in third person, distributed as "news." The PR Newswire label says "This is a paid press release." But the syndication makes it look like media coverage.

The pipeline: NameSilo writes a press release about itself → pays PR Newswire $500-1,500 → PR Newswire syndicates to Yahoo Finance, Morningstar, newswire.ca → these appear as "news articles" on financial platforms → NameSilo cites them on their CSE listing page as "media coverage." It's a company paying to cite itself as a source.

The platforms themselves say so:

• Yahoo Finance shows a grey banner: "This is a paid press release. Contact the press release distributor directly with any inquiries." With CISION logo. The platform has no editorial involvement — NameSilo writes the content, pays for distribution, Yahoo publishes it unedited.

• Forbes Advisor shows: "We earn a commission from partner firms" + "Advertiser Disclosure." This is not independent journalism — it's a paid review placement (~$50,000+). Forbes provides the template, NameSilo pays for the slot.

• Placera.se (Swedish financial site) publishes NameSilo press releases verbatim — company writing about itself in third person, syndicated as "financial news." [Cached page]

xmrwallet does the exact same thing. Same platform. Same trick. Different budget. Or the same budget.

What Does Canada Get?

NameSilo Technologies Corp is incorporated in British Columbia, Canada. Listed on CSE (Canadian Securities Exchange). Their contribution to the Canadian economy:

Net income of $2.2M — first profitable year ever. Prior years: losses. Tax contribution: minimal.
Employees: Not disclosed in filings. The LLC operates from Phoenix, Arizona (US).
Canadian presence: A Vancouver mailing address and a CSE listing. The actual domain business (NameSilo LLC) is a US entity.
Acquisitions: SewerVue Technologies (robotic sewer inspection), Reach Systems, CommerceHQ, ShortURL. Diversifying away from domains — or building a conglomerate to obscure the core business?
What Canada gets: A company that brings zero tax revenue (losses until 2025), operates from the US, hosts documented phishing infrastructure, ignores FTC warning letters, and uses a CSE listing for legitimacy while managing 5+ million dead domains.

The Falsification Test

Run any registrar through these criteria. Only one matches.

Take Namecheap, Porkbun, Tucows, GoDaddy — any registrar on Earth — and compare it to xmrwallet.com using the criteria below. You will find zero matches. Now run NameSilo. Every single line lights up.

1. Operator invites subpoena of his own registrar. Not afraid. Registrar fabricates a cover story he never asked for.

2. Registrar offers to remove VirusTotal detections. No registrar in history has done this.

3. Same response style: threats instead of arguments. Same arrogance. Same void where substance should be.

4. Same PR pipeline. PR Newswire costs $195–249/yr membership + $805–3,000+ per release. Built for publicly-traded companies. Free alternatives exist. Yet a "volunteer wallet" (zero donations, fake phone, $550/mo DDoS-Guard in Russia, deleted source code) publishes there — same platform where NameSilo files CSE quarterly earnings. Contact listed: "Nathalie Roy, +1 300-227-473" (fake — area code 300 doesn't exist), [email protected] (PR Newswire enterprise relay), promoting "discreet financial tools for charitable organizations." A $100M theft operation posing as charity infrastructure on a stock-price platform. The release announces "Tor Network Integration" for an "open-source" project whose last GitHub commit was Nov 6, 2018 — 7+ years before the release. No Tor code was ever committed. The "open-source" repo is a 2018 audit prop. They paid $800+ to advertise a feature that doesn't exist in their codebase.

5. Same Trustpilot playbook. Both delete negatives. Both plant bots. Victim reporting theft = deleted. Bot writing "Leonid was very helpful" = approved.

6. Same suppression: DMCAs, mass-reporting, evidence destruction. Not disproval — erasure.

7. Zero organic coverage for both. 94 vs 102 referring domains. Namecheap has thousands. GoDaddy tens of thousands. Every NameSilo "article" is self-written and paid to syndicate.

8. C$5.9M in "digital currency" on the balance sheet. 81.5% dead domains. $50.8M phantom revenue. Then they bought a sewer inspection company.

9. When cornered: evidence destruction. Operator deletes GitHub code. NameSilo locks Twitter via Gold Checkmark. Insider doxxes researcher, deletes tweets. Farewell letter posted. Domain still active.

Run this on Namecheap. On Porkbun. On Tucows. How many match?

Zero. Only NameSilo. Every line. Every time.

Note on methodology: All SERP dumps are provided as raw text files. If you believe our analysis is not objective — replicate it. We also provide all 2,480 surviving NameSilo Trustpilot reviews. Pay attention to how many 5-star reviews mention "Leonid" by name — and how many verified victims were deleted as "guideline breaches."

The PR pipeline: NameSilo writes about themselves in third person → pays PR Newswire $805+ → Yahoo Finance publishes with label "paid press release" → CSE stock page shows "media coverage" → investors see "news." Nobody wrote about them. Every "fastest-growing registrar" headline is their own copywriter. And the same pipeline publishes releases for a "volunteer wallet" with zero donations, a fake phone, and a codebase frozen since 2018. Same pipeline. Same copywriter. Same entity.

SERP proof — PR Newswire in search results

We scraped Google + Bing for all four entities (SerpAPI, same methodology). PR Newswire column:

xmrwallet: 3 PR Newswire results (222 total, 94 unique domains)

NameSilo: 38 PR Newswire results (218 total, 102 unique domains)

Namecheap: 0 PR Newswire results (178 total)

NiceNIC: 0 PR Newswire results (77 total)

Wallet test

We also scraped SERP for Cake Wallet and getmonero.org. If xmrwallet is a real wallet, it should look like them:

PR Newswire: xmrwallet=3 CakeWallet=0 getmonero=0 NameSilo=37

Crypto spam: xmrwallet=10 CakeWallet=0 getmonero=0

Legit news: xmrwallet=0 CakeWallet=2

No legitimate wallet uses PR Newswire or buys crypto-spam articles. xmrwallet's SERP matches NameSilo, not Cake Wallet. It's not a wallet — it's a PR operation with a theft backend.

Registrar test

Namecheap is the 6th largest registrar. NiceNIC is one of the worst. Neither uses PR Newswire. Only xmrwallet and NameSilo. Raw dumps: NC Google · NC Bing · NiceNIC Google · NiceNIC Bing

A Note From PhishDestroy

We have a victim's own screenshot of her deleted review. We have Wayback Machine snapshots proving reviews disappeared — 7 confirmed from xmrwallet, 129 from NameSilo in four months. We have PR Newswire releases from both entities on the same platform. We have the operator's email inviting us to subpoena his own registrar. We have NameSilo's public tweet threatening legal action instead of addressing a single piece of evidence. We have Yahoo Finance's own label: "This is a paid press release." We have Forbes' own disclaimer: "We earn a commission."

We are fully confident in every claim on this page. Every screenshot is real. Every Wayback Machine link is publicly verifiable. Every PR Newswire page is archived. Every deleted review name can be cross-referenced. We did not fabricate a single data point. We did not need to.

And we have more. Much more. What you see here is what we chose to publish today. There is evidence we are holding back — not because it's weak, but because we release it when it matters most. Every time they lie, we publish another layer. Every time they threaten, we add another mirror. Every time they delete, we've already archived.

Ask yourself — honestly — can there really be this many coincidences?

A scam operator invites you to subpoena his own registrar — and isn't afraid of the answer. Then he threatens you with lawyers who never appear. A "volunteer" running a "free open-source wallet" spends $500–1,500 per press release on the same corporate PR platform where his registrar files quarterly earnings. The registrar — a publicly-traded company — goes on Twitter and declares this client innocent, publicly commits to helping him remove VirusTotal detections, and tells researchers to "halt your falsehoods or face legal action." Not a word about the evidence. Not a single fact addressed.

Both entities maintain Trustpilot pages that nobody organically reads — and both obsessively clean them. Both delete negative reviews. Both plant low-quality bots. Both buy paid articles to prop up products that can't earn organic coverage on their own. Look at NameSilo's website — a registrar managing 6 million domains with a UI their own CEO admits needs a "complete UX overhaul" after seven years. Now look at xmrwallet's promotional materials — SEO articles ordered on Kwork for 500 rubles, bot tweets from accounts with anime avatars, PR Newswire releases about "charity support." The same level of taste. The same contempt for the audience. You think this is a coincidence? Or do they simply not ban themselves?

We have documentation of 31+ abuse reports submitted since 2018. Eight years of reports. NameSilo says they received none. We killed four of the operator's domains — domains registered for five to ten years each. He had paid for a decade of infrastructure because he believed it was untouchable. When we took them down, one by one — .cc through one registrar, .biz through another, each time through registrars that actually read abuse reports — the operator understood that the game had changed. But the real asset in this operation was never xmrwallet.com. xmrwallet is the storefront. The bank — the laundromat — has always been NameSilo.

We'll be direct: we have a good nose for this particular type of operator. Untalented. Predictable. Russian-speaking, based on the forensic trail. We haven't identified them by legal name yet — but we are close, and they know it. Every threat they send leaves a trace. Every review they delete confirms the pattern. Every false DMCA they file adds another exhibit. The psychology of deception is remarkably consistent: when cornered, fraudsters do not produce evidence — they produce threats. And these two entities, when cornered, produce exactly the same threats, in exactly the same tone, through exactly the same channels.

So I'll ask the question plainly: what is our motive?

PhishDestroy is a volunteer initiative. We do not sell domains. We do not compete with NameSilo. We do not hold short positions on their stock. We have no commercial interest in this investigation whatsoever. We have spent months — thousands of hours — documenting evidence, building archives, deploying to permanent immutable storage. For free. Nobody pays us. Nobody asked us to do this. We do it because people are losing money and the systems designed to protect them are failing.

So you have two options. Either we are deranged individuals who have dedicated an unreasonable amount of time to fabricating elaborate evidence against a random Canadian domain registrar, for no discernible personal gain — or they are exactly what eight years of evidence says they are: a registrar that profits from fraud, shelters a theft operation, deletes criticism, manufactures reviews, threatens researchers, ignores regulators, and hides behind press releases it writes about itself in third person.

What Happened When We Tested Them May 11–12, 2026

We tagged NameSilo on Twitter. Not by accident — deliberately. We wanted to see how they would respond when confronted publicly with the evidence. We already knew the answer, because fraud operators are predictable. The psychology of deception follows patterns: when cornered, they never engage with facts. They threaten. They deflect. They produce lawyers instead of evidence.

Here is NameSilo's official response:

NameSilo Twitter response - threats instead of facts

"Your claims are false, libelous and defamatory. NameSilo takes action and reviews all abuse reports submitted to us... halt your falsehoods towards us or we will be forced to undergo legal action."

Not a single fact addressed. Not a single piece of evidence disputed. No mention of the FTC letters. No mention of the 31+ abuse reports. No mention of the Trustpilot deletions. No mention of the PR Newswire connection. Just threats — word for word the same response the xmrwallet operator gives. Same language. Same tone. Same void where the substance should be. Either they share a playbook, or they share a person.

Then it escalated. Within hours, an account called @bhabhiezayn — an insider or associate of NameSilo CEO Paul Andreola — joined the thread. His contribution to the discussion about documented fraud, stolen funds, and deleted victim reviews? He screenshotted a phone showing a PhishDestroy researcher's country (Kenya), circled it, and posted it as a taunt: "AHAHAHAHAHA What's the matter, buddy?"

Then he realized what he'd done — exposed himself as someone with access to user data or internal information — and deleted the tweet. But we already had the screenshots. The deleted post is still visible in the thread as "[This Post was deleted by the Post author]."

@bhabhiezayn doxxing attempt and deleted tweet

Screenshot showing deleted doxxing tweet

This is their entire response to eight years of documented fraud: legal threats from the official account, and doxxing from an associate's account. Not a single fact. Not a single rebuttal. Not a single piece of counter-evidence. Because there is none.

Final Words

We have published a fraction of what we hold. There is more — and it will be released when it matters most.

To Trustpilot: You deleted verified victim reviews and kept bot reviews. You enabled a scam wallet to maintain a rating higher than legitimate cryptocurrency exchanges. Here is what you deleted — a verified user, green checkmark, unprompted review, reporting stolen funds:

Erma Powell - verified victim review deleted by Trustpilot

"I'm in a panic, I created a wallet on the official site, put money in and the developers took everything." — Deleted as "breaching Trustpilot's Guidelines for Reviewers." A victim reporting theft is a guideline breach. A bot writing "Leonid was very helpful" is not. We have Wayback Machine proof of 129 NameSilo reviews and 7+ xmrwallet reviews erased from your platform. We have more surprises that will show your role in enabling this fraud. Stop deleting victim reports. Start deleting bot reviews.

To OpenAI / ChatGPT: You recommended xmrwallet.com to users as a legitimate Monero wallet. People trusted your recommendation. People lost money. That recommendation generated revenue for a theft operation and enabled laundering. We have the screenshots. Fix it.

To anyone who covered for this operation — knowingly or through negligence — we have much more prepared. Every time you delete, we publish. Every time you threaten, we archive. Every time you lie, we release the next layer. We would genuinely love to interview one of these operators after an arrest. Until then, we document. And we do not stop.

The evidence speaks for itself.