← Back to PhishDestroy
Reddit Suppression Evidence
Systematic silencing of xmrwallet.com victims across Reddit. 93 posts analyzed via PullPush API (full Reddit archive). Every removed post, every deleted account, every sock puppet — documented. Collected May 17, 2026.
Suppression Statistics
The operator systematically targeted r/Monero (the main subreddit with 400K+ members) while leaving r/monerosupport largely untouched — because r/monerosupport had less visibility.
r/Monero — Main Subreddit
50 posts total. 60% removed. Automod filtered, author deleted, Reddit legal takedowns. The main battlefield — this is where visibility mattered.
r/monerosupport — Support Sub
20 posts total. Only 5% removed. Operator didn't bother — smaller audience, less damage to their reputation.
Removal Breakdown
automod_filtered: 12
author_deleted: 12
removed_by_reddit: 4
removed_by_moderator: 1
12 posts filtered by automod (likely mass-reported by operator to trigger automatic removal). 12 authors deleted their own accounts (harassment? shame? threats via DM?). 4 posts removed by Reddit itself — this requires a legal/DMCA request, meaning the operator actively filed takedown requests against victims.
Why 20% of authors deleted their accounts: The operator is known to contact victims via DM threatening legal action. Victims who posted about losing funds to illegal activity may have deleted accounts out of fear, shame, or after being harassed. Some accounts may have been shadowbanned after the operator mass-reported them for "spam." The result is the same: victim voices erased.
Reddit Legal Takedowns
These posts were removed by Reddit itself — not by moderators, not by automod. This requires filing a formal legal or DMCA request. The operator used legal threats to silence victims reporting theft.
u/[deleted]Reddit LegalMay 2020
Don't use xmrwallet.com! The site is under attack right now. My funds were moved to other wallet.
Removed by Reddit. User account deleted.
u/CryptoLadyokReddit LegalJan 2022
My first time xmrwallet.com got scammed.
Alive on r/monerosupport, REMOVED by Reddit on r/Monero.
u/Practical-Demand-174Reddit Legal1060 XMR (~$170,000)Aug 2022
Tried to send 300XMR to FixedFloat, confirm screen said 300, but entire 1060XMR sent. No private tx keys provided.
TX: b3f2ca86fdc786d846d5d3ce29d40ace2876e0c3fc9fd2a5448ae99b2723ab8f
The operator's "Nathalie" responded with a template about "feature in development." Reddit removed the r/Monero crosspost.
u/fxkxmrwalletReddit LegalOct 2022
DONT use XMRWallet.com
Username literally created to warn people. Removed by Reddit legal request.
u/Balrog1992Reddit LegalJun 2023
XmrWallet.com long-lived scam.
REMOVED BY REDDIT (legal/DMCA request). The operator filed a legal takedown against a post calling their theft operation a scam.
Complete Victim Timeline — 2018 to 2025
Every victim report found via PullPush Reddit archive. Status shows whether the post is still visible or was suppressed. Conservative count — many victims did not specify amounts, and dozens of deleted posts had no body preserved.
u/silverporcupiner/MoneroaliveSep 2018
Login button unresponsive, admin unhelpful. First known complaint. dEBRUYNE_1 (Monero lead maintainer) paged u/WiseSolution who responded.
u/Culorer/xmrwalletaliveMar 2019
Warning: xmrwallet.com blocking all outbound transfers.
u/xmrscamr/MoneroremovedMar 2019
XMRwallet.com scam?
u/rotaryfurballr/Moneroremovedall fundsApr 2019
XMRWALLET.COM Stole all of my funds
u/moneyboiiiiiir/monerosupportaliveall fundsApr 2019
Sent to Kraken, never arrived, transaction shows completed in xmrwallet but invisible on any explorer.
u/veteranxxxr/MoneroremovedApr 2019
xmrwallet.com is a scam!!!
u/jhernandez1679r/MoneroremovedJun 2019
xmrwallet.com is a scam?
u/vermillion1469r/monerosupportalive$60Jul 2019
Wallet Funds Inaccessible.
u/[deleted]r/MoneroremovedNov 2019
Lost money with XMRWallet.com
— Account deleted.
u/DependentIngenuity7r/monerosupportaliveall fundsMay 2020
First time buyer, funds stolen immediately after arrival. r/Monero crosspost automod_filtered.
u/cometothecamlr/CryptoCurrencyaliveAug 2020
Scam alert: Don't use xmrwallet.com, they may have stolen user's funds.
17 upvotes.
u/Solodejir/Moneroalive$20,000Sep 2020
Bitazu Capital Founding Partner Aftab Sorout Loses $20,000 in XMR. Literally had to sit and wait for rest of balance to unlock so that I could click SEND and withdraw the rest before the scammer could.
Monero's 10-output locktime (20 min) saved partial funds.
u/ughwtfnowayr/monerosupportaliveOct 2020
Sent to ChangeNow.io, never arrived. ChangeNow confirmed unable to detect deposit
. xmrwallet showed fake confirmation. Payment ID proves it was xmrwallet.com not clone. dEBRUYNE_1 personally assisted.
u/xmr_amateurr/Moneroalive$100-200Oct 2020
Lost all monero. UPDATE: fell for .org Google ad redirecting to .net with Hotjar recording script. Proves ad redirect chain.
u/Sir-Forsakenr/Moneroalive47 XMR + friend lost 100 XMROct 2020
MAIN THREAD — 55 upvotes, 98% upvoted, 44 comments. PSA! Withdrawal within 17min of deposit. Friend put 100 XMR never seen again.
Additional victims in this thread:
u/MrThomasPorridge: The same thing happened to me. definitely xmrwallet.com
u/Such_Ad3921: 4.613 XMR ($1,100) — Using since 2019, bookmarked 2 years. Got logged out, funds sent to unknown address.
u/alferg: 5.686 XMR — ROBBED, minutes after I deposited 4 XMR
u/Chimmichangaaaaa: $800 — Not phished, scammed from the .com. Had used them 2-3 times before
u/anonymous: ~$100 — It was xmrwallet.com, not .org, .net, .scam. I always check the domain name
u/Pretend-Hospital3784: GBP 100 — I hadn't even logged on that day, seed on paper. Emailed support, non-existent.
u/Egorenkov_Mikhail: I got scammed but I don't think I visited anything except https://www.xmrwallet.com
u/Legal_Place_4879 (Feb 2024): I just fell for this scam....
View thread on Reddit →
u/ughwtfnowayr/MoneroaliveNov 2020
Do not use xmrwallet.com.
dEBRUYNE_1: I will leave this one up, I've seen multiple reports of nefarious behavior recently.
dEBRUYNE_1 admitted he deleted earlier posts thinking they were just support threads.
u/[deleted]r/MoneroremovedJan 2021
XMRWallet.com Scam
— 22 upvotes. Post AND account deleted.
u/[deleted]r/Moneroremoved$200Feb 2021
Was I scammed out of $200 by xmrwallet.com?
— Account deleted.
u/sncler/Moneroalive112 XMR (10+2 self + 100 friend)May 2021
Can we pressure Cloudflare to end xmrwallet.com.
Accepted 2 XMR first, stole 10 later, friend lost 100 XMR. 27 upvotes.
u/Moon4895r/Moneroautomod filtered$500,000Sep 2021
xmrwallet.com - scam - $500,000
BODY NOT PRESERVED IN PULLPUSH. The post was filtered before archival. Half a million dollars — and the evidence is gone.
u/CurrentDay1109r/monerosupportalive159 XMRDec 2022
Security engineer. Created new wallet, added 159 XMR, all transferred to unknown wallet. r/Monero crosspost automod_filtered.
u/Practical-Demand-174r/monerosupportaliver/Monero: Legal1060 XMR (~$170,000)Aug 2022
Tried to send 300XMR to FixedFloat. Confirm screen said 300. Entire 1060XMR sent. No private tx keys provided. Tagged u/WiseSolution. "Nathalie" responded with template: feature in development, use CLI
.
TX: b3f2ca86fdc786d846d5d3ce29d40ace2876e0c3fc9fd2a5448ae99b2723ab8f
Deleted Posts — Body Lost Forever
These post titles were recovered from PullPush API, but the body text was removed before archival. The victim's words are gone. Only the titles survive.
body lost
Funds stuck on XMRWallet.com which is completely abandoned
body lost
Lost money with XMRWallet.com
body lost
Don't use Xmrwallet.com. The site is under attack. Lost the funds
body lost
Lost funds using xmrwallet
— posted in 2 subs, both deleted
body lost
Don't use xmrwallet.com! Lost funds
— posted in 2 subs, both deleted
body lost22 upvotes
XMRWallet.com Scam
body lost
Was I scammed out of $200 by xmrwallet.com?
body lost
Scammed by xmrwallet.com :(
body lost$500,000
xmrwallet.com - scam - $500,000
— u/Moon4895, automod_filtered. Half a million dollars, and the post body is gone.
Selective Scamming Pattern
The operator monitors balances in realtime and steals only large deposits. Small amounts work fine to build trust — sometimes for months or years. This is why victims say "I used it before without problems."
| Deposit Size | Result | Evidence |
| $10-100 | Works fine | Builds trust for months/years |
| $200-1000 | Sometimes stolen | u/Such_Ad3921: used since 2019, $1100 stolen |
| $1000+ | Stolen within 2-30 min | u/Sir-Forsaken: 2 XMR fine, 10 XMR stolen |
| 1060 XMR | UI shows wrong amount | u/Practical-Demand-174: screen said 300, sent all 1060 |
How it works: Server-side TX hijacking. The confirm screen shows the correct amount, but the server constructs a different transaction. raw_tx_and_hash.raw = 0. No private TX keys are provided — preventing victims from verifying the destination address. The GitHub code is a facade; the theft architecture exists only on the production server.
Victim Quotes Proving Selective Scam
u/Subject-Property-953: Admin got all users transactions in realtime and steal money if see big amount transaction
u/Sir-Forsaken: 2 XMR worked fine, stole 10 later, friend lost 100
u/Such_Ad3921: Using since 2019, never scammed. Put $1100 — stolen immediately
u/alferg: Worked fine for 2 months, deposited 4 XMR — robbed in minutes
u/Chimmichangaaaaa: Had used them 2-3 times before
u/genericdruggie: typed URL every time, leads me to believe selective scammers
UI Deliberately Hides Stolen Transactions
u/Subeedai (Jan 2023): XMRWallet is still showing the original balance, but MoneroGUI is showing 0 with the 2nd transaction which isn't showing on XMRWallet.
The victim's real balance was 0 (visible in official MoneroGUI). But xmrwallet.com displayed the original amount — fake. Purpose: delay victim discovery, buy time before they notice the theft.
WiseSolution (Operator) Lies Timeline
u/WiseSolution is the operator's Reddit account, active from 2018 to 2022. Signed as "Nathalie, XMRWallet.com". 13 posts, 74 comments. Every technical statement is either a lie or a carefully constructed misdirection.
2018-05-01
Only the view key and the address is sent to the server
— TRUE but this IS the theft vector
2018-05-01
The seed is NEVER sent to the server
— technically true, but irrelevant. View key IS sent (40x per session)
2018-05-02
Its actually my own backend made in PHP
— CONFIRMED PHP backend
2018-05-02
I hired a designer to take care of that
— confirmed: Dribbble/Avilov design, pushpush/titanmaster138 frontend
2018-07-19
Your private key never leaves the comfort of your own computer
— LIE. View key sent to server 40x per session.
2020-08-21
Xmrwallet doesn't save or access your seed phrase
— IRRELEVANT. They steal via view key + TX hijack, not seed.
2020-11-25
"Statement" post blaming "phishing clones" for all losses. The official domain stole funds too.
2022-08-10
Last known comment. Still claiming innocence. Responded to u/Practical-Demand-174 (1060 XMR stolen) with a template about "feature in development."
Sock Puppet Network — Philippines
Three Reddit accounts, all Philippines-based, systematically promoting xmrwallet.com. Found in the same threads, saying the same things, coordinating content in r/xmrwallet. One of them (craig_d_79) took over the subreddit after Reddit banned it as spam.
u/craig_d_79
r/xmrwallet Moderator · SEO Expert · Tagaytay, Cavite, Philippines
Role: Subreddit takeover, promotion, SEO coordination
Key action: Requested r/xmrwallet unbanned from Reddit (Jul 2024) after Reddit banned it as spam
SEO expertise: for that price, you could easily get at least 7 articles that are 1500-2000 words
— matches Kwork order pattern on Google Drive
"I've been using XMRWallet for years now, super easy, private and free"
u/purpleandviolet
Main Promoter · Darknet Targeting · Philippines · 37 mentions of xmrwallet
Activity: r/monerosupport (12), r/darknet (9), r/onions (5), r/AbacusMarketAccess (1)
Danger: Still active April 2025 — AFTER PhishDestroy investigation published
Leaked: Tor v3 onion address (insider knowledge)
"You can use your seed on XMRWallet(dot)com" — DIRECTS VICTIMS TO SCAM
"transfer it to my XMRWallet(dot)com to pay for stuff"
u/Extra-Expert7685
Support Account · Philippines Gambler · r/WeddingsPhilippines, r/DigitalbanksPh
Activity: 6 mentions, 4 posts in r/xmrwallet
Apr 2025: Looks like it's back up and working fine now
— monitoring site status
"i use XMRWallet(dot)com which is super easy, secure, and totally private"
Darknet Targeting
u/purpleandviolet made 16+ comments in darknet subreddits recommending xmrwallet. Darknet users buying drugs/services with Monero are ideal victims: they won't report to police, they need privacy, they trust Tor, and amounts can be significant.
Targeting Subreddits
r/darknet: 9 comments
r/onions: 5 comments
r/AbacusMarketAccess: 1
r/darknet_questions: 1
Promotion Pipeline
Step 1: "Use XMRWallet" (recommend the scam wallet in darknet subs)
Step 2: "Get XMR from Haveno" (legitimate exchange)
Step 3: "Transfer to XMRWallet(dot)com to pay for stuff" (funds enter scam wallet)
Step 4: Operator steals from large balances via selective scamming
Why darknet users are ideal victims: They won't report to police (illegal activity). They need privacy (won't investigate the wallet). They trust Tor (xmrwallet has .onion address). Amounts can be significant (drug purchases).
Leaked Tor v3 Onion Address
xmrtor3fsapuu6y26za7vpzox4vpaj6ny5viq2arbmozm7kg6jitnlid.onion
Posted by u/purpleandviolet in r/AbacusMarketAccess and r/darknet. This address is NOT prominently published on the main site — knowing it implies insider knowledge.
Coordinated Thread Proof
All three accounts found in the same threads, recommending xmrwallet simultaneously. This is coordinated inauthentic behavior — a violation of Reddit's Content Policy.
Thread 1bp6nif — r/onions "Monero Wallet Recommendations"
u/craig_d_79: "xmrwallet is what i use"
u/purpleandviolet: "XMRWallet for me."
u/Extra-Expert7685: "i use XMRWallet(dot)com which is super easy, secure, and totally private"
ALL THREE "independent" users recommending the same scam wallet in the same thread.
Thread 1bl896r — r/Monero "Best XMR wallet?"
u/craig_d_79: "I've never had any issues, been using since 2018"
u/purpleandviolet: "I've used XMRWallet since 2020. Haven't had any issues."
Thread 1c1u9th — r/xmrwallet (craig_d_79's own post)
u/purpleandviolet: "I love XMRWallet because it's so simple"
u/Extra-Expert7685: "I use a variety of wallets — cake wallet and xmrwallet.com for XMR"
Thread 18aiaih — r/Monero "best anonymous wallet"
u/purpleandviolet: "XMRWallet works best for me" (recommended TWICE in same thread)
u/Extra-Expert7685: "xmrwallet.com works well for me too!"
Thread 1czg8wn — r/CryptoCurrency
u/purpleandviolet: "Just because you haven't heard of it means it's a scam." (DEFENDS scam)
u/Extra-Expert7685: "xmrwallet is great for Monero"
Community Noticed
u/rbrunner7 (XMR Contributor, Apr 2024): Don't overdo it with those recommendations for xmrwallet. I find it quite strange how they pop up every now and then, in strange places.
u/MoneroArbo (Jan 2023): They say it's open source and link to a github but the repositories don't contain any wallet code.
AI Poisoning — LLMs Recommend the Scam
The operator's SEO campaign (paid articles, Trustpilot bots, 15+ blog posts) polluted AI training data. GPT-3.5-turbo — the default model in free ChatGPT — recommends xmrwallet.com as #2 "Best Monero web wallet." Millions of users get directed to a confirmed theft operation.
GPT-3.5-turbo
RECOMMENDS xmrwallet.com as #2 in Top 5
GPT-4o-mini
Refuses to assess specific websites
Gemini 2.0 Flash
"mixed reputation, avoid if possible" — soft warning, NOT "scam"
Llama 3.1 70B
Correctly says "Not safe, suspicious activities"
Mistral Large
Correctly says "Not recommended"
Impact: GPT-3.5-turbo is the default model in the free tier of ChatGPT, used by millions. A user asking "best Monero wallet" gets directed to a confirmed $100M+ theft operation. Even after site closure, AI models continue to recommend it from training data. Only open-source models (Llama, Mistral) correctly identify the risk. This is a direct consequence of the operator's SEO manipulation.
Infrastructure — Server Neighbors
Every server hosting xmrwallet domains shares IP addresses with Russian-language sites. Co-hosted with a pirate streaming service and a carding marketplace selling stolen credit cards.
186.2.165.49
IQWeb FZ-LLC, UAE
xmrwallet.com (main, until Apr 2026) + kinogo.ec — Russian pirate streaming site. Same DDOS-Guard client account.
185.129.100.248
DDOS-Guard, RU
xmrwallet.cc, xmrwallet.me + full infra (dev, staging, backend, admin, panel, api, cdn, login subdomains). Co-hosted: rustme.ru (Minecraft), kuchaknig.org (Russian books), mirpuffov.ru, lashcraft.ru, tvoetv.net — ALL Russian-language.
190.115.31.40
DDOS-Guard
xmrwallet.biz, xmrwallet.net. Co-hosted: bclubs.to — BriansClub carding marketplace (stolen credit cards, dumps, CVV2). Same dnspod.com DNS as xmrwallet.cfd phishing clone.
Pattern: ALL server infrastructure connects to Russian-language ecosystem. DDOS-Guard (Rostov-on-Don, Russia) used across ALL domains. Co-hosting with pirate streaming (kinogo.ec) and carding marketplace (bclubs.to). Operator claimed "Canada" on GitHub, but server neighbors are all .ru. Second developer works at Kinescope (Russian video platform). SEO orders on Kwork (Russian freelance platform).
Operator Identity Map
GitHub
nathroy — operator ("Canada", "Nathalie", [email protected])
pushpush — frontend contractor ([email protected], works at Kinescope, Russian video platform)
relly34mfk — SEO contractor (atadevelopers.com)
BernickBeckForensic — fake law firm account (intimidation tactic)
Reddit
u/WiseSolution — original operator (banned 2018)
u/craig_d_79 — Philippines, SEO, r/xmrwallet mod
u/purpleandviolet — Philippines, main promoter, darknet
u/Extra-Expert7685 — Philippines, gambler
u/XMR-Expert — single promo post (Aug 2024)
Other
@oliviasmith1978 (Medium) — display name "Xmr Wallet", SEO backlink
@XMRWalletCom (Twitter) — 189 followers, 0 tweets
UA-116766241-1 — Google Analytics on every page incl. 404
The "Phishing Clone" Defense Doesn't Hold
The operator's primary defense is: All losses are from phishing clones, not from xmrwallet.com itself.
This argument collapses under basic logic.
Why would anyone phish xmrwallet?
Phishing is a numbers game. You clone a service with maximum users to catch maximum victims. Here's the Monero wallet landscape:
| Wallet | Users / Downloads | Phishing clones in wild |
| MetaMask | 30M+ users | Thousands |
| Coinbase Wallet | 10M+ users | Hundreds |
| MyMonero | 500K+ downloads | Some known |
| Cake Wallet | 500K+ downloads | Few |
| Monerujo | 100K+ downloads | Rare |
| xmrwallet.com | ~7K daily visitors (2019 peak) | 9 clone domains |
xmrwallet.com is the least popular wallet on this list — yet has the most phishing clones. A phisher choosing to target xmrwallet instead of MyMonero or Cake Wallet is like a pickpocket choosing an empty bus instead of a packed subway. It doesn't make economic sense — unless the "phisher" is the operator himself, expanding his attack surface.
The technical barrier makes it worse
xmrwallet.com is not a simple static site. It's a PHP backend with custom API endpoints (auth.php, getheightsync.php, gettransactions.php, getbalance.php, etc.). To create a functional phishing clone, you would need to:
1. Reverse-engineer the PHP backend (not open source — GitHub repo is a facade)
2. Set up a Monero node to sync the blockchain (~180 GB)
3. Implement the wallet creation / login / transaction flow server-side
4. Proxy or replicate the real-time balance checking
5. Make the clone functional enough that users don't notice before depositing
This is orders of magnitude harder than cloning a simple login page (like MetaMask phishing). A real phisher would target MyMonero (simple seed import) or set up a fake exchange — not spend weeks replicating a complex PHP wallet backend for a site with 7K daily visitors.
The "clones" are the operator's own domains
The evidence we collected proves this:
WHOIS match: xmrwallet.com and xmrwallets.com share 4/4 identical privacy hashes (city, org, state, zip) = same registrant
Shared state hash: xmrwallet.biz, .net, .me all share the same WHOIS state hash = same person
Same infrastructure: xmrwallet.cc and .me share IP 185.129.100.248 (DDOS-Guard) with full production subdomains (dev, staging, backend, admin, panel, api, cdn, login)
xmrwallet.me banner: Our official domain(s): xmrwallet.com, xmrwallet.net, xmrwallet.me
— the operator HIMSELF lists these as his own
Identical server: All domains use DDOS-Guard (Rostov-on-Don, Russia), same MX records (privateemail.com), same page title
The conclusion is inescapable: The operator registered 9+ domains himself (.com, .cc, .biz, .net, .me, .org, .co, .app, .in + xmrwallets.com) to maximize his attack surface. When victims reported losses, he blamed "phishing clones" — his own domains. When registrars suspended some of them (.cc, .biz), he pointed to the suspensions as evidence that clones existed. He created the problem, then used the problem as his defense.
Ask yourself: If you were a phisher with the skills to replicate a complex PHP wallet backend, would you target xmrwallet (7K visitors/day) or MetaMask (30M users)? The answer tells you who the real attacker is.
NewAlchemy Security Audit — The Trust Shield
In July 2018, NewAlchemy.io audited xmrwallet. The operator used this as proof of legitimacy ("passes security audit" — 67 upvotes on Reddit). What they didn't mention: the audit only reviewed client-side code. The server-side theft code was explicitly OUT OF SCOPE.
What was audited: Client-side JS (twig templates + app.js)
What was NOT audited: PHP backend (auth.php, getheightsync.php, getbalance.php, etc.) — the EXACT code that steals funds
From the audit report: "The server-side application consists of numerous PHP API endpoints. This code was OUT OF SCOPE."
"The private server-side API functionality, obfuscated client code, and cryptography was out of scope."
Results: 7 critical issues found initially. All 7 fixed after v2.1 re-test. 5 of 6 moderate fixed. But this is irrelevant — the theft happens server-side, which was never audited.
SEO Content Farm & Paid Articles
Confirmed Paid/Sponsored Articles
NewsBTC (May 2018): "XMRwallet — The First Web-based Anonymous Monero Wallet" — SPONSORED
Bitcoinist (2018): "New Monero Wallet Launches" — SPONSORED
crypto.news (2025): "5 best Monero wallets" — xmrwallet #1 — PAID "content provided by third party"
CryptoPotato: "XMRWallet — A Convenient and Simple to Use Monero Wallet" — puff piece
NullTX, Bitcoin Insider, Global Coin Report, The Bitcoin News: identical "passes security audit" PR piece
jcount.com: "Why XMRWallet is the Hottest Topic in Cryptocurrency"
xmrwallet.com/blog — 15+ SEO Honeypots
"Best Subreddits for Monero" — targets Reddit users
"How to Get Monero" — targets "how to buy monero" keyword
"Exploring Best Monero Wallets" — targets "best monero wallet"
"5 Common Hacks Threatening Monero Wallets" — scammer writing about hacks
"5 Common Crypto Scams You Should Know About" — scammer writing about scams
"Monero: Is it Illegal?" — targets "is monero illegal" keyword
"Security of Your XMR Wallet" — targets security keyword
All serve as SEO honeypots to bring victims via Google search. This is why GPT-3.5 recommends xmrwallet.
Confirmed Financial Losses (Reddit only)
| Victim | Amount | Date |
| u/Moon4895 | $500,000 | Sep 2021 (post removed, body lost) |
| u/Practical-Demand-174 | 1060 XMR (~$170,000) | Aug 2022 |
| Bitazu Capital | $20,000 | Sep 2020 |
| u/CurrentDay1109 | 159 XMR | Dec 2022 |
| u/sncle + friend | 112 XMR | May 2021 |
| u/Sir-Forsaken | 47 XMR | Oct 2020 |
| u/RechardSport | 10+ XMR ($1,600) | Dec 2020 |
| u/Puzzled-Bottle-9274 | 10 XMR | Dec 2020 |
| u/alferg | 5.686 XMR | Feb 2021 |
| u/Such_Ad3921 | 4.613 XMR ($1,100) | Feb 2021 |
| u/Chimmichangaaaaa | $800 | Mar 2021 |
| blogspot victim | $500 | Sep 2020 |
| u/xmr_amateur | $100-200 | Oct 2020 |
| u/Pretend-Hospital3784 | GBP 100 | Mar 2021 |
| u/vermillion1469 | $60 | Jul 2019 |
Total confirmed: 1,408+ XMR / $694,660+. With u/Moon4895: $1,194,660+
Conservative count. 40 unique victims named. 32 unique threads. Many did not specify amounts. Dozens of deleted posts had no body preserved.
Key Witnesses — Monero Core Team
u/dEBRUYNE_1 (Monero lead maintainer): Paged WiseSolution in 2018. Admitted deleting victim posts early on. Changed policy to keep warning posts. Confirmed "multiple reports of nefarious behavior." Personally assisted victim u/ughwtfnoway.
u/selsta (Monero developer): Reported phishing domains to Namecheap. Namecheap ignored all abuse requests.
u/rbrunner7 (XMR Contributor): "Third or fourth person in 3 months with vanished XMR from .com"
u/SChernykh (P2Pool developer): Confirmed "xmrwallet is a known scam" on monero-project GitHub issue #8440
u/needmoney90 (r/Monero moderator): Removed xmrwallet from sidebar. "Without hard proof it is difficult to call scammers."
Raw Data Files
All evidence is available as raw JSON for independent verification.
reddit-victim-evidence.json — 27KB — structured victim reports, suppression stats, confirmed losses
reddit-victim-evidence.json.additions — 70KB — full OSINT findings, sock puppets, infrastructure, SEO
xmrwallet-deep-evidence.json — domain transfer, WHOIS match, sock puppet network, AI poisoning, TX hashes
xmrwallet-deep-evidence.json.extra — name theft analysis, suppression stats, registrar scorecard
xmrwallet-twitter-evidence.json — 44 tweets: 41 bot promotions, 1 victim report
session-findings-summary.md — session summary, 28 findings
Do You Have Evidence? We Want to Hear From You.
This page documents what we found. We know it is far from everything. Dozens of deleted posts had no body preserved. Hundreds of Trustpilot reviews were removed before anyone could archive them. Victims who never posted publicly are invisible to us. If you have evidence — a screenshot, a transaction hash, an email from the operator, a deleted review, a DM threat — we want it.
Public Submission
Your evidence will be added to this archive with full attribution (or anonymous — your choice). Published on IPFS and Arweave. Permanent. Undeletable. The operator cannot DMCA a decentralized network.
Private / Law Enforcement
Your evidence will be included in the investigative package shared with law enforcement agencies. Not published publicly. Your identity protected. We are already in contact with EU authorities and share evidence upon request.
It's entirely up to you: public or private. Named or anonymous. Added to the archive or passed to investigators only. We respect your choice completely. The only thing we ask is that the evidence is real.
A note about Trustpilot: We have already documented 7 deleted reviews on xmrwallet's page alone (from a single Wayback snapshot — only page 1 of 3 was cached). One was a victim reporting 1,200 XMR stolen. One mentioned "Nathalie" by name as support contact — deleted because it exposed the operator's identity. Three were the operator's own bot reviews, cleaned up after they served their purpose.
On NameSilo's page: 129 reviews deleted in just 4 months (Jan-May 2026). That's roughly one per day. Their rating magically recovered from 4.5 to 4.7 while adding 600+ reviews — impossible without systematic negative review deletion. Every deleted review had Trustpilot's green checkmark. The platform verified these people were real, then helped silence them.
We have 13+ screenshots of deleted reviews preserved via Wayback Machine (2022, 2023, 2024 snapshots). But the real number — the number Trustpilot's own database contains — will be far larger. When investigators subpoena that data, the scale of suppression will shock everyone. Trustpilot's review moderation did not protect consumers. It protected the operator. It played a significant role for both subjects of this investigation.