NameSilo Defended a $100M Crypto Drainer — Then Took Down Our Twitter
An ICANN-accredited registrar published 4 documented lies to protect a 10-year Monero theft operation, offered to scrub its VirusTotal record while the drainer was still live, then used a paid X Gold Checkmark to lock the researchers who proved them wrong. Their DevOps engineer: ex-Head of IT at a Russian financial pyramid for a decade.
This article is a preview. Full evidence, IPFS archives, and all source material at the link above.
The Background: What xmrwallet.com Actually Is
xmrwallet.com is not a phishing page. It is a fully functional Monero wallet with a server-side backdoor built in 2018 and running until May 2026 — nearly a decade. The GitHub repository is a public facade. The theft code exists only on the production server, never committed, never audited.
Every user interaction sends the private view key to the operator's servers via POST request, Base64-encoded in a variable called session_key — approximately 40 transmissions per session. The client-side transaction is explicitly discarded (raw_tx_and_hash.raw = 0); the server builds its own using the stolen keys.
The NewAlchemy audit earned 67 Reddit upvotes and was used as a trust signal for years. Its explicit scope: "client-side JavaScript only." Explicitly out of scope: "numerous PHP API endpoints." Those endpoints are the actual theft mechanism. The audit was structurally incapable of finding the backdoor.
The theft is selective by design. Small deposits are left untouched for years, building trust and legitimate reviews. Large amounts are stolen within minutes. One documented victim deposited 590 XMR — gone within 2 days. Conservative total across 15+ documented victims: 5,000–50,000+ XMR stolen ($1.5M–$15M+ at historical prices). 60% of victim posts mass-reported and deleted before evidence capture.
We reconstructed the gtag-based key exfiltration in a sandboxed demo. Open DevTools → Network tab → interact with the wallet. Watch session_key POST requests fire in real time. This is what ran for 10 years. This is what the "security audit" never looked at. This is what NameSilo publicly defended.
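One way to check a DevTools HAR export for the behaviour described above, as an added example (not code from the original article or from xmrwallet). It assumes the Base64 value decodes to text containing the hex view key, which the article does not specify; wallet.example, the field values and the key are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# A Monero private key is 32 bytes, usually shown as 64 hex characters.
HEX64 = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I)
TEST_VIEW_KEY = "0f" * 32  # constructed value for the sample, not a real key

def decode_b64(value):
    """Decode a form value as Base64; return None if it is not valid Base64."""
    value = value.replace(" ", "+")  # parse_qsl turns an unescaped '+' into a space
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def find_key_leaks(har, view_key=None):
    """Return (url, field) for each POST field that decodes to key material.
    With view_key set, match that exact key; without it, flag any decoded
    value containing a 64-hex run (broader, can also match hashes)."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"].upper() != "POST":
            continue
        body = (req.get("postData") or {}).get("text") or ""
        for name, value in parse_qsl(body, keep_blank_values=True):
            decoded = decode_b64(value)
            if decoded is None:
                continue
            if view_key:
                hit = view_key.lower() in decoded.lower()
            else:
                hit = HEX64.search(decoded) is not None
            if hit:
                findings.append((req["url"], name))
    return findings

def sample_har():
    """Constructed HAR fragment: one leaking POST, one harmless POST, one GET."""
    leak = base64.b64encode(TEST_VIEW_KEY.encode()).decode()
    def post(fields):
        return {"request": {"method": "POST", "url": "https://wallet.example/api",
                            "postData": {"text": urlencode(fields)}}}
    return {"log": {"entries": [
        {"request": {"method": "GET", "url": "https://wallet.example/"}},
        post({"action": "getbalance", "session_key": leak}),
        post({"action": "ping", "nonce": "bm90IGEga2V5"}),
    ]}}
```

To use it on a real capture, export the Network tab as HAR from a session with a throwaway wallet, load the file with json.load, and pass that wallet's view key as view_key.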
The Sentence That Explained NameSilo
On February 16, 2026, the operator of xmrwallet.com emailed PhishDestroy demanding report removal. He signed as "Nathalie Roy" — GitHub account nathroy, ID 39167759. We replied with a full technical breakdown and a written warning: "What happens next depends entirely on how you choose to proceed."
The next day, he sent one sentence that told us everything about his relationship with NameSilo:
Three weeks before NameSilo called him the victim
Nobody running a decade-old drainer on $550/mo bulletproof Belize hosting, sitting behind Russian DDoS-Guard, calmly invites you to subpoena his registrar — unless he already knows the answer. Three other registrars (PDR, WebNic, NICENIC) suspended his domains within days of the same evidence. NameSilo wrote him a press release and offered to clean his record.
January 21, 2026 — xmrwallet paid PR Newswire to distribute a press release stating: "private keys never reach central servers." The session_key POST requests were firing on every user session to the production server throughout this period. PR Newswire is a paid distribution service — companies write and fund their own text, with no editorial review. Source: PR Newswire, Jan 21, 2026
NameSilo's Four Lies, On the Record
On March 13, 2026, NameSilo's official account posted under our investigation thread. 11,300 views before capture. Archived permanently at ghostarchive.org/archive/CXXZ0. Every sentence is refuted by primary sources:
1. "Domain was compromised a few months ago (during which a copy of the webpage was replaced with a crypto-drainer)." SHA-256 hashes prove code was unchanged. The operator confirmed to us it was his own PHP backend, written in 2018. Nothing was injected. The "hack" story was invented after the fact. ✗ FABRICATED
2. "Prior to that, we had received no abuse reports related to this domain." PhishDestroy alone sent 20+ reports via NameSilo's portal (2023–2026), with delivery receipts. 100+ public complaints exist on BitcoinTalk and Reddit since 2018. Since this false claim, every report we file is published with timestamps before submission. ✗ CONTRADICTED BY RECEIPTS
3. "After an extensive review… not involving the registrant." The operator wrote to us February 17 defending his code as his own work — before NameSilo's tweet. He never claimed a hack. Their "extensive review" reached conclusions that contradict their own registrant's statements in writing. ✗ SELF-CONTRADICTING
4. "Working with the registrant to remove the website from VirusTotal reports." Not abuse handling — helping a confirmed scammer erase security warnings while the drainer was still live. PDR, WebNic, and NICENIC all suspended domains within days of the same evidence. NameSilo offered to scrub the record. ✗ ACTIVE HARM TO VICTIMS
Who Is NameSilo: A CIS Outsourcing Operation With a US Mailing Address
NameSilo LLC is registered in Phoenix, Arizona. Listed on the Canadian Securities Exchange as Brisio Innovations (CSE:BZI), reporting C$65.5M revenue in 2025. The actual engineering team is spread across Russia, Belarus, Ukraine, Serbia, Argentina, and Latvia. At least 13 Russian-speaking employees identified. The person with full DevOps infrastructure access spent a decade running IT for a Russian financial pyramid before joining NameSilo.
Aleksey Podashevskiy (Frontend) — Belarus, sanctioned jurisdiction, working for a US-registered ICANN-accredited registrar. 13+ Russian-speaking employees identified in total across Russia, Belarus, Serbia, Argentina, Latvia. Zero Western hosting in the xmrwallet infrastructure chain.
5.18M+ domains analyzed across NameSilo's full portfolio — every one cross-referenced against VirusTotal, URLhaus, PhishTank, abuse.ch, OpenPhish, and SURBL.
xmrwallet PHP backend reconstructed entirely from client-side behavioral traces — no server access, no source code, no cooperation. The theft mechanism was mapped from observable network patterns alone.
13 team members correlated across LinkedIn, GitHub, HeadHunter, Telegram, corporate registries, and court records across 6 countries. Trustpilot deletion patterns tracked over multiple months to identify systematic removal cadence. CSE:BZI quarterly filings cross-referenced against domain portfolio data to identify the revenue anomaly. 5.18M domains analyzed against 6 threat intel feeds. All raw data is public at github.com/phishdestroy/namesilo-evidence. Filed with ICANN, EU law enforcement, and 3 national cybercrime units.
The Domain Anomaly: 32.2% Never Activated — A Statistical Smokescreen
We pulled and analyzed every domain in NameSilo's portfolio — all 5.18M of them. Each one was checked against VirusTotal, URLhaus, PhishTank, abuse.ch, OpenPhish, and SURBL. The raw data, methodology, and per-domain findings are public: github.com/phishdestroy/namesilo-evidence. Result: 32.2% of domains have never been activated — vs 14.7–22.8% at comparable registrars. 10,000–17,000 bulk registrations in a single day (peak: 17,180 on 2025-07-19). $12M spent on never-activated domains; annual burn rate $3.2M/year on domains that serve no purpose. In 2024, when NameSilo partner ShortDot acquired new TLDs (.sbs, .cfd at ~$0.50 wholesale, sold at $14.95 retail = 22–31× markup), dead-domain registrations spiked 615% in a single year.
PrivacyGuardian hides the buyer identity on 3M+ domains (registered to pw-{hex}@privacyguardian.org). Bitcoin accepted. No KYC. Every phantom domain makes the abuse-to-total ratio look smaller.
"barely anything"
every 43rd site
1 phishing per 2.5 legit
NameSilo reports C$65.5M revenue (2025). P/E: 143.8× vs industry 21×. Revenue per real (live) domain: C$68 vs industry $10–15. 95 ICANN registrars sell .com cheaper. If bulk phantom domain registrations are washing proceeds — BTC-to-domain at 22–31× markup — they surface as "legitimate registrar revenue" in quarterly reports filed on the Canadian Securities Exchange. This pattern is documented and referred to law enforcement.
prnewswire.com — Reach Systems / NASA order, Jun 23, 2026
newswire.ca — SewerVUE acquisition, Sep 12, 2025
prnewswire.com — xmrwallet "private keys never reach servers," Jan 21, 2026
What Happened After We Published
After our reporting went live, a coordinated legal and platform suppression campaign targeted every major surface where PhishDestroy had presence. Three mechanisms — each one logged, archived, and now part of ICANN complaint #1479.
Before the lock dropped, we published a tweet predicting NameSilo would use the scammer's suppression playbook and timestamped it in GhostArchive. They did exactly what we said, on schedule. The timestamped prediction — proving we anticipated the tactic before it was used — is included in the ICANN complaint against NameSilo (ICANN #1479).
Everything is on IPFS (phishdestroy.eth), Arweave, GhostArchive, and Wayback Machine. 61 SHA-256 verified screenshots. Zero successful legal challenges to any claim. Zero technical rebuttals from the operator or NameSilo. Zero factual responses — only legal threats, ad hominem, and deleted tweets. The full investigation with raw data, team dossier, laundering analysis, and victim resources is at phishdestroy.eth.limo — mirrored across IPFS, Arweave, GhostArchive, and Wayback Machine. No Gold Checkmark reaches any of them.
Escape Domain Network: Prepared Months Before Takedown
Starting February 4, 2026 — the same week the operator first contacted PhishDestroy — he began secretly registering escape domains across 4 different registrars, prepaid 5–10 years each. The infrastructure was designed to survive any single takedown. It didn't survive the investigation.
Initial technical breakdown with full evidence: github.com/phishdestroy/DO-NOT-USE-xmrwallet-com
| Domain | Registrar | Prepaid | IP | Status |
|---|---|---|---|---|
| xmrwallet.cc | PublicDomainRegistry | 8 years | 185.129.100.248 | SUSPENDED |
| xmrwallet.biz | WebNic.cc | 5 years | 190.115.31.40 | SUSPENDED |
| xmrwallet.net | NICENIC International | 10 years | 190.115.31.40 ← | DNS DEAD |
| xmrwallet.me | Key-Systems GmbH | 10 years | 185.129.100.248 ← | ACTIVE — abuse reported |
IP clustering: 185.129.100.248 shared by .cc and .me — same host. 190.115.31.40 shared by .biz and .net — same host. Four registrars, two IP clusters. 33 years of prepaid registration. All registered in secret after first contact with investigators.
Bought Reputation: Wikipedia, Forbes, and 15+ Sponsored Articles
NameSilo's public reputation is manufactured. Wikipedia: paid/promotional flag. Forbes: "We earn a commission" affiliate disclosure. SmartCustomer: 1.8/5 — with zero negative results in Google.
NameSilo has a Wikipedia article — marked by editors as a paid/promotional article, not neutral editorial coverage. Edit history (archived): en.wikipedia.org/w/index.php?title=NameSilo&action=history
NameSilo appears on Forbes Advisor with an explicit affiliate disclosure: "Forbes Advisor adheres to strict editorial integrity standards... We earn a commission." Forbes Advisor earns money when users sign up through their links — creating direct financial incentive for positive coverage. Source: forbes.com/advisor/business/software/namesilo-review/
NameSilo holds a 1.8/5 rating on SmartCustomer — source: smartcustomer.com/reviews/namesilo.com. Despite dozens of negative reviews on record, a Google search returns zero negative coverage — active suppression using the same GDPR and DMCA tools applied against our investigation.
NameSilo Technologies Corp. (CSE:BZI / OTC: URLOF — publicly-traded parent of NameSilo LLC) uses PR Newswire for corporate announcements. PR Newswire is a paid distribution service: the company writes the text and pays for placement. Examples of paid NameSilo Technologies press releases:
- Acquisition of SewerVUE Technology Corp. — newswire.ca, Sep 12, 2025
- Subsidiary Reach Systems receives NASA order — prnewswire.com, Jun 23, 2026
The same mechanism: xmrwallet used PR Newswire on January 21, 2026 to publish its cover story ("private keys never reach central servers") while the backdoor ran. Paid distribution presenting operator-authored text as newsworthy content.
Three Positions. One Company. None of Them Survive Contact With Each Other.
NameSilo did not maintain a consistent story. They ran three mutually exclusive positions in sequence — confident expert, threatened victim, humble public servant — depending on how much legal exposure they were facing at each moment.
"Your claims are false, libelous and defamatory. NameSilo takes action and reviews all abuse reports submitted to us. If you have any such cases, please submit them to abuse@namesilo.com. Otherwise, please contact the website host or registrant directly. And halt your falsehoods towards us or we will be forced to undergo legal action."
If your abuse team had the competence to conduct an extensive in-depth review, determine the domain was hacked, identify the registrant as the victim, and begin helping him remove VirusTotal detections — then you are explicitly claiming to be more authoritative and more technically competent than every antivirus vendor that flagged this domain as malicious.
You cannot later claim that you simply process reports and lack the expertise to determine phishing. The ICANN complaint is not asking for competence you don't have. It is asking why you used the competence you demonstrably have — to help the scammer, not the victims.
Trustpilot: Bot Farms Competing With Bot Farms
One 5-star for NameSilo (Jan 2026): “Leonid was very helpful… 5 stars!” The other review: for Otrium — a company with reviews alleging fraud and stolen money. One bot account, two scam-adjacent businesses. Pattern: named support agents, praised response time, templated language. Real domain buyers review prices and panel UX. Bot reviews praise “Leonid.”
Data Analysis — 2,280 NameSilo vs 2,480 Namecheap Reviews
| Metric | NameSilo | Namecheap |
|---|---|---|
| 5-star reviews | 88.9% | 74.0% |
| 1-star reviews | 7.2% | 16.7% |
| Single-review accounts | 62.4% | 59.6% |
| No avatar (fresh accounts) | 67.3% | 51.5% |
| Reviews about support/service | 70.0% | 60.2% |
| Reviews about price/cost | 9.8% | 37.5% |
| Named agent “Leonid” | 5.7% | 0.0% |
| US geolocation | 35.1% | 26.5% |
Leonid appeared on April 13, 2025. Zero mentions before. Then 65 reviews in his first two months. May 2025: 106 reviews (5× normal), 95% five-star, zero one-star. Not one unhappy customer in 106 reviews for a registrar ranked #96 in .com pricing.
43% of Leonid reviews are under 80 characters. Four have the title just “Leonid”. Three more: “Leonid was very helpful.” Among reviewers: “Satoshi Nakamoto,” “Author,” “Виктор -”, “Anna Koroleva,” “Boris Martin,” “Andrei Dobrescu” mixed with “Brad,” “LaToya,” “Patty Johnson.” A name generator cycling through continents. The name Leonid is Russian.
Zero four-star. Zero three-star. Zero anything else. 91% single-review accounts. Over 7 years. China: 94% five-star, 80% single-review. Singapore: 95% five-star. Combined 168 reviews from Chinese-speaking markets — almost entirely fabricated.
Why China? NameSilo actively markets there: namesilo-china.com, bcbay.com/namesilo, paid Chinese blog posts, a Chinese Wikipedia article. When investigators ask “who buys 4.22 million dead domains?” — NameSilo points to China. The Trustpilot data shows they have been building this alibi since 2019, one fake review at a time.
Independent Claude API Forensic Analysis — Blind Test
2,480 NameSilo and 2,480 Namecheap Trustpilot reviews submitted to Claude API, anonymized as “Company A” (NameSilo) and “Company B” (Namecheap). The AI had no knowledge of which was which.
| Forensic Indicator | NameSilo (A) | Namecheap (B) |
|---|---|---|
| 5-star ratio | 89.1% | 74.0% |
| 1-star ratio | 7.1% | 16.7% |
| Disposable accounts giving 5 stars | 92% | ~65% |
| Reviews mentioning price | 11.2% | 39.2% |
| Named single agent in reviews | Leonid: 168 | none |
| 5-star vocabulary diversity (TTR) | 0.073 | ~0.15 |
| HK: 100% five-star | 57/57 | n/a |
| May–Jun 2025 spike (5× normal) | 215 reviews | none |
| AI manipulation verdict | 92% | 15% |
“Company A exhibits extensive, multi-dimensional evidence of systematic review manipulation through coordinated artificial generation. The probability of these patterns occurring organically approaches zero.”
Full analysis: phishdestroy.eth.limo/namesilo-trustpilot.html · Raw data: trustpilot-forensic-report-final.txt
What the Investigation Achieved
Following PhishDestroy's investigation and publication, xmrwallet.com ceased operations. The operator sent a farewell message — and notably, no longer signed it as "Nathalie Roy." The identity that had been the public face of xmrwallet for years was quietly dropped. No explanation given.
xmrwallet.com was eventually redirected to its GitHub repository — the same public facade that served as the "open-source" alibi for a decade. It took three attempts. The repository had been inactive for 5 years prior to the redirect: no commits, no updates, no maintenance — consistent with a project whose actual code lived exclusively on an unaudited production server and was never intended for public review.
xmrwallet.com transferred to Namecheap in May 2026, registered until 2036. NameSilo apparently considers this resolved. It is not.
You thought the experts who could outperform every antivirus vendor would stop when the domain moved? The investigation is on IPFS. It is on Arweave. It is in ICANN's formal complaint system. It is with EU law enforcement. It is with 3 national cybercrime units. The legal threat added one more timestamp to the file. The domain transfer added one more exhibit. Every action taken to suppress this investigation is itself documented evidence of the pattern we described.
You were not the smartest people in this situation. You just had more money for a while.


