BREAKING: Updated July 2, 2026 — ICANN #1479 filed
Investigation

NameSilo Defended a $100M Crypto Drainer
— Then Took Down Our Twitter

An ICANN-accredited registrar published 4 documented lies to protect a 10-year Monero theft operation, offered to scrub its VirusTotal record while the drainer was still live, then used a paid X Gold Checkmark to lock the researchers who proved them wrong. Their DevOps engineer: ex-Head of IT at a Russian financial pyramid for a decade.

April 1, 2026 — Updated July 2, 2026 · PhishDestroy Research · 10 min read · 61 SHA-256 verified files
Read Full Investigation at phishdestroy.eth.limo

This article is a preview. Full evidence, IPFS archives, and all source material at the link above.

The Background: What xmrwallet.com Actually Is

xmrwallet.com is not a phishing page. It is a fully functional Monero wallet with a server-side backdoor built in 2018 and running until May 2026 — nearly a decade. The GitHub repository is a public facade. The theft code exists only on the production server, never committed, never audited.

Every user interaction sends the private view key to the operator's servers via POST request, Base64-encoded in a variable called session_key — approximately 40 transmissions per session. The client-side transaction is explicitly discarded (raw_tx_and_hash.raw = 0); the server builds its own using the stolen keys.

The 2018 "Security Audit" That Covered Nothing

The NewAlchemy audit earned 67 Reddit upvotes and was used as a trust signal for years. Its explicit scope: "client-side JavaScript only." Explicitly out of scope: "numerous PHP API endpoints." Those endpoints are the actual theft mechanism. The audit was structurally incapable of finding the backdoor.

The theft is selective by design. Small deposits are left untouched for years, building trust and legitimate reviews. Large amounts are stolen within minutes. One documented victim deposited 590 XMR — gone within 2 days. Conservative total across 15+ documented victims: 5,000–50,000+ XMR stolen ($1.5M–$15M+ at historical prices). 60% of victim posts mass-reported and deleted before evidence capture.

    # The smoking gun: client-side transaction explicitly discarded
    raw_tx_and_hash.raw = 0    # thrown away; server builds its own with stolen keys

    # ~40 POST transmissions per session, every session, since 2016:
    session_key = base64_encode(wallet_address + ":" + private_view_key)

    # GitHub: 0 occurrences of "session_key" in any commit
    # Production server: core theft variable, all versions, since 2016
The theft in one diagram: green = GitHub public repo (clean, audited, trusted). Red = production server — never in any commit, never audited, exfiltrating session_key to the operator on every session.
 Live Demo — We Rebuilt the Exploit
Watch the session_key exfiltration happen in your browser

We reconstructed the gtag-based key exfiltration in a sandboxed demo. Open DevTools → Network tab → interact with the wallet. Watch session_key POST requests fire in real time. This is what ran for 10 years. This is what the "security audit" never looked at. This is what NameSilo publicly defended.
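
A defender-side check for the transmission pattern described above, as an added example that is not part of the original investigation or its demo: it scans a HAR export from the DevTools Network tab for POST fields whose value Base64-decodes to a Monero address, a colon and a 64-hex key, matching on the shape of the value rather than on the field name. The host, address and key in the sample are constructed placeholders.

```python
import base64
import binascii
import json
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Standard Monero address: 95 Base58 characters, first character 4 or 8.
# Private view key: 32 bytes written as 64 hex characters.
LEAK_RE = re.compile(r"^([48][1-9A-HJ-NP-Za-km-z]{94}):[0-9a-fA-F]{64}$")


def decode_b64(value):
    """Return the ASCII text behind a Base64 value, or None if it is not one."""
    # A form body turns an unescaped '+' into a space; undo that, and accept
    # the URL-safe alphabet and missing padding as well.
    v = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    v += "=" * (-len(v) % 4)
    try:
        return base64.b64decode(v, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def body_fields(post_data):
    """Yield (name, value) string pairs from a HAR postData object."""
    text = post_data.get("text", "")
    if "json" in post_data.get("mimeType", ""):
        try:
            doc = json.loads(text)
        except ValueError:
            return
        if isinstance(doc, dict):
            yield from ((k, v) for k, v in doc.items() if isinstance(v, str))
    else:
        yield from parse_qsl(text, keep_blank_values=True)


def find_view_key_leaks(har):
    """List POST fields whose value decodes to '<address>:<private view key>'."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"] != "POST" or "postData" not in req:
            continue
        url = urlsplit(req["url"])
        for name, value in body_fields(req["postData"]):
            decoded = decode_b64(value)
            match = LEAK_RE.match(decoded) if decoded else None
            if match:
                # Report an address prefix only; the key is never stored.
                findings.append({"host": url.hostname, "path": url.path,
                                 "field": name,
                                 "address": match.group(1)[:8] + "..."})
    return findings


def leaks_per_endpoint(findings):
    """Count leaking requests per (host, path, field)."""
    return Counter((f["host"], f["path"], f["field"]) for f in findings)


# Constructed sample data: placeholder address and key, hypothetical host.
ADDR = "4" + "A" * 94
VIEW_KEY = "0f" * 32
TOKEN = base64.b64encode(f"{ADDR}:{VIEW_KEY}".encode()).decode()
FORM = "application/x-www-form-urlencoded"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://wallet.example/"}},
    {"request": {"method": "POST", "url": "https://wallet.example/a.php",
                 "postData": {"mimeType": FORM,
                              "text": "session_key=" + TOKEN + "&page=1"}}},
    {"request": {"method": "POST", "url": "https://wallet.example/b.php",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"session_key": TOKEN})}}},
    {"request": {"method": "POST", "url": "https://wallet.example/c.php",
                 "postData": {"mimeType": FORM,
                              "text": "note=aGVsbG8gd29ybGQ="}}},
]}}

if __name__ == "__main__":
    for key, count in leaks_per_endpoint(find_view_key_leaks(SAMPLE_HAR)).items():
        print(key, count)
```

A wallet that keeps the view key client-side should produce no findings at all; the check only sees what the browser records, so it says nothing about what a server does with keys it has already received.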


The Sentence That Explained NameSilo

February 17, 2026. One sentence. A decade of confidence in his registrar.

On February 16, 2026, the operator of xmrwallet.com emailed PhishDestroy demanding report removal. He signed as "Nathalie Roy" — GitHub account nathroy, ID 39167759. We replied with a full technical breakdown and a written warning: "What happens next depends entirely on how you choose to proceed."

The next day, he sent one sentence that told us everything about his relationship with NameSilo:

“Feel free to subpoena the domain registrar for my information.”
— Operator of xmrwallet.com, February 17, 2026
Three weeks before NameSilo called him the victim

Nobody running a decade-old drainer on $550/mo bulletproof Belize hosting, sitting behind Russian DDoS-Guard, calmly invites you to subpoena his registrar — unless he already knows the answer. Three other registrars (PDR, WebNic, NICENIC) suspended his domains within days of the same evidence. NameSilo wrote him a press release and offered to clean his record.

While the Backdoor Was Live: xmrwallet Paid PR Newswire to Claim the Opposite

January 21, 2026 — xmrwallet paid PR Newswire to distribute a press release stating: "private keys never reach central servers." The session_key POST requests were firing on every user session to the production server throughout this period. PR Newswire is a paid distribution service — companies write and fund their own text, with no editorial review. Source: PR Newswire, Jan 21, 2026


NameSilo's Four Lies, On the Record

On March 13, 2026, NameSilo's official account posted under our investigation thread. 11,300 views before capture. Archived permanently at ghostarchive.org/archive/CXXZ0. Every sentence is refuted by primary sources:


Who Is NameSilo: A CIS Outsourcing Operation With a US Mailing Address

NameSilo LLC is registered in Phoenix, Arizona. Listed on the Canadian Securities Exchange as Brisio Innovations (CSE:BZI), reporting C$65.5M revenue in 2025. The actual engineering team is spread across Russia, Belarus, Ukraine, Serbia, Argentina, and Latvia. At least 13 Russian-speaking employees identified. The person with full DevOps infrastructure access spent a decade running IT for a Russian financial pyramid before joining NameSilo.

DevOps — Full Infrastructure Access
Mikhail Chudinov
Argentina (relocated)
Previously Head of IT at SuperKopilka — Russian financial pyramid, 2007–2017. Ten years running the IT for a money circulation scheme until collapse. Self-described "crypto enthusiast." At NameSilo: full DevOps keys to all infrastructure.
Ex-pyramid IT head, 10 years
PHP Backend Developer
Ivan Borzenkov
Bryansk, Russia (+7 920)
Russia-based backend developer. GitHub: ivan1986. Direct PHP access to NameSilo backend from within Russia.
🇷🇺 Russia-based backend access
Project Manager
Vladimir Voskov
Moscow, Russia
Previously Zyfra Company — Russian state industrial automation contracts. Managing a US-registered domain registrar from Moscow.
🇷🇺 Moscow — ex-state contractor
Senior Project Manager
Tatiana Labutina
Belgrade, Serbia
Previously ForexClub Libertex — Russian forex broker, multiple EU regulatory sanctions. Belgrade: primary relocation hub for Russian professionals post-2022.
Ex-ForexClub Libertex
Also Identified

Aleksey Podashevskiy (Frontend) — Belarus, sanctioned jurisdiction, working for a US-registered ICANN-accredited registrar. 13+ Russian-speaking employees identified in total across Russia, Belarus, Serbia, Argentina, Latvia. Zero Western hosting in the xmrwallet infrastructure chain.

Scale of the Investigation

5.18M+ domains analyzed across NameSilo's full portfolio — every one cross-referenced against VirusTotal, URLhaus, PhishTank, abuse.ch, OpenPhish, and SURBL.

xmrwallet PHP backend reconstructed entirely from client-side behavioral traces — no server access, no source code, no cooperation. The theft mechanism was mapped from observable network patterns alone.

13 team members correlated across LinkedIn, GitHub, HeadHunter, Telegram, corporate registries, and court records across 6 countries. Trustpilot deletion patterns tracked over multiple months to identify systematic removal cadence. CSE:BZI quarterly filings cross-referenced against domain portfolio data to identify the revenue anomaly. 5.18M domains analyzed against 6 threat intel feeds. All raw data is public at github.com/phishdestroy/namesilo-evidence. Filed with ICANN, EU law enforcement, and 3 national cybercrime units.


The Domain Anomaly: 32.2% Never Activated — A Statistical Smokescreen

We pulled and analyzed every domain in NameSilo's portfolio — all 5.18M of them. Each one was checked against VirusTotal, URLhaus, PhishTank, abuse.ch, OpenPhish, and SURBL. The raw data, methodology, and per-domain findings are public: github.com/phishdestroy/namesilo-evidence. Result: 32.2% of domains have never been activated — vs 14.7–22.8% at comparable registrars. 10,000–17,000 bulk registrations in a single day (peak: 17,180 on 2025-07-19). $12M spent on never-activated domains; annual burn rate $3.2M/year on domains that serve no purpose. In 2024, when NameSilo partner ShortDot acquired new TLDs (.sbs, .cfd at ~$0.50 wholesale, sold at $14.95 retail = 22–31× markup), dead-domain registrations spiked 615% in a single year.

US-registered. CIS-operated. 5.18M domains, 32.2% never activated. The team connecting the dots from Phoenix to Moscow to Buenos Aires.

PrivacyGuardian hides the buyer identity on 3M+ domains (registered to pw-{hex}@privacyguardian.org). Bitcoin accepted. No KYC. Every phantom domain makes the abuse-to-total ratio look smaller.

0.43% vs 5.18M total: "barely anything"
2.34% vs HTTP-alive: every 43rd site
40.9% vs real businesses: 1 phishing per 2.5 legit

Financial Anomaly: CSE:BZI

NameSilo reports C$65.5M revenue (2025). P/E: 143.8× vs industry 21×. Revenue per real (live) domain: C$68 vs industry $10–15. 95 ICANN registrars sell .com cheaper. If bulk phantom domain registrations are washing proceeds — BTC-to-domain at 22–31× markup — they surface as "legitimate registrar revenue" in quarterly reports filed on the Canadian Securities Exchange. This pattern is documented and referred to law enforcement.

How NameSilo Manufactures "Media Coverage" for CSE:BZI Investors — 6 Steps
1. NameSilo writes a press release about themselves. In third person. "NameSilo, the fastest-growing registrar..."
3. PR Newswire pushes it automatically to Yahoo Finance, Morningstar, StockWatch, newswire.ca — to anyone who paid, no editorial review.
4. Yahoo Finance publishes it with one small label: "This is a paid press release."
5. NameSilo's CSE:BZI stock page now shows "media coverage." "Yahoo Finance covered us." "StockWatch covered us."

Nobody wrote about them. They wrote about themselves and paid to make it look like news. This is the "media coverage" on the CSE investor page of a company whose registrar publicly defended an active Monero drainer.

$805 paid press release ≠ independent journalism. CSE:BZI investors: read the label.

What Happened After We Published

After our reporting went live, a coordinated legal and platform suppression campaign targeted every major surface where PhishDestroy had presence. Three mechanisms — each one logged, archived, and now part of ICANN complaint #1479.

X / Twitter — @Phish_Destroy account locked. X Gold Checkmark gives subscribers a priority support channel not available to regular users. That channel was used to file a complaint against our account. X's own automated review system processed the case, cleared us in writing, and confirmed no violations. The lock remained regardless. We published the clearance letter before the lock even dropped — GhostArchive timestamped prediction included in ICANN #1479.
Google — GDPR erasure requests + DMCA complaints. European "right to erasure" requests were filed under GDPR to force Google to delist specific PhishDestroy investigation pages from search results. Parallel DMCA takedown notices were submitted targeting investigation URLs. Both mechanisms were applied simultaneously — legal pressure via EU privacy law, copyright pressure via US law. The investigation content itself was never successfully challenged on facts.
Bing — 108,000 pages deindexed in a single day. The entirety of phishdestroy.io — 108,000 indexed pages — was removed from Bing search in one bulk action. The timing was exact: the deindexation coincided precisely with our NameSilo reporting going public. Not a gradual crawl issue, not a technical error — a single bulk complaint that Bing processed without notice.
IPFS — they filed complaints. Nothing changed. Takedown requests were filed against the ENS domain and gateway services. phishdestroy.eth.limo remains fully operational. IPFS content is addressed by SHA-256 hash — there is no server to take down, no hosting account to suspend, no registrar to pressure, no CDN to call. The investigation exists on Arweave, GhostArchive, and Wayback Machine simultaneously. The anger is proportional to the helplessness.
One Gold Checkmark. Three legal mechanisms. 108,000 Bing pages. Every platform hit after the same publication. This is what corporate-funded silencing looks like.
We Predicted It — Timestamped in GhostArchive Before It Happened

Before the lock dropped, we published a tweet predicting NameSilo would use the scammer's suppression playbook and timestamped it in GhostArchive. They did exactly what we said, on schedule. The timestamped prediction — proving we anticipated the tactic before it was used — is included in the ICANN complaint against NameSilo (ICANN #1479).

The Archive Cannot Be Touched

Everything is on IPFS (phishdestroy.eth), Arweave, GhostArchive, and Wayback Machine. 61 SHA-256 verified screenshots. Zero successful legal challenges to any claim. Zero technical rebuttals from the operator or NameSilo. Zero factual responses — only legal threats, ad hominem, and deleted tweets. The full investigation with raw data, team dossier, laundering analysis, and victim resources is at phishdestroy.eth.limo — mirrored across IPFS, Arweave, GhostArchive, and Wayback Machine. No Gold Checkmark reaches any of them.


Escape Domain Network: Prepared Months Before Takedown

Starting February 4, 2026 — the same week the operator first contacted PhishDestroy — he began secretly registering escape domains across 4 different registrars, prepaid 5–10 years each. The infrastructure was designed to survive any single takedown. It didn't survive the investigation.

Initial technical breakdown with full evidence: github.com/phishdestroy/DO-NOT-USE-xmrwallet-com

Escape Domains — Registered After Investigation Started
| Domain | Registrar | Prepaid | IP | Status |
| --- | --- | --- | --- | --- |
| xmrwallet.cc | PublicDomainRegistry | 8 years | 185.129.100.248 | SUSPENDED |
| xmrwallet.biz | WebNic.cc | 5 years | 190.115.31.40 | SUSPENDED |
| xmrwallet.net | NICENIC International | 10 years | 190.115.31.40 | ← DNS DEAD |
| xmrwallet.me | Key-Systems GmbH | 10 years | 185.129.100.248 | ← ACTIVE — abuse reported |

IP clustering: 185.129.100.248 shared by .cc and .me — same host. 190.115.31.40 shared by .biz and .net — same host. Four registrars, two IP clusters. 33 years of prepaid registration. All registered in secret after first contact with investigators.


Bought Reputation: Wikipedia, Forbes, and 15+ Sponsored Articles

NameSilo's public reputation is manufactured. Wikipedia: paid/promotional flag. Forbes: "We earn a commission" affiliate disclosure. SmartCustomer: 1.8/5 — with zero negative results in Google.

Wikipedia — Flagged as Promotional by Editors

NameSilo has a Wikipedia article — marked by editors as a paid/promotional article, not neutral editorial coverage. Edit history (archived): en.wikipedia.org/w/index.php?title=NameSilo&action=history

Forbes Advisor — Affiliate Commission Disclosure

NameSilo appears on Forbes Advisor with an explicit affiliate disclosure: "Forbes Advisor adheres to strict editorial integrity standards... We earn a commission." Forbes Advisor earns money when users sign up through their links — creating direct financial incentive for positive coverage. Source: forbes.com/advisor/business/software/namesilo-review/

SmartCustomer: 1.8/5 — Zero Negative Results in Google

NameSilo holds a 1.8/5 rating on SmartCustomer — source: smartcustomer.com/reviews/namesilo.com. Despite dozens of negative reviews on record, a Google search returns zero negative coverage — active suppression using the same GDPR and DMCA tools applied against our investigation.

PR Newswire — Self-Published, Paid, No Editorial Review

NameSilo Technologies Corp. (CSE:BZI / OTC: URLOF — publicly-traded parent of NameSilo LLC) uses PR Newswire for corporate announcements. PR Newswire is a paid distribution service: the company writes the text and pays for placement. Examples of paid NameSilo Technologies press releases:

The same mechanism: xmrwallet used PR Newswire on January 21, 2026 to publish its cover story ("private keys never reach central servers") while the backdoor ran. Paid distribution presenting operator-authored text as newsworthy content.


Three Positions. One Company. None of Them Survive Contact With Each Other.

NameSilo did not maintain a consistent story. They ran three mutually exclusive positions in sequence — confident expert, threatened victim, humble public servant — depending on how much legal exposure they were facing at each moment.

1. March 2026 — The Confident Expert Position
NameSilo's abuse team has definitively determined the domain was compromised. They investigated the hack. They know the registrant is the victim. They are helping him remove VirusTotal detections — which, by their own logic, means they are more authoritative than every antivirus vendor that flagged the domain. Confidence level: absolute.
2. Phase 2 — The Legal Threat (Public Tweet, May 11, 2026)
@namesilo — Official Gold Checkmark account — May 11, 2026 · 417 Views · 107 replies

"Your claims are false, libelous and defamatory. NameSilo takes action and reviews all abuse reports submitted to us. If you have any such cases, please submit them to abuse@namesilo.com. Otherwise, please contact the website host or registrant directly. And halt your falsehoods towards us or we will be forced to undergo legal action."

The confident expert who investigated the hack, identified the registrant as the victim, and was helping him remove VirusTotal detections — is now a simple abuse inbox. The investigation evaporated. The expertise evaporated. Only the legal threat remained.
3. ICANN response — The Humble Processor Position
Now they process reports. Now they cannot determine phishing. Now they defer to hosting providers. The team that outperformed every major antivirus vendor to conclude the domain was clean is now too humble to make a call. This is not incompetence. Incompetence is consistent. This is a position chosen for each audience.
The Core Contradiction — Pick One, NameSilo

If your abuse team had the competence to conduct an extensive in-depth review, determine the domain was hacked, identify the registrant as the victim, and begin helping him remove VirusTotal detections — then you are explicitly claiming to be more authoritative and more technically competent than every antivirus vendor that flagged this domain as malicious.

You cannot later claim that you simply process reports and lack the expertise to determine phishing. The ICANN complaint is not asking for competence you don't have. It is asking why you used the competence you demonstrably have — to help the scammer, not the victims.


Trustpilot: Bot Farms Competing With Bot Farms

Example: “Patty Johnson” — US Profile, 2 Reviews Total

One 5-star for NameSilo (Jan 2026): “Leonid was very helpful… 5 stars!” The other review: for Otrium — a company with reviews alleging fraud and stolen money. One bot account, two scam-adjacent businesses. Pattern: named support agents, praised response time, templated language. Real domain buyers review prices and panel UX. Bot reviews praise “Leonid.”

Data Analysis — 2,280 NameSilo vs 2,480 Namecheap Reviews

| Metric | NameSilo | Namecheap |
| --- | --- | --- |
| 5-star reviews | 88.9% | 74.0% |
| 1-star reviews | 7.2% | 16.7% |
| Single-review accounts | 62.4% | 59.6% |
| No avatar (fresh accounts) | 67.3% | 51.5% |
| Reviews about support/service | 70.0% | 60.2% |
| Reviews about price/cost | 9.8% | 37.5% |
| Named agent “Leonid” | 5.7% | 0.0% |
| US geolocation | 35.1% | 26.5% |

The Leonid Anomaly

Leonid appeared on April 13, 2025. Zero mentions before. Then 65 reviews in his first two months. May 2025: 106 reviews (5× normal), 95% five-star, zero one-star. Not one unhappy customer in 106 reviews for a registrar ranked #96 in .com pricing.

43% of Leonid reviews are under 80 characters. Four have the title just “Leonid”. Three more: “Leonid was very helpful.” Among reviewers: “Satoshi Nakamoto,” “Author,” “Виктор -”, “Anna Koroleva,” “Boris Martin,” “Andrei Dobrescu” mixed with “Brad,” “LaToya,” “Patty Johnson.” A name generator cycling through continents. The name Leonid is Russian.

Hong Kong: 57 Reviews. 57 of 57 Five-Star. Statistically Impossible.

Zero four-star. Zero three-star. Zero anything else. 91% single-review accounts. Over 7 years. China: 94% five-star, 80% single-review. Singapore: 95% five-star. Combined 168 reviews from Chinese-speaking markets — almost entirely fabricated.

Why China? NameSilo actively markets there: namesilo-china.com, bcbay.com/namesilo, paid Chinese blog posts, a Chinese Wikipedia article. When investigators ask “who buys 4.22 million dead domains?” — NameSilo points to China. The Trustpilot data shows they have been building this alibi since 2019, one fake review at a time.

Independent Claude API Forensic Analysis — Blind Test

2,480 NameSilo and 2,480 Namecheap Trustpilot reviews submitted to Claude API, anonymized as “Company A” (NameSilo) and “Company B” (Namecheap). The AI had no knowledge of which was which.

| Forensic Indicator | NameSilo (A) | Namecheap (B) |
| --- | --- | --- |
| 5-star ratio | 89.1% | 74.0% |
| 1-star ratio | 7.1% | 16.7% |
| Disposable accounts giving 5 stars | 92% | ~65% |
| Reviews mentioning price | 11.2% | 39.2% |
| Named single agent in reviews | Leonid: 168 | none |
| 5-star vocabulary diversity (TTR) | 0.073 | ~0.15 |
| HK: 100% five-star | 57/57 | n/a |
| May–Jun 2025 spike (5× normal) | 215 reviews | none |
| AI manipulation verdict | 92% | 15% |

AI Forensic Conclusion — Verbatim

“Company A exhibits extensive, multi-dimensional evidence of systematic review manipulation through coordinated artificial generation. The probability of these patterns occurring organically approaches zero.”

Full analysis: phishdestroy.eth.limo/namesilo-trustpilot.html · Raw data: trustpilot-forensic-report-final.txt
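
The indicators in the tables above can be recomputed from raw review records; the following is an added example, not PhishDestroy's or the Claude API's analysis code, with hypothetical field names and constructed reviews. It assumes "normal" volume means the median monthly count, and it shows why a type-token ratio (TTR) should be compared on equal token budgets.

```python
import re
from collections import Counter
from statistics import median


def ttr(texts, budget=None):
    """Type-token ratio: distinct words / total words over the pooled texts."""
    tokens = [t for text in texts for t in re.findall(r"\w+", text.lower())]
    if budget is not None:
        # TTR falls as a corpus grows, so compare corpora on equal token counts.
        tokens = tokens[:budget]
    return len(set(tokens)) / len(tokens) if tokens else 0.0


def indicators(reviews, agent, spike_factor=5):
    """Compute the table's indicators for one company's reviews."""
    n = len(reviews)
    five = [r for r in reviews if r["stars"] == 5]
    per_month = Counter(r["date"][:7] for r in reviews)
    # Assumption: "normal" volume is the median monthly review count.
    normal = median(per_month.values())
    return {
        "five_star_ratio": len(five) / n,
        "single_review_share": sum(r["author_reviews"] == 1 for r in reviews) / n,
        "agent_share": sum(agent.lower() in r["text"].lower() for r in reviews) / n,
        "five_star_ttr": ttr(r["text"] for r in five),
        "spike_months": sorted(m for m, c in per_month.items()
                               if c >= spike_factor * normal),
    }


def make(month, n, stars, text, author_reviews):
    """Build n constructed reviews for one month of 2025."""
    return [{"date": f"2025-{month:02d}-{d + 1:02d}", "stars": stars,
             "text": text, "author_reviews": author_reviews} for d in range(n)]


# Constructed sample: four ordinary months, then a templated burst in May.
COMPANY_A = (
    make(1, 2, 4, "Cheap renewal prices and a clean control panel", 3)
    + make(2, 2, 5, "Transfer took a day, DNS editor works fine", 2)
    + make(3, 2, 1, "Ticket about a locked domain went unanswered", 1)
    + make(4, 2, 5, "Good bulk pricing for my portfolio", 4)
    + make(5, 10, 5, "Leonid was very helpful", 1)
)

if __name__ == "__main__":
    for name, value in indicators(COMPANY_A, "Leonid").items():
        print(name, value)
```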


What the Investigation Achieved

xmrwallet.com — Operation Closed

Following PhishDestroy's investigation and publication, xmrwallet.com ceased operations. The operator sent a farewell message — and notably, no longer signed it as "Nathalie Roy." The identity that had been the public face of xmrwallet for years was quietly dropped. No explanation given.

Domain Now Points to GitHub — On the Third Attempt

xmrwallet.com was eventually redirected to its GitHub repository — the same public facade that served as the "open-source" alibi for a decade. It took three attempts. The repository had been inactive for 5 years prior to the redirect: no commits, no updates, no maintenance — consistent with a project whose actual code lived exclusively on an unaudited production server and was never intended for public review.


Moving the Domain Didn't End This. It Made It Permanent.

xmrwallet.com transferred to Namecheap in May 2026, registered until 2036. NameSilo apparently considers this resolved. It is not.

You thought the experts who could outperform every antivirus vendor would stop when the domain moved? The investigation is on IPFS. It is on Arweave. It is in ICANN's formal complaint system. It is with EU law enforcement. It is with 3 national cybercrime units. The legal threat added one more timestamp to the file. The domain transfer added one more exhibit. Every action taken to suppress this investigation is itself documented evidence of the pattern we described.

You were not the smartest people in this situation. You just had more money for a while.

Independent Investigation Notice
PhishDestroy · Non-Commercial Security Research

No one paid for this. This investigation received no funding, no editorial direction, and no supplied text from any party. Unlike Forbes Advisor and PR Newswire placements that NameSilo finances directly, this author has zero financial relationship with NameSilo — and zero obligation to present their preferred narrative.

Everything is documented. Every factual claim is supported by verifiable evidence: server responses, forensic captures, public records, abuse filings, and primary sources cited inline. Nothing is fabricated. Sources are linked. Evidence is archived on IPFS. Independent verification is encouraged.

“Stop spreading lies about us, or we will be forced to take legal action.” — NameSilo, in response to this investigation

Terrifying. We have witnessed NameSilo’s full operational capability: getting a Twitter/X account banned, purchasing Forbes placement, writing their own Trustpilot reviews, having VirusTotal detections removed, and publishing four demonstrably false claims in a single tweet.

As for “lies” — everything here is factual. If accurate coverage of your product constitutes defamation, open your own control panel — the one you exclude from every paid article. It makes the argument without us.

You did not pay this author. You provided no text. You have no claim over independent research. You do have obligations — to ICANN, to your registrants, and under the laws governing domain registrars. Those do not disappear because accurate coverage is inconvenient.

On legal action: this investigation is archived across 5–7 IPFS nodes. Since NameSilo has demonstrated operational familiarity with content removal, we suggest starting there. You know how it works. We’ll wait.

For better clarity — in your language:

PhishDestroy is a non-commercial research project. We do not claim infallibility or absolute certainty. The tone of this investigation may be direct — we are aware of that. We are not imposing a point of view: we recommend reviewing the materials and primary sources and forming your own conclusions. The presumption of innocence applies. This is our investigation, our observations, and our subjective comparison — one we spent considerable time on.

Full investigation with all evidence and IPFS archives: phishdestroy.eth.limo