Why was @Phish_Destroy banned on X?

X’s own automated review determined there was no violation and restored the account to full functionality. Despite that clear finding, the account remains inaccessible — consistent with a human-routed complaint overriding the automated result.

What did NameSilo do that made PhishDestroy expose them?

NameSilo sheltered xmrwallet.com for ten years while it stole Monero private keys from victims across multiple regions. Confirmed aggregate losses now exceed $20 million, and active criminal cases are open in EU jurisdictions. NameSilo ignored multiple abuse reports, publicly defended the scammer on X after speaking with him, and lobbied VirusTotal to remove Fortinet’s "Phishing" detection while the theft code was still running.

Did PhishDestroy pay for X verification (gold checkmark)?

Yes. The account had paid verified status granting access to X’s human review support channel. Despite that, the automated-cleared account remains banned, the human-support response has been silence, and the paid subscription has not been refunded.

Is NameSilo ashamed that they lied publicly?

NameSilo has not issued a retraction of their public defense of the xmrwallet.com operator, nor a correction of their tweeted cover story. Their response to being caught lying was to attempt to silence the researcher who documented the lies — not to correct the record.

Why should the truth about a registrar be erased?

It should not. Every claim in PhishDestroy’s investigation is documented, timestamped, and independently reproducible. Three peer registrars reviewed the same evidence and acted to suspend the scam domains. Silencing the researcher who published those findings does not change the facts — it only confirms that the facts were accurate enough to require silencing.

Does PhishDestroy have archives of NameSilo’s statements?

Yes, every public NameSilo statement defending the xmrwallet.com operator is archived on the Wayback Machine, Archive.today, our own GitHub evidence repository, mirrors on Medium, Mastodon, Bluesky, Telegram, and IPFS, plus hourly snapshots of phishdestroy.io itself with 14-day retention. Silencing any single mirror does not remove the information.

What happens to the ICANN compliance complaint now?

The original RAA §3.18 complaint against NameSilo was filed before the X ban. The retaliation ban itself is now additional evidence of a pattern of bad-faith conduct and has been supplemented to the same ICANN compliance case.

Are there criminal cases against the xmrwallet operation?

Yes. Confirmed aggregate losses from the xmrwallet.com Monero-theft operation now exceed $20 million, with victims identified across different regions. Active criminal cases are open in EU jurisdictions tied to the operation that NameSilo sheltered for ten years. The matter is now a law-enforcement investigation, not just research.

Did X issue two contradictory statements about the ban?

Yes. First (April 3) X Support emailed: "violation of our Rules did take place, specifically inauthentic behaviors ... overturn not warranted." PhishDestroy filed a formal appeal. Later, X automation responded to the appeal: "no violation and have restored your account to full functionality." The second email is the most recent written X ruling. The account is still locked anyway. X is not honoring its own most recent commitment.

Why was the original ban reason listed as payment?

The ban on April 3, 2026 was initially presented as a payment issue. The @Phish_Destroy account had an active paid gold-checkmark verification subscription in good standing at the time. The payment pretext was incorrect and the stated reason later shifted to "inauthentic behaviors" after appeal review — a shifting justification pattern common in bad-faith takedowns.

What can readers do to help?

Share this article and the original xmrwallet investigation. Tag @NameSilo and @X asking why a cleared account is still banned and why paid support is silent. Move domains away from NameSilo to registrars with clean abuse-response records. File ICANN compliance complaints against registrars that retaliate against researchers.

Back to News

Retaliation Report

NameSilo Killed Our Twitter Because We Told the Truth About Them

On April 3, 2026, X locked two PhishDestroy accounts citing a “payment issue,” with a promise that the paid subscriptions would be refunded. No refund arrived. Eleven days later, on April 14, X issued a new justification: “inauthentic behaviors — overturn not warranted.” We appealed. X’s own automation answered in writing: “no violation — account restored to full functionality.” The accounts are still locked. The money is still not refunded. The stated reason has now changed three times. Two weeks earlier we exposed NameSilo sheltering a $20M+ Monero-theft operation — now under active EU criminal investigation.

April 15, 2026 PhishDestroy Research 9 min read

The ban visualized: X’s own automation cleared the account. A human-routed NameSilo complaint kept it killed anyway.

Reason #1 · Apr 3

“Payment issue” + refund promised.

Two accounts locked. Subscriptions were paid and active. Refund never arrived.

Reason #2 · Apr 14

“Inauthentic behaviors.”

Eleven days later, a completely new justification. No specific tweet cited. No evidence disclosed.

Reason #3 · After appeal

“No violation — restored.”

Appeal result. X’s latest official ruling: the accounts are cleared.

Reality · Today

Accounts locked. Money gone.

Three different reasons. One unchanged outcome. No refund. No restored access.

Violations on appeal

Years sheltered

$20M+

Confirmed losses

~$100M

Our estimate

NameSilo lies

Paid checkmark

The Receipts: X Contradicts Itself in Writing

Two official emails from X Support. Same account. Same appeal. Opposite rulings. The second one is the more recent. Read them in order.

X Support email: 'no violation' stamp overridden by human review — The contradiction visualized: X’s automated review cleared us in writing. The ban held anyway.

Email #1 · April 3 · Initial lock decision

𝕏

Hello,

We have reviewed your appeal request for account, @Phish_Destroy.

Our support team has determined that a violation of our Rules did take place, specifically:

Violating our Rules against inauthentic behaviors.

We considered the additional information provided and decided an overturn of our original decision is not warranted in this case. Therefore, we will not overturn our decision to lock your account.

Thanks,
X Support

Lock justification: “INAUTHENTIC BEHAVIORS”

Email #2 · After our appeal · Automated review

𝕏

Hello,

We have reviewed your appeal request for account, @Phish_Destroy.

Our automated systems have determined there was no violation and have restored your account to full functionality.

Thanks,
X Support

Appeal result: “NO VIOLATION — RESTORED”

Email #2 is the more recent ruling. It explicitly reverses Email #1. It says — in writing, on X’s own letterhead — that the account has been restored to full functionality. The account is not restored. The paid subscription continues to bill. There is no third email walking back Email #2. X’s most recent commitment to us is simply not being honored.

Two possibilities. Both bad.

Either Email #2 is real — automation reviewed the appeal, concluded no violation, and some unnamed party is keeping the ban in place against that ruling.

Or Email #2 is not real — it was sent in error, the real decision is still Email #1, and X has not issued a correction in writing.

There is no third possibility. Both reflect poorly on X. One of them reflects catastrophically.

Why This Happened

Scammer sheltered by NameSilo on left; researcher silenced by NameSilo on right — One hand. Two protections. One for the scammer. One silencing the researcher who caught them.

On March 27 we published The End of xmrwallet[.]com: NameSilo Lied to Protect a Crypto Thief. The investigation was reproducible: PHP endpoint dumps, archived statements, 15+ documented victims. Three peer registrars (India, Malaysia, China) reviewed the same evidence and killed their xmrwallet domains in days. Only NameSilo defended the scammer.

What happened next matters. The order matters:

The scammer emailed us directly first — before any NameSilo public statement, before any appeal was filed. His email told us to “sue the registrar.” That is not a sentence a solo scammer writes to a researcher chasing him. That is a sentence someone writes when they already know the registrar will back them up. We have never seen that reaction from any other scammer we have documented.
NameSilo then issued a public statement containing two provable falsehoods, quoted verbatim and archived in our Medium investigation:
• “Domain was compromised a few months ago” — contradicted by the fact that the operator’s own theft code was still running in production at the time of NameSilo’s statement.
• “Prior to that, we had received no abuse reports” — contradicted by our delivery receipts for multiple prior abuse reports with full technical evidence.
The same statement also said: “Registrant is working to get delisted from VT reports,” which confirms NameSilo explicitly endorsed the operator’s attempt to remove VirusTotal detections while the theft code was live.
In the same statement, NameSilo dismissed our research as unserious and publicly offered to help the operator get security-vendor detections (VirusTotal, Fortinet) removed — while the theft code was still active.
We responded factually to that public statement. No harassment. No spam. No doxing. We corrected the record in the same venue NameSilo chose.
Seven days later, two PhishDestroy X accounts were locked. Reason cited: “payment.” Subscriptions were paid. The reason shifted on Apr 14 to “inauthentic behaviors.” After appeal the reason shifted again to “no violation, restored.” The lock, and the unreturned payments, did not shift at all.

The pattern identifying the real reason

NameSilo couldn’t refute the evidence — three peer registrars acted on it independently. So they did what the xmrwallet operator had been doing to critics for ten years: used a bureaucratic channel to silence the voice, without addressing the facts. The operator deleted 20+ GitHub accounts and 200+ Trustpilot reviews. NameSilo got an X account banned. Same playbook, corporate-grade.

Are NameSilo and the Scammer Connected?

The xmrwallet[.]com operator answered abuse reports with confidence, tweeted alongside the registrar with coordinated talking points, and never moved the domain in ten years of complaints. That is not how nervous scammers behave. That is how scammers with an arrangement behave.

In more than a hundred phishing-operator cases we’ve documented, we have never seen this specific sequence before:

The sequence we have never seen with any other scammer

The scammer wrote to us first. Before NameSilo made any public statement, before any appeal was filed — the operator himself emailed PhishDestroy. Identity is documented in the Medium investigation: the emails came from the xmrwallet[.]com operator, publicly identifiable via his own repository footprint as Nathalie Roy (Canada), GitHub nathroy, Reddit u/WiseSolution, banned from r/Monero in 2018.
His exact words (verbatim, archived): “Feel free to subpoena the domain registrar.” Not “take it down.” Not “I’ll fix it.” He explicitly pointed us at his own registrar as a party to go after — as if he already knew the registrar would not act against him, and was confident their legal posture would survive scrutiny. This quote is preserved in our Medium investigation (March 16, 2026).
Only then did NameSilo go public with the “our customer was hacked” cover story — a cover story contradicted by the still-running theft code — and the assertion that “no prior abuse reports existed,” contradicted by our delivery receipts.
NameSilo then weaponized a platform abuse channel against us — using the same silencing playbook the operator had already been running on GitHub (20+ accounts deleted), Trustpilot (200+ reviews deleted), and BitcoinTalk.

The operator’s infrastructure is not that of a hobbyist. According to our Medium investigation, xmrwallet[.]com is hosted on $550/month bulletproof hosting via IQWeb FZ-LLC (registered in Belize), behind DDoS-Guard (Russia). That is a professional, prepared, abuse-resistant stack — not a one-off scam page. A single operator running prepared bulletproof infrastructure while also having his registrar publicly issue a defense statement on his behalf is, at minimum, an unusually coordinated operation.

We cannot prove a relationship from outside NameSilo’s books. Only their internal records could. But on the visible evidence, two explanations remain: either the operator is the most self-confident crypto scammer of the last decade and correctly bet that his registrar would shield him on instinct — or there is an undisclosed relationship between them. The first deserves public scrutiny. The second deserves a subpoena. Law enforcement in EU jurisdictions is now working the underlying case.

The Victims: Who Actually Got Harmed

NameSilo’s implicit argument, by reaching for a platform abuse button instead of a retraction, is “we didn’t like being exposed.” Fair enough. People rarely like being exposed. But put the two harms on one scale.

The asymmetry

NameSilo’s harm from our reporting: embarrassment.

Victims’ harm from the operation NameSilo sheltered for ten years:

One single user: 590 XMR (~$177,000) lost in a single hijacked transaction.
Initial documented cases: 15 (Trustpilot, Sitejabber, BitcoinTalk).
Regions: different regions (victim reports corroborate this).
Confirmed aggregate: $20M+. This is based on victim reports we can individually verify.
Our opinion, informed but unverified: $100M+. Based on victim outreach and operation duration. We state this as our estimate and cannot prove it publicly. NameSilo also cannot credibly deny it without opening their own records.
Important pricing note. Our loss totals are calculated at the XMR exchange rate at the time of each theft, not at today’s Monero price. The figures above are the actual USD-equivalent amounts victims lost when they lost them.
Active criminal cases in EU jurisdictions. This is no longer just research — it is law enforcement.

Since publication, additional victims have reached out to us directly with individual loss amounts and transaction IDs. We are preserving and corroborating those reports.

Treating these two harms as comparable — by letting a registrar silence the researcher who documented the operation — is itself a policy failure.

The Permanent Record

Server racks with ARCHIVED labels and screenshots of NameSilo statements — Every NameSilo statement defending the xmrwallet operator, preserved across eight independent publishing systems.

Silencing a Twitter account does not remove the evidence. Everything germane to this case is archived:

Every public NameSilo statement defending the xmrwallet operator — Wayback Machine, Archive.today, our GitHub evidence repository.
Screenshots of the live theft code in production, with timestamps.
8 PHP endpoints reverse-engineered and published.
The full abuse-report conversation chain.
Our entire X timeline mirrored on Mastodon, Bluesky, Medium, Telegram, GitHub, IPFS.
Hourly snapshots of phishdestroy.io itself, 14-day retention, installed specifically so nothing we wrote can quietly disappear.

If any one mirror is silenced, the content lives on the other seven. The architecture is older than NameSilo. It will outlast them.

Was This Fair? Five Questions for Everyone Reading

Infographic of uncomfortable questions around the ban — Answerable questions. Every one of them deserves a public answer.

These are not rhetorical. Read the evidence above, then answer for yourself — privately, on your timeline, or while deciding whether to keep or move your domains.

Is it fair to ban a security researcher for publicly responding to a registrar’s own public statement? The registrar started the conversation. The researcher replied with facts. Only one side got silenced.
Is it acceptable for a registrar’s public statement to dismiss documented research as unserious while simultaneously offering to help a scam operator remove security detections? Both happened in one NameSilo statement. Victims are not mentioned anywhere in it.
Is it acceptable for X to explicitly withdraw its own lock justification in writing (“no violation, restored”) and keep the ban in force anyway? X’s own most recent ruling says the account should be live.
Is it acceptable for a paid verification subscription to continue billing while the underlying account is locked? If the service is not being delivered, is that a product — or a contract breach?
What does an ICANN-accredited registrar’s “good standing” mean if an accredited registrar can weaponize a third-party platform’s abuse channels to silence the researcher documenting their abuse-response failure? This is a compliance question, and it is being added to the existing RAA § 3.18 filing.

If Any Answer Was “No, This Is Not Fair”

Here are three concrete, zero-cost things, in ascending order of impact.

1. Share it publicly

Quiet disapproval does nothing. Visible pressure does. One click, pre-filled:

Share on X (pre-filled) Share on Telegram Share on LinkedIn Share on Reddit

2. Ask the parties by name

Tag them. Silent disapproval does nothing. Visible questions from readers get noticed.

@NameSilo — is the @Phish_Destroy ban related to your public statement offering to help the xmrwallet operator get detections removed?
@X / @XSupport / @elonmusk — Email #2 says “restored to full functionality.” The account is locked. Which ruling is operative?
@ICANN — does RAA § 3.18 cover registrar retaliation against researchers?
@Tucows — is platform-abuse retaliation against researchers compatible with your OpenSRS reseller standards?

3. Move your domains (this is the one that hurts)

Companies respond to revenue loss, not tweets. Transfers take about fifteen minutes. Our registrar statistics page lists registrars with clean abuse-response records. Every moved domain is a renewal-number datapoint NameSilo’s leadership will see next quarter.

If you are an organization — crypto project, bug-bounty platform, journalism outlet, threat-intel company — with any domain at NameSilo: consider what it means to fund the registrar that sheltered a $20M+ theft operation and then silenced the researcher who documented it. You can make that move publicly. It carries weight.

Final Word

A megaphone crushed by a red ABUSE REPORT rubber stamp — You don’t get to protect a $20M+ theft operation for ten years, lie in public, and then silently stamp the researcher who caught you.

You don’t get to protect a $20M+ theft operation for ten years, lie about it in public, retaliate against the researcher who caught you — and have the whole thing quietly forgotten. Especially not while EU law enforcement is working the case.

We are not asking you to take our word. Every factual claim above is linked, documented, timestamped, archived off-site, and reproducible. We are asking you to look at the evidence, answer the five questions for yourself, and act on your own answer. That is what fair looks like — a reader who reads the evidence and decides. It is also exactly the thing that silencing is designed to prevent.

PhishDestroy is volunteer-driven threat intelligence. Zero payments, zero sponsorships, zero favors. We publish what we find. NameSilo had us banned for it.

Original investigation: phishdestroy.io/xmrwallet-namesilo-exposed
Medium investigation (primary source): phishdestroy.medium.com/xmrwallet-com-2953f35b8a79
Evidence repo: github.com/PhishDestroy