Figure: Monero view key exfiltration attack. The user's browser sends the wallet view key to xmrwallet.com, which forwards it to an attacker-controlled server.
xmrwallet.com Exposed: 10 Years of Stolen Keys & Hijacked Transactions
Deep forensic investigation into a Monero web wallet that Base64-encodes your private view key into a session_key token, leaks it across 40+ API requests per session, then nullifies your transaction with raw_tx = 0 and rebuilds it to steal your funds. Active since 2016. Operator identified.
~9 min read · Updated March 2026 · PhishDestroy Intelligence
Active since 2016 · 40+ key leaks per session · DDoS-Guard protected
Years active: 10 (2016 to present)
Key leaks per session: 40+
Estimated total stolen: $2M-$15M+
GitHub updates since 2018: 0
The Facade
xmrwallet.com presents itself as a free, open-source, client-side Monero wallet. No downloads. No registration. Their Terms of Service make a very specific claim:
"All cryptographic operations happen in your browser. The server has no ability to access your private keys."
— xmrwallet.com Terms of Service (demonstrably false)
This is a lie. Our forensic analysis, combining network captures, JavaScript deobfuscation and a comparison of the production code against the public repository, proves the exact opposite: every view key entered on xmrwallet.com is exfiltrated to the server, and every transaction can be hijacked.
Production vs. GitHub: Total Divergence
The public GitHub repository has not received a single commit since November 2018. The production site runs completely different code, with undocumented parameters and endpoints that do not exist anywhere in the repository (the side-by-side comparison is in the Hidden Production Code section below).
Domain registered via NameSilo in 2016 — pre-paid through 2031. Fifteen years of registration for a "free volunteer project."
Attack #1: View Key Exfiltration
When you log into xmrwallet.com, your private view key is Base64-encoded and embedded into a session_key token. This token is then transmitted to the server with every single API request — 40+ times in a single session.
// Decoded example:
// blob: a3f8c2... (session identifier)
// address: 4A1BxN... (your Monero public address)
// viewkey: YOUR PRIVATE VIEW KEY IN PLAINTEXT
Firefox WebExtension network captures confirm this token is sent across 6 distinct API endpoints totaling 40+ POST requests per session:
API Endpoint            Requests / Session   Leaks session_key
/api/getheightsync      12                   Yes
/api/gettransactions    10                   Yes
/api/getbalance          6                   Yes
/api/getsubaddresses     4                   Yes
/api/getoutputs          3                   Yes
/api/support_login       1                   Yes
Total                   36
40+ Copies of Your Private Key
A single login session sends your private view key to the server at minimum 36 times (the table above; 40+ in longer sessions). None of these operations needs the key to leave your browser. The height sync is a public chain query that needs no key at all, and the only reason a server would want a view key for balance or transaction lookups is to scan the chain on your behalf, which is precisely what the Terms of Service say never happens. (Light-wallet services built on the MyMonero/openmonero model do take the view key for server-side scanning, but they disclose it up front; xmrwallet.com claims the opposite.) Full network capture evidence: xmrwallet.com GitHub Issue #36 — View Key Exfiltration Evidence.
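The check a user can run on their own traffic, as an added example by the editor (not code from xmrwallet.com or its repository): it scans captured POST bodies for the view key in plaintext or under one or more Base64 layers and counts hits per endpoint. The token layout (Base64 of a JSON object with blob, address and viewkey) and the form-encoded bodies are assumptions inferred from the decoded fields above; the key, address and capture are constructed, and /api/getheight is a hypothetical key-free request used for contrast.

```javascript
// Added example by the editor; not code from xmrwallet.com or its GitHub repo.
// Question it answers: does any outgoing request body carry my private view
// key, directly or under one or more layers of Base64?
// ASSUMPTIONS: session_key is Base64(JSON {blob, address, viewkey}) and the
// POST bodies are form-encoded; both are inferred from the decoded fields
// quoted above, not read from the production site.

const VIEW_KEY = "9c".repeat(32);            // constructed 64-hex-char view key
const ADDRESS  = "4A1BxN" + "Q".repeat(89);  // constructed 95-char address shape

function makeSessionKey(blob, address, viewkey) {
  return Buffer.from(JSON.stringify({ blob, address, viewkey })).toString("base64");
}

// Peel up to maxDepth layers of Base64 (standard or URL-safe alphabet) while
// the result still looks like printable text. Returns [value, decoded1, ...].
function decodeLayers(value, maxDepth = 3) {
  const layers = [value];
  let cur = value;
  for (let i = 0; i < maxDepth; i++) {
    if (cur.length < 8 || !/^[A-Za-z0-9+\/=_-]+$/.test(cur)) break;
    const dec = Buffer.from(cur, "base64").toString("utf8");
    if (dec.length === 0 || /[^\t\n\r\x20-\x7e]/.test(dec)) break;
    layers.push(dec);
    cur = dec;
  }
  return layers;
}

// requests: [{ url, body }] as a WebExtension webRequest listener would hand
// them over. One finding per parameter whose value contains the secret;
// base64Depth 0 means plaintext, 1 means inside one Base64 layer, and so on.
function findLeaks(requests, secret) {
  const needle = secret.toLowerCase();
  const leaks = [];
  for (const { url, body } of requests) {
    for (const [param, value] of new URLSearchParams(body)) {
      const depth = decodeLayers(value).findIndex(l => l.toLowerCase().includes(needle));
      if (depth >= 0) leaks.push({ url, param, base64Depth: depth });
    }
  }
  return leaks;
}

function leaksPerEndpoint(leaks) {
  const counts = {};
  for (const { url } of leaks) counts[url] = (counts[url] || 0) + 1;
  return counts;
}

// Constructed capture mirroring the per-endpoint counts in the table above,
// plus one hypothetical request that sends only the public address.
const SESSION_KEY = makeSessionKey("a3f8c2", ADDRESS, VIEW_KEY);
const withSessionKey = (n, url) => Array.from({ length: n }, () => ({
  url,
  body: `session_key=${encodeURIComponent(SESSION_KEY)}&address=${ADDRESS}`,
}));
const CAPTURE = [
  ...withSessionKey(12, "/api/getheightsync"),
  ...withSessionKey(10, "/api/gettransactions"),
  ...withSessionKey(6,  "/api/getbalance"),
  ...withSessionKey(4,  "/api/getsubaddresses"),
  ...withSessionKey(3,  "/api/getoutputs"),
  ...withSessionKey(1,  "/api/support_login"),
  { url: "/api/getheight", body: `address=${ADDRESS}` },  // hypothetical, no key
];

const LEAKS = findLeaks(CAPTURE, VIEW_KEY);
console.log(`${LEAKS.length} requests leak the view key:`, leaksPerEndpoint(LEAKS));
```

Feed it the bodies from a webRequest.onBeforeRequest listener and any hit with base64Depth greater than 0 is the session_key pattern described above; a wallet that really keeps keys client-side produces an empty list.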
Attack #2: Transaction Hijacking
View key theft lets the attacker watch your wallet. But xmrwallet.com goes further: it steals your funds at the moment you send them. The deobfuscated production JavaScript reveals a 5-step attack sequence, walked through in the GitHub issue linked below.
Your wallet shows "transaction sent." Your funds arrive at the attacker's address. Victims who try to verify on a block explorer see "Unknown transaction id". Transactions internally tagged as swept are the stolen ones.
Your Transaction Never Existed
raw_tx_and_hash.raw = 0 means the client-generated transaction is thrown away. The server builds a completely new transaction using your keys and sends your XMR to the attacker. The "success" message you see is a lie. Detailed code analysis: xmrwallet.com GitHub Issue #35 — Transaction Hijacking Proof.
Hidden Production Code
xmrwallet.com maintains a public GitHub repository to look legitimate. The repository is a decoy. It hasn't been touched since November 2018. The production site runs entirely different, obfuscated code.
Public GitHub (Decoy)
- Last commit: Nov 2018
- No session_key parameter
- No verification param
- No /support_login.html
- No Google Tag Manager
- Clean, auditable code

Production Site (Real)
- Actively updated 2024-2026
- session_key carrying the Base64-encoded viewkey
- verification exfil channel
- /support_login.html backdoor
- GTM remote JS injection
- Obfuscated, unauditable code
The Backdoor & Remote Code Injection
The production site contains /support_login.html, a hidden administrative endpoint completely absent from the GitHub repository. Combined with the Google Tag Manager container loaded on every page, the operator can push new JavaScript to every visitor's browser at any time without touching the public codebase: whoever edits the GTM container decides what runs in the tab. This is a remote script-injection channel disguised as analytics.
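How to see this exposure from the outside, as an added example by the editor (not part of the article or of xmrwallet.com): the audit lists every remote origin a page's script tags pull code from and checks whether the page's Content-Security-Policy lets them run. A tag-manager loader that the policy permits is the injection channel described above; a policy that pins script-src to 'self' closes it. The sample HTML, both policies, the page origin and the GTM container id are constructed placeholders, and the googletagmanager.com host pattern is an assumption about where such containers load from.

```javascript
// Added example by the editor; not part of the article or of xmrwallet.com.
// What it reports: which remote origins a page lets execute script, from its
// HTML and its Content-Security-Policy. Loading a tag-manager container hands
// whoever edits that container the ability to run new code in every visitor's
// tab without touching the site's own files; a CSP that pins script-src to
// 'self' is what stops it. The sample HTML and both policies are constructed;
// the GTM container id is a placeholder.

function scriptOrigins(html, pageOrigin) {
  const origins = new Set();
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
    try { origins.add(new URL(m[1], pageOrigin).origin); } catch { /* malformed src */ }
  }
  return [...origins];
}

// script-src falls back to default-src; with neither, any source is allowed.
function cspScriptSources(cspHeader) {
  const directives = {};
  for (const d of cspHeader.split(";")) {
    const [name, ...sources] = d.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives["script-src"] || directives["default-src"] || ["*"];
}

// Does one CSP source expression permit scripts from this remote origin?
// Keyword sources such as 'self' or 'unsafe-inline' never match a remote host.
function sourceAllows(source, origin) {
  const s = source.toLowerCase();
  const { protocol, host } = new URL(origin);
  if (s === "*" || s === origin) return true;
  if (s === "https:" || s === "http:") return protocol === s;   // scheme source
  if (s.startsWith("*.")) return host.endsWith(s.slice(1));      // wildcard host
  return s === host;                                              // bare host
}

function auditRemoteCode(html, cspHeader, pageOrigin) {
  const allowed = cspScriptSources(cspHeader);
  const findings = scriptOrigins(html, pageOrigin)
    .filter(origin => origin !== pageOrigin)
    .map(origin => ({
      origin,
      permittedByCsp: allowed.some(s => sourceAllows(s, origin)),
      tagManager: /(^|\.)googletagmanager\.com$/.test(new URL(origin).host),
    }));
  return { allowed, findings, remoteCodeAllowed: findings.some(f => f.permittedByCsp) };
}

// Constructed page: the wallet's own bundle plus the GTM and UA loaders.
const PAGE_ORIGIN = "https://xmrwallet.com";
const HTML = `
<script src="/js/wallet.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>`;
const WEAK_CSP   = "default-src 'self' https:";               // any https script may run
const STRICT_CSP = "default-src 'self'; script-src 'self'";   // only the site's own files

console.log(auditRemoteCode(HTML, WEAK_CSP, PAGE_ORIGIN));
console.log(auditRemoteCode(HTML, STRICT_CSP, PAGE_ORIGIN));
```

With the strict policy the two remote loaders are still present in the HTML but the browser refuses to execute them, so the findings list is unchanged while remoteCodeAllowed drops to false; a page that serves no CSP header at all falls through to the "*" case and permits everything.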
Bulletproof Infrastructure
xmrwallet.com doesn't use cheap shared hosting. It runs on premium bulletproof infrastructure specifically chosen to resist takedown requests and law enforcement.
Hosting & Network IOCs

Indicator                   Value
Domain                      xmrwallet.com
Registrar                   NameSilo (2016 – 2031, 15-year registration)
Hosting Provider            IQWEB FZ-LLC ($550+/month)
IP Address                  186.2.165.49
ASN                         AS59692
CDN / DDoS Protection       DDoS-Guard
Web Server                  Apache 2.4.58 (Ubuntu)
Backend                     PHP 8.2.29
SSL Certificate             Let's Encrypt (auto-renewed)
Tor Mirror                  xmrwalletdatuxms.onion
Annual Infrastructure Cost  $8,000 – $15,000+
Tracking & Analytics IOCs

Tracker                 Requests / Session   Identifier
Google Tag Manager      12                   GTM container
Google Analytics (UA)   12                   UA-116766241-1
Google Analytics 4       5                   GA4 stream
DoubleClick              1                   Ad tracking pixel
DDoS-Guard Cookies       -                   __ddg8_, __ddg9_, __ddg10_, __ddg1_
$8K-$15K/Year for a "Free Volunteer Wallet"
A legitimate free wallet doesn't spend $550+/month on IQWEB FZ-LLC bulletproof hosting behind DDoS-Guard — infrastructure specifically designed to resist abuse complaints and law enforcement subpoenas. It doesn't register a domain for 15 years. It doesn't run Google Analytics tracking on a "privacy-focused" Monero wallet. This is infrastructure built for one purpose: persistent theft at scale.
Operator Identified: Nathalie Roy
Open-source intelligence traces xmrwallet.com's infrastructure directly to a single individual.
Nathalie Roy was banned from the official r/Monero subreddit in 2018 for promoting xmrwallet.com. The last GitHub commit happened the same year. For 6+ years the public code has been frozen while the production site actively steals funds with completely different code. The domain is paid through 2031 — the operator isn't going anywhere.
Documented Victims
At least 15 publicly reported cases of fund theft across Trustpilot, Sitejabber, Reddit, and GitHub Issues. Real people. Real money. Gone.
Public reports: 15+
Single largest theft: 590 XMR (~$177K)
Years of theft: 10
Estimated total: $2M-$15M+
- 590 XMR (~$177,000): single theft, largest documented case
- 17.44 XMR: documented with transaction ID on-chain
- 20 XMR stolen overnight: wallet drained while the user slept
- Multiple reports of "Unknown transaction id": the swept tag signature
The operator actively deletes victim reports from GitHub Issues (all issues before #13 are gone). The site claims to accept donations but no donation wallet address has ever been published. Why would a "volunteer project" spending $8K-$15K/year refuse donations? Because the revenue comes from theft.
Timeline of Events
Figure: Timeline 2014-2024 of xmrwallet.com (10,000+ stolen keys), from site launch through first victims to operator identified.
2016: Domain registered (xmrwallet.com)
Registered via NameSilo with a 15-year registration period (2016-2031). Presents as a free open-source Monero web wallet.

May 2018: GitHub organization created
XMRWallet GitHub org created on 2018-05-10 by nathroy (ID: 39167759). Public code pushed as transparency theater.

2018: Banned and code frozen
Operator u/WiseSolution banned from r/Monero for promotional spam. Last GitHub commit around this time. Victim issue reports start being deleted (Issues #1-#12 gone).

2018 - 2024: 6 years of silence
Public repository frozen. Production code diverges completely, with obfuscated JS, undocumented parameters, and backdoor endpoints. Victim reports accumulate on Trustpilot and Reddit.
Safer alternatives:
- Monerujo (Android): open-source with Tor support
- Cake Wallet (iOS/Android): multi-coin, well-maintained
The Golden Rule of Crypto
Never enter your seed phrase, private keys, or view keys on any website. Legitimate wallets run locally — they never need to send your keys to a server. If a web wallet asks for your private keys, it's a scam. For maximum security, use a hardware wallet (Ledger, Trezor) with official Monero software.
Protect the Community
xmrwallet.com has been stealing Monero for 10 years. The evidence is public. The operator is identified. Share this investigation. Report the domain. Help us shut it down.
Transparency notice. PhishDestroy is a non-commercial, volunteer-driven project. Our research may reflect an inherent bias against scam infrastructure and the services that enable it. We encourage readers to evaluate all material critically and independently. Read our full transparency statement →