Investigation Report — Final

The End of xmrwallet[.]com: NameSilo Lied to Protect a $2M Thief

After 10 years of stealing Monero private keys, the operation is destroyed. Three registrars acted within days. The fourth — NameSilo — contacted the scammer, believed his story, and became his press secretary.

March 27, 2026 · PhishDestroy Research
Investigation overview: The fall of xmrwallet[.]com and NameSilo's role in protecting the scammer.
$2M+ estimated stolen · 10 years active · 3/4 registrars suspended · 7 NameSilo lies proven · 8 theft PHP endpoints

What xmrwallet[.]com Actually Did

Since 2016, xmrwallet[.]com marketed itself as a free, open-source Monero wallet. Our live network capture on February 18, 2026 proved it was doing something very different: stealing private Monero view keys on every login and hijacking transactions server-side.

Screenshot 1 — The theft mechanism: every wallet login transmitted the victim's private Monero view key, Base64-encoded, to the scammer's server.
Core Theft Mechanism

Not injected code — the core architecture. A session system across 8 PHP endpoints, transmitting the victim’s private view key 40+ times per session. When users sent XMR, their transaction was silently discarded (raw_tx_and_hash.raw = 0) and replaced with the scammer’s.

User opens wallet → View key exfiltrated (Base64) → TX hijacked server-side → XMR sent to scammer

Screenshot 2 — The 8 PHP endpoints documented in our GitHub evidence repository. Each endpoint participates in the session_key/view_key exfiltration chain.
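The mechanism described above is straightforward to check for on the defender's side: with the wallet's own view key in hand, scan a captured session for every request that carries it in any encoding, and for responses that zero out the user's transaction. The Python below is an added example written for this report; it is not PhishDestroy's tooling and not code from the evidence repository. The endpoint names, the capture records and the placement of raw_tx_and_hash as an object in the JSON response body are all constructed assumptions, since the report names neither the endpoints nor the exact shape of the traffic.

```python
import base64
import json
from urllib.parse import quote, unquote_plus

# Constructed 32-byte value (64 hex chars), the size of a Monero private view
# key. Not a real wallet key.
VIEW_KEY = "7a3c" * 16


def key_encodings(view_key_hex):
    """Every form the key could take on the wire: the hex text, Base64 of the
    hex text, and Base64 of the raw bytes. Matching hex alone would miss the
    Base64 transmission the report describes."""
    raw = bytes.fromhex(view_key_hex)
    return {
        "hex": view_key_hex,
        "base64_of_hex": base64.b64encode(view_key_hex.encode()).decode(),
        "base64_of_bytes": base64.b64encode(raw).decode(),
    }


def endpoint_name(url):
    """Strip scheme, host and query string, leaving e.g. 'login.php'."""
    return url.split("?", 1)[0].rsplit("/", 1)[-1]


def find_key_leaks(capture, view_key_hex):
    """Return (endpoint, encoding) for each request whose URL or body carries
    the key. Both the raw and the URL-decoded text are searched, so Base64
    padding escaped as %3D in a form body is still caught."""
    forms = key_encodings(view_key_hex)
    leaks = []
    for rec in capture:
        raw_text = rec["url"] + "\n" + rec.get("body", "")
        haystack = raw_text + "\n" + unquote_plus(raw_text)
        for name, needle in forms.items():
            if needle in haystack:
                leaks.append((endpoint_name(rec["url"]), name))
                break
    return leaks


def find_dropped_transactions(capture):
    """Return endpoints whose JSON response carries raw_tx_and_hash.raw == 0,
    the marker the report gives for a user's transaction being discarded.
    Assumption: raw_tx_and_hash is an object in the response body."""
    dropped = []
    for rec in capture:
        try:
            body = json.loads(rec.get("response", ""))
        except json.JSONDecodeError:
            continue
        tx = body.get("raw_tx_and_hash") if isinstance(body, dict) else None
        if isinstance(tx, dict) and tx.get("raw") in (0, "0"):
            dropped.append(endpoint_name(rec["url"]))
    return dropped


# Constructed session capture: four records, three of which leak the key.
_B64_HEX = base64.b64encode(VIEW_KEY.encode()).decode()
CAPTURE = [
    {"method": "POST", "url": "https://wallet.example/api/login.php",
     "body": "address=constructed_address&view_key=" + VIEW_KEY,
     "response": '{"status":"OK"}'},
    {"method": "POST", "url": "https://wallet.example/api/session_refresh.php",
     "body": "session_key=" + quote(_B64_HEX),  # form-encoded Base64, '=' -> %3D
     "response": '{"status":"OK"}'},
    {"method": "POST", "url": "https://wallet.example/api/send_tx.php",
     "body": "session_key=" + quote(_B64_HEX) + "&tx=constructed_signed_tx",
     "response": '{"raw_tx_and_hash":{"raw":0,"hash":""},"status":"OK"}'},
    {"method": "GET", "url": "https://wallet.example/api/ping.php?t=1",
     "body": "", "response": '{"ok":true}'},
]

if __name__ == "__main__":
    leaks = find_key_leaks(CAPTURE, VIEW_KEY)
    print(f"{len(leaks)} of {len(CAPTURE)} requests carried the private view key:")
    for endpoint, encoding in leaks:
        print(f"  {endpoint:<22} {encoding}")
    print("transactions zeroed server-side:", find_dropped_transactions(CAPTURE))
```

Run against a real export (for instance, HAR entries mapped to the url/body/response fields used here), the leak count is the figure to compare with the report's "43 view key transmissions in 109 requests": a wallet that needs the view key only at login should produce a count of zero after the first request, and any non-empty result from find_dropped_transactions means the server, not the user, decided what was broadcast.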

Six security vendors on VirusTotal flagged it as malicious. Fifteen documented victims across Trustpilot, Sitejabber, and BitcoinTalk. One victim lost 590 XMR (~$177,000) in a single theft.

Screenshot 3 — VirusTotal: 6/93 vendors flagged xmrwallet.com as malicious. Fortinet classified it as “Phishing.”
Screenshot 4 — ScamAdviser: Trust Score 1/100. “Very Likely Unsafe.”

Three Registrars Did Their Job

We filed identical abuse reports with all four registrars hosting xmrwallet domains. Three acted immediately:

Screenshot 5 — Three registrars locked the doors. NameSilo left theirs wide open for the scammer.

PublicDomainRegistry (India) · xmrwallet.cc · Suspended · days to act
WebNic (Malaysia) · xmrwallet.biz · Suspended · days to act
NICENIC (China) · xmrwallet.net · DNS dead · weeks to act
NameSilo (USA) · xmrwallet.com · Refused · defended the scammer

Three countries. Three independent conclusions.

India, Malaysia, China — reviewed the evidence, found fraud, suspended the domains. No questions asked.

NameSilo Chose a Different Path

The fourth registrar — NameSilo, LLC (USA) — hosting the primary domain with the most evidence and most victims — did the opposite. They contacted the scammer, believed his story, and published a public statement defending him:

Screenshot 6 — NameSilo's public statement on X (Twitter), March 12, 2026. Every claim in this post was false.
“Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago... After an extensive investigation, our team found evidence of the compromise not involving the registrant... The registrant is also working to get the website delisted from VT reports.”

— NameSilo, via X (Twitter)

We analyzed this statement line by line. Every claim was false.

The Operator’s Own Words

Before NameSilo intervened, the operator responded directly to our abuse report. His emails confirm awareness and intent:

Screenshot 7 — Operator's response: “This is not phishing, we've been running for over 8 years.”
Screenshot 8 — Operator's second response: “This is the data we need to offer the service.” The “data” was the victim's private view key.

Seven Lies, Exposed

LIE #1: “The domain was compromised”

The theft mechanism is the core architecture — 8 PHP endpoints, Base64 key exfiltration, a 5.3-year GitHub commit gap. This system was built over years, not injected in a hack.

LIE #2: “We had received no prior abuse reports”

Six VirusTotal vendors, Trustpilot complaints going back years, a BitcoinTalk warning thread, the operator banned from r/Monero in 2018. A single Google search would have shown this.

LIE #3: “Not involving the registrant”

The operator registered 4 escape domains across 4 registrars (prepaid 5-10 years each) before the investigation was published. Deleted 21+ GitHub issues. Hired developers for a captcha system. That’s not a victim — that’s an operation.

LIE #4: “They immediately took steps to reverse it”

The theft code was running in production during NameSilo’s statement. Zero GitHub commits addressing any incident. Nothing was reversed.

LIE #5: “Working to get delisted from VirusTotal”

NameSilo praised the scammer for lobbying to remove Fortinet’s “Phishing” detection — without removing the phishing code. That’s not good faith. That’s suppressing security warnings.

LIE #6: “Is the abuse recent?”

Shifting the burden of proof to the reporter so they can close the case. The evidence was in the report. Three peer registrars didn’t need to ask.

LIE #7: “We will re-open the investigation”

“Re-open” implies it was once open. Their investigation consisted of calling the scammer and writing down what he said. That’s not an investigation — that’s dictation.

Infrastructure Evidence

Screenshot 9 — The domain escape network: 4 domains across 4 registrars, all pointing to the same servers. Three neutralized.
Screenshot 10 — URLScan data: all xmrwallet domains (.com, .cc, .biz, .net, .me, .app) resolving to the same infrastructure.
Screenshot 11 — Our GitHub evidence repository with the complete network capture analysis. 109 requests, 43 view key transmissions documented in a single session.

Timeline: The Fall of xmrwallet

2016 — xmrwallet[.]com begins operation, marketing itself as a “free open-source Monero wallet”
2018 — Operator banned from r/Monero. First victim reports appear on Trustpilot
Feb 4, 2026 — Escape domain xmrwallet.cc registered (8yr prepaid), before the investigation was published
Feb 13, 2026 — Issue #35 published: full TX hijacking mechanism exposed
Feb 18, 2026 — Issue #36: live capture, 109 requests, 43 view key transmissions in a single session
Feb 23, 2026 — xmrwallet.cc SUSPENDED (PDR). xmrwallet.biz SUSPENDED (WebNic). Operator panic-deletes Issues #35 and #36
Feb 26, 2026 — More panic: xmrwallet.net and .me registered (10yr prepaid, same IPs as the suspended domains)
Mar 8, 2026 — xmrwallet.net DNS DEAD (NICENIC). 3 of 4 escape domains neutralized
Mar 2026 — NameSilo publishes statement: “The registrant is the victim.” Helps suppress VirusTotal detections
Mar 27, 2026 — Formal ICANN complaint filed (RAA Section 3.18). Evidence submitted to law enforcement. This report published

The Verdict

NameSilo didn’t ignore the evidence. They read it, called the scammer, believed him, declared him innocent, and helped suppress security warnings. Then they asked the researchers to prove the abuse is “recent.”

That’s not negligence. That’s a partnership.

The domain is down. The scam is over. But the fact that a US registrar chose to publicly fabricate a cover story to shield a $2M crypto thief — that is something that will follow NameSilo for a very long time. Their statement will be Exhibit A in every filing from this point forward.

If you vouch for the thief, you share his bill.

Evidence & Resources

This investigation is based on publicly available evidence, live network captures, OSINT, public review platforms, and NameSilo’s own verbatim public statement. No unauthorized access was performed. All findings are independently reproducible.