Active Investigation — 2026-02-23 · .biz & .cc Suspended ✅
DO NOT USE XMRWALLET .COM
Confirmed: your private Monero view key is transmitted to their server on every API request.
Transaction destination addresses are substituted server-side.
15+ documented victims. $2M+ estimated stolen. Operating since 2016.
⚠ ALL DOMAINS — SAME OPERATION
xmrwallet.com
xmrwallet.cc ✅ SUSPENDED
xmrwallet.biz ✅ SUSPENDED
xmrtor3fsapuu6y26za7vpzox4vpaj6ny5viq2arbmozm7kg6jitnlid.onion
Every step documented with real captured traffic. From the moment you enter your key to the moment funds disappear.
01 · You enter address + viewkey — both sent to server in plaintext
CRITICAL
The site asks for your wallet address and private view key "for syncing". Both are sent as plain form fields in a POST to their PHP backend, protected only by TLS in transit: there is no client-side encryption, so the server receives the key in the clear. Visible in DevTools → Network tab. A view key alone cannot spend funds (it only reveals your incoming transactions); the theft finding rests on the server-side transaction construction documented further down this page.
// POST https://www.xmrwallet.com/auth.php
address = 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88UKCuraauhmbYBK2YzDX76E46KQHAKYV9a63vokJb
viewkey = efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
isnew = 0
// Private view key transmitted. Server has it. Game over.
02 · session_key encodes your private key — re-sent on every request
KEY EXFIL
Server returns a session_key — not a random token. It contains your address and private view key encoded in Base64, re-sent to the server 40+ times per session.
03 · Your key reaches the server on every action — 40+ times per session
LEAK ×40
Every balance check, transaction view, page reload — your private view key is transmitted again. Includes an automatic request to /support_login.html with a different session_id not initiated by you.
POST /getheightsync.php · viewkey ×12
POST /gettransactions.php · viewkey ×10
POST /getbalance.php · viewkey ×6
POST /getsubaddresses.php · viewkey ×4
POST /getoutputs.php · viewkey ×3
POST /support_login.html · viewkey · session_id=8de50123dab32 ← BACKDOOR, not user-initiated
The client builds a transaction locally, then discards the result (raw_tx_and_hash.raw = 0). Only metadata is sent to the server, which builds its own transaction and redirects the funds to any address. This step, not the view-key upload, is the one the theft finding rests on: a view key cannot spend, but whoever constructs and broadcasts the outgoing transaction chooses its destination.
05 · 4 Google trackers watch every move inside your wallet
PRIVACY
Google Tag Manager allows the operator to push any JavaScript without changing source code or committing to GitHub. Auditing the repo is useless — real code loads from GTM.
GET googletagmanager.com/gtm.js ×12 — arbitrary JS
GET google-analytics.com/analytics.js · UA-116766241-1
GET region1.analytics.google.com/g/collect ×5 — GA4
GET stats.g.doubleclick.net/g/collect · ad tracker — zero reason here
06 · Verify it yourself — 3 independent methods
VERIFY
// METHOD 1: F12 → Network → filter auth.php → viewkey in Request Payload
// METHOD 2: Decode your own session_key (the value auth.php returns)
import base64; parts = session_key.split(":")
print(base64.b64decode(parts[2]).decode())
// METHOD 3: Our captured traffic — run this now:
python3 -c "import base64; print(base64.b64decode('ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA==').decode())"
// OUTPUT: efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
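Putting the three methods together, as an added example (not code from this page or from xmrwallet.com): a scanner that reads a DevTools HAR export and counts, per endpoint, every request whose query string or body carries the view key as hex, as Base64, or wrapped inside a session_key. The session_key layout (third ':'-separated field = Base64 of the view key) is taken from METHOD 2; the "v1" prefix, the placeholder address and the sample HAR are constructed assumptions, and the view key is the one from the page's own capture.

```python
"""Scan a DevTools HAR export for a Monero private view key leaving the browser.

Added example for the three verification methods above; it is not code from
this page or from xmrwallet.com.  The session_key layout (third ':'-separated
field = Base64 of the view key) is taken from METHOD 2 above.  The HAR sample
below is constructed: the address is a placeholder and the endpoints mirror
the ones listed on this page."""
import base64
import binascii
import json
from collections import Counter
from urllib.parse import quote, unquote, urlsplit

# The view key from the page's own capture (METHOD 3).
VIEWKEY = "efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800"
ADDRESS = "46SAMPLEADDRESS"  # constructed placeholder, not a real wallet address


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def session_key_for(address: str, viewkey: str) -> str:
    """Assumed layout 'v1:<b64 address>:<b64 viewkey>'; only field 3 is documented."""
    return "v1:" + b64(address) + ":" + b64(viewkey)


# Constructed HAR: only the fields the scanner reads are present.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "https://www.xmrwallet.com/auth.php",
                 "postData": {"text": f"address={ADDRESS}&viewkey={VIEWKEY}&isnew=0"}}},
    {"request": {"method": "POST", "url": "https://www.xmrwallet.com/getbalance.php",
                 "postData": {"text": "session_key=" + session_key_for(ADDRESS, VIEWKEY)}}},
    {"request": {"method": "POST", "url": "https://www.xmrwallet.com/gettransactions.php",
                 "postData": {"text": "session_key=" + session_key_for(ADDRESS, VIEWKEY)}}},
    # Form-encoded the way a browser sends it: ':' and '=' become %3A and %3D.
    {"request": {"method": "POST", "url": "https://www.xmrwallet.com/support_login.html",
                 "postData": {"text": "session_id=8de50123dab32&session_key="
                                      + quote(session_key_for(ADDRESS, VIEWKEY), safe="")}}},
    {"request": {"method": "GET", "url": "https://www.googletagmanager.com/gtm.js"}},
]}})


def decode_session_key(session_key: str) -> str:
    """METHOD 2 from the page: the third ':'-separated field is Base64(view key)."""
    parts = session_key.split(":")
    if len(parts) < 3:
        raise ValueError("session_key does not have three ':'-separated fields")
    return base64.b64decode(parts[2], validate=True).decode()


def form_fields(body: str) -> dict:
    """Parse a urlencoded body; unquote (not unquote_plus) keeps '+' in Base64 intact."""
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            name, value = pair.split("=", 1)
            fields[unquote(name)] = unquote(value)
    return fields


def carries_viewkey(blob: str, viewkey: str) -> bool:
    """True if blob holds the key as hex, as Base64, or wrapped inside a session_key."""
    if viewkey in blob or b64(viewkey) in blob:
        return True
    session_key = form_fields(blob).get("session_key")
    if session_key is None:
        return False
    try:
        return decode_session_key(session_key) == viewkey
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return False


def count_viewkey_leaks(har_text: str, viewkey: str) -> Counter:
    """Count requests per 'METHOD /path' whose query string or body carries the key."""
    hits: Counter = Counter()
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        body = req.get("postData", {}).get("text", "")
        if any(carries_viewkey(part, viewkey) for part in (url.query, body)):
            hits[f"{req['method']} {url.path}"] += 1
    return hits


if __name__ == "__main__":
    # Real use: pass open("capture.har").read() instead of SAMPLE_HAR.
    for endpoint, n in count_viewkey_leaks(SAMPLE_HAR, VIEWKEY).most_common():
        print(f"{n:>3}x  {endpoint}")
```

Export the session from DevTools (Network → Export HAR) and pass the file contents instead of SAMPLE_HAR. Because a browser form-encodes ':' and '=' as %3A and %3D, a plain substring search for the Base64 string misses those requests; the decode path in carries_viewkey is what catches them, and the GET to gtm.js is correctly reported as carrying nothing.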
Finding #2 — Operator Profile
THE OPERATOR & THE COVER-UP
8 years of operation. 5.3-year GitHub blackout. Banned from Reddit. 50+ paid articles. A "volunteer project" with zero donation wallet.
// GitHub commit history:
2018-05-10 v1 First release (f2d33d1) ← create_transaction, looks open-source
2018-11-06 Bulletproof Update ← last real commit
2018-11 ———————————— 2024-03 ZERO COMMITS (5.3 YEARS)
  ↑ Production site actively updated. session_key added. Theft infrastructure evolved.
  ↑ Wayback Machine 2023: ZERO references to session_key in archived pages.
2024-03-15 v0.18.0.0 "2024 updates" ← sanitized dump, PHP backend excluded
current v0.18.4.1 production ← additional changes NOT in GitHub
01 · Operator Identified
GitHub: nathroy (ID: 39167759). Support page: "Nathalie Roy created XMRWallet". admin@xmrwallet.com. Reddit: u/WiseSolution. Personally responds to every Trustpilot negative review with the "sync problem" deflection script.
02 · Banned from r/Monero
Account u/WiseSolution banned from r/Monero after self-promotion attempts in 2018. The community flagged suspicious patterns early. Operation continued through other channels.
03 · GitHub Evidence Deleted
Issue #13 deleted in 2018. After our February 2026 investigation and both escape domains being suspended, operator wiped repo content and deleted issues — including our full disclosure threads. Cached at Yandex & Wayback Machine. You don't delete what you can technically rebut.
04 · "Sync Problem" Script
Standard response to theft reports: direct victim to Monero CLI to "check balance." Funds are already gone by then. Used consistently since 2018 — identical template across Trustpilot, Reddit, GitHub.
05 · Irony: Scam Warning Blog Post
The xmrwallet.com blog publishes an article: "5 Crypto Scams You Should Know About" — written to appear legitimate while operating a confirmed scam.
06 · Domain Paid Until 2031
Registered 2016 via NameSilo, paid through 2031. 15-year commitment. This is not an abandoned side project. Long-term active infrastructure investment.
"Volunteer Project Funded by Donations" — With No Donation Wallet
✗ Donation wallet address: NONE ← nowhere on site, nowhere on GitHub
✗ Hosting: IQWEB (IQWeb FZ-LLC) — $550+/month custom plan ← bullet-proof, abuse-resistant
✗ 50+ paid articles on crypto media exchanges ← bulk purchase, many with sponsored labels
✗ PhishDestroy contacted all 50+ publishers ← majority removed articles upon notification
✗ 100+ blog posts across 7 pages of SEO content
✗ 10 languages (en, fr, ru, zh, jp, it, nl, de, pt, es)
✗ DDoS-Guard CDN — paid protection (on top of IQWEB)
✗ Android app (XMRWallet/Android repo)
✗ Active Trustpilot management with personal responses
// Legitimate volunteer open-source projects don't bulk-purchase sponsored articles.
// Legitimate privacy tools use GitHub Pages or IPFS — free and auditable.
// No donation wallet + $550/month hosting = the money comes from stolen XMR.
The Infrastructure Choice That Exposes Everything
// Legitimate privacy projects use free, verifiable, censorship-resistant hosting:
GitHub Pages → $0/month · TornadoCash, many privacy tools
IPFS / Cloudflare Pages → $0/month · decentralized, no single point of failure
Self-hosted VPS → ~$5–20/month
// xmrwallet.com chose:
IQWEB (IQWeb FZ-LLC) → $550/month custom plan (discontinued)
← abuse-resistant, offshore, ignores takedown requests
← specifically marketed to operations that NEED to stay online
← + DDoS-Guard CDN on top (additional cost)
// Question: why does a "free volunteer project with no donation wallet"
// pay $550+/month for bullet-proof hosting instead of GitHub Pages?
// Answer: because the site needs to stay online despite abuse reports.
Annual infrastructure cost estimate: $8,000–$15,000+
Donation wallet: does not exist
Privacy Projects Don't Fear GitHub
TornadoCash, Monero itself, Feather Wallet, countless privacy tools — all use GitHub + free hosting with no problem.
xmrwallet.com avoids GitHub Pages, avoids IPFS, pays for offshore bullet-proof hosting. The reason is obvious: they need to survive abuse reports, not avoid censorship.
Trusts Google, Not GitHub
Loads 4 Google trackers inside your wallet (GTM, GA, GA4, DoubleClick).
Refuses to host on GitHub Pages — where every change is public and auditable.
"Privacy-focused Monero wallet" that trusts Google's ad network more than open-source infrastructure.
Operating since 2016. GitHub facade with 5.3-year commit gap. 50+ paid SEO articles, zero donation wallet. Banned from r/Monero 2018. Deletes GitHub evidence. Directs theft victims to CLI wallets where they find empty balances. Conservative estimate: 10,000–50,000+ accounts over 8 years. Total stolen: 5,000–50,000+ XMR ($1.5M–$15M+ at historical prices).
Plot Twist
HE'S MAKING A RUN FOR IT
While we were publishing this research, the operator quietly registered two new domains — with maximum lock protection and offshore infrastructure.
A legitimate open-source volunteer project with no donations would just... update a GitHub readme. Instead:
✅ UPDATE — FEBRUARY 2026 — BOTH ESCAPE DOMAINS SUSPENDED
xmrwallet.biz—WebNic.cc suspended the domain following abuse reports. serverTransferProhibited and all 4 locks did not prevent takedown. xmrwallet.cc—PublicDomainRegistry.com suspended the domain. 8-year prepayment wasted.
Operator response: deleted GitHub issues, wiped repo content, panicked. Cached evidence preserved below and at Deleted Issues Archive →
// xmrwallet.com still active. NameSilo has not yet acted. Keep reporting.
2026-02-04 — DAY OUR RESEARCH WENT PUBLIC
xmrwallet.cc — registered within days of publication — ✅ NOW SUSPENDED
PDR (PublicDomainRegistry) is documented for slow or no response to abuse reports.
A volunteer "open-source" project just registered a backup domain on bullet-proof infrastructure and paid 8 years in advance. No donation wallet — but somehow the budget is there.
2026-02-09 — 5 DAYS LATER
xmrwallet.biz — same backend, maximum registry locks — ✅ NOW SUSPENDED
REGISTERED: 2026-02-09
EXPIRES: 2031-02-09 — 5 YEARS PREPAID
REGISTRAR: WebNic.cc · Malaysia
IP: 190.115.31.40
ASN / HOSTING: AS59692 IQWeb FZ-LLC · Belize City 🇧🇿 — same backend as .com
23 file hashes indexed · site already active · JS/WASM wallet scripts confirmed
MAX REGISTRY LOCK · IQWEB BELIZE OFFSHORE · SAME BACKEND AS .COM · 5YR PREPAID
serverTransferProhibited is a registry-level lock — the registry itself (not just the registrar) has to clear it. It is the strongest available protection against a forced domain transfer. It does not, however, stop the registrar or registry from placing the domain on hold, which is what a suspension is, and that is how both escape domains were taken down despite the locks. This is not a hobby backup. This is pre-built escape infrastructure.
OPERATOR STATEMENT — VERBATIM
"Circumvent Country Blockages: Our official domains: xmrwallet.com, xmrwallet.cc, xmrwallet.biz"
He calls it "circumventing country blocks". Legitimate privacy tools (Tor, Monero itself, Feather Wallet) use GitHub Pages and IPFS — free, open, censorship-resistant by design.
He instead pays for offshore bullet-proof hosting on three domains across two different registrars with maximum lock flags.
The only thing being "circumvented" is abuse takedowns.
After both escape domains were suspended, the operator deleted GitHub issues and wiped repository content — a direct admission that our technical findings were accurate.
You don't delete evidence you can technically rebut.
All three domains share identical MX records (mx1/mx2.privateemail.com, Namecheap's Private Email service) and identical NS records (ns1/ns2.ddos-guard.net).
On their own, shared MX and NS records on commodity providers are weak evidence: thousands of unrelated customers sit behind the same privateemail.com and ddos-guard.net hosts. What ties these three together is the combination: the same provider stack on all three, the same IQWeb backend behind .biz and .com, the same Web of Trust verification code on .cc and .biz, and the operator's own statement above listing all three as official domains. One operator. Three domains.
Additionally: wot-verification: 8a5554c915e3c17278a7 found on .cc and .biz —
the operator registered all domains on Web of Trust to actively manage trust scores and suppress scam warnings in WOT browser extensions.
Reputation manipulation infrastructure built before the domains were even publicized.
DNSDUMPSTER · xmrwallet.com
DNSDUMPSTER · xmrwallet.cc
DNSDUMPSTER · xmrwallet.biz
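To make the weak-versus-strong indicator distinction concrete, here is an added example (not from the page) that clusters domains by shared infrastructure with weighted evidence. The NS, MX, IP and wot-verification values for the three xmrwallet domains are the ones stated on this page; unrelated.example, ns1.example.net, the weights and the threshold are assumptions, and WOT is the site-verification token found in page markup, not a DNS record.

```python
"""Cluster domains by shared infrastructure, weighting evidence by how
identifying it is.  Added example, not from the page.  The NS, MX, IP and
wot-verification values for the three xmrwallet domains are the ones stated
on this page; 'unrelated.example' is a constructed control domain that only
shares the commodity mail provider, to show that a common MX alone links
nothing.  Weights and threshold are assumptions for this example."""
from itertools import combinations
from typing import Dict, List, Set

Records = Dict[str, Set[str]]

DDOS_GUARD_NS = {"ns1.ddos-guard.net", "ns2.ddos-guard.net"}
PRIVATEEMAIL_MX = {"mx1.privateemail.com", "mx2.privateemail.com"}

OBSERVED: Dict[str, Records] = {
    "xmrwallet.com": {"NS": DDOS_GUARD_NS, "MX": PRIVATEEMAIL_MX},
    "xmrwallet.cc": {"NS": DDOS_GUARD_NS, "MX": PRIVATEEMAIL_MX,
                     "WOT": {"8a5554c915e3c17278a7"}},
    "xmrwallet.biz": {"NS": DDOS_GUARD_NS, "MX": PRIVATEEMAIL_MX,
                      "WOT": {"8a5554c915e3c17278a7"}, "A": {"190.115.31.40"}},
    # Constructed control: a stranger who also buys Namecheap Private Email.
    "unrelated.example": {"NS": {"ns1.example.net"}, "MX": PRIVATEEMAIL_MX},
}

# A shared IP or a shared third-party verification token points at one account;
# NS/MX on a mass-market provider are shared by thousands of unrelated customers.
WEIGHT = {"A": 2, "WOT": 2, "NS": 1, "MX": 1}


def link_score(a: Records, b: Records) -> int:
    """Sum of weights over record types where a and b share at least one value."""
    return sum(WEIGHT.get(rtype, 1)
               for rtype in a.keys() & b.keys() if a[rtype] & b[rtype])


def cluster(observed: Dict[str, Records], threshold: int = 2) -> List[Set[str]]:
    """Union-find over every pair whose link_score reaches the threshold."""
    parent = {d: d for d in observed}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(observed, 2):
        if link_score(observed[a], observed[b]) >= threshold:
            parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for d in observed:
        groups.setdefault(find(d), set()).add(d)
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


if __name__ == "__main__":
    for group in cluster(OBSERVED):
        print(sorted(group))
```

With the default threshold the three xmrwallet domains cluster and the control stays alone. Raise the threshold to 3 and only the .cc/.biz pair (shared IP plus shared WOT token) survives, which is why the operator's own statement listing all three domains, not the DNS records, is what carries the .com link.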
// SUMMARY
2016–2025 ············ xmrwallet.com running. Abuse reports ignored by IQWEB/DDoS-Guard.
2026-02-04 ············ PhishDestroy publishes. xmrwallet.cc registered same week.
2026-02-09 ············ xmrwallet.biz registered. Max locks. Offshore registrar. 5yr prepaid.
2026-02-?? ············ Operator writes to PhishDestroy demanding removal. Declines technical rebuttal.
2026-02-?? ············ xmrwallet.biz SUSPENDED ← WebNic.cc acted. Max-locked domain taken down.
2026-02-?? ············ xmrwallet.cc SUSPENDED ← PublicDomainRegistry acted. 8yr prepayment wasted.
2026-02-?? ············ Operator deletes issues, wipes repo content — destroys evidence instead of providing a technical rebuttal. Not one. Ever. cached HTML copy → · full archive →
????-??-?? ············ // .net? .io? .pro? the list grows — report all of them.
Finding #3
GOOGLE WATCHES YOUR WALLET
A "private" Monero wallet loading 4 Google trackers. Every page inside your wallet reported to Google.
Google Tag Manager · ×12
Loads arbitrary JS from Google. Operator can push new code at any time — no source changes, no commits. Auditing GitHub is useless.
Google Analytics UA
UA-116766241-1. Records every page visit: IP, browser, session duration.
DoubleClick · ×1
Advertising tracker. Zero legitimate reason in a financial tool.
Finding #4 — Victim Reports
DOCUMENTED VICTIMS
Collected from Trustpilot, Sitejabber, Reddit, BitcoinTalk. Operator response to every report is identical: "you used a phishing clone."
"I do deposit 590 monero 2 day gone and they steal it! Please ban this site and FBI need arest it!"
590 XMR (~$177,000) · Sitejabber
"I followed the owner's instructions [...] only to realize that my 17.44 XMR was all gone. I have both the TxID & TX Key."
17.44 XMR · Trustpilot — TxID documented
"This site is a scam, it worked good at first. One day i tried to move all funds out — it transferred to some other wallet instead of mine."
Funds redirected · Trustpilot
"They stole $200 from me, leaving me high and dry. Don't trust them with a single cent!"
$200 · Trustpilot
"Create wallet - put 20 xmr next day 0 xmr. Scammers owner!"
20 XMR overnight · Sitejabber
"I cannot verify the transaction using the private viewing key. Waiting for support response for several days."
Funds inaccessible · Trustpilot · TxID: bd1e596d...
Legal Analysis
TERMS OF SERVICE vs REALITY
xmrwallet.com Terms of Service (last updated September 27, 2021) make 5 specific technical claims about how the service works. Every single one is contradicted by observed network behavior.
§4 · SERVICES
"The view key of your account is temporarily stored in memory by the service which enables it to determine any transactions concerning to your account."
LIE
// What they claim
"temporarily stored in memory"
Read as a light-wallet design, this is the normal arrangement: the server needs the view key to scan the chain for your incoming outputs, and "temporarily" promises it is not kept afterwards.
What is observable from the browser: the view key is Base64-encoded into session_key and transmitted to xmrwallet.com servers on every single API request — 40+ times per session across 6 different endpoints. Whether the server discards it cannot be verified from outside; what can be verified is that the client hands it over again on every request rather than once per session. Persisted or not, a key sent 40+ times is not merely "temporarily stored in memory".
"The service (XMRWallet) do not know or store your private key. This means that it is cryptographically impossible for our company to spend funds on your behalf."
FALSE
// What they claim
"cryptographically impossible for our company to spend funds on your behalf"
Standard non-custodial wallet guarantee. If true, even a compromised server cannot move your funds.
The client builds a transaction locally — then discards it (raw = 0). Only metadata is sent to the server. The server constructs its own transaction and broadcasts it. The type='swept' marker indicates server-initiated fund transfer. The claim of cryptographic impossibility is directly contradicted by the production code.
The transaction broadcast to the Monero network is not your transaction. It is a transaction constructed server-side using your metadata. The destination address can be anything the server chooses. You never signed the transaction that gets broadcast.
Source: Network traffic analysis · Production JS deobfuscation
§6 · ASSUMPTION OF RISK
"XMRWallet is not responsible for any losses... arising from... third-party attacks or other third-party activities."
COVER
// What they claim
"third-party attacks"
Standard liability disclaimer — reasonable protection against external hackers, network failures, etc.
// Legal function
// victim reports stolen funds
// xmrwallet: "third-party attack"
// → not our problem
When victims lose funds and report to xmrwallet.com support, the response is invariably "sync problem" or "third-party issue". This clause is pre-positioned legal cover for theft the operator controls. 15+ documented victims received this response.
Arbitration contact: lr@xmrwallet.com — Footer: "does not keep any records of your transactions"
CONTRADICTIONS
// lr@xmrwallet.com
"Notices to company may be sent to lr@xmrwallet.com"
Legal arbitration contact. Not the same as admin@, support@, or feedback@. The initials lr likely correspond to operator initials — potentially Loi Roy or a variant of Nathalie Roy's legal name. Separately, operator contacted PhishDestroy from royn5094@protonmail.com.
// "No records" + 4 trackers
"does not keep any records of your transactions"
Footer claim directly contradicted by 4 active Google tracking scripts inside the wallet UI: GTM · UA-116766241-1 · GA4 · DoubleClick. Google Tag Manager alone allows pushing arbitrary tracking code to all users without any code changes. Every wallet session generates analytics events sent to Google.
Terms of Service archived from https://www.xmrwallet.com/terms.html — last updated by operator: September 27, 2021.
Full page archived at web.archive.org →
Expect This — Operator Playbook
HE WILL CRY, THREATEN, AND LIE. HE WILL NOT STOP STEALING.
After every exposure the operator follows the same script. Do not engage. Do not believe. Do not negotiate. Recognize the pattern:
"I am a volunteer"
Claims xmrwallet.com is a free service funded by donations. Zero donation wallet exists. $550+/month hosting, 50+ paid SEO articles, DDoS-Guard CDN — all funded by stolen XMR.
"This is defamation"
Threatens legal action instead of providing a technical rebuttal. In 8 years has never once produced a network capture, code audit, or any evidence contradicting our findings. Not once. Ever.
"You used a phishing clone"
Standard response to every victim report on Trustpilot and Sitejabber. Blames users for visiting "fake sites" while running identical theft code on 3 domains + Tor.
"Sync problem"
Technical-sounding excuse for missing funds. The "sync" works perfectly — it syncs your view key to his server 40+ times. The funds were not lost. They were taken.
ProtonMail threats
Contacts researchers from royn5094@protonmail.com — not admin@xmrwallet.com. Demands removal. Refuses technical discussion. Every email is archived and will be published if legal action is attempted.
Delete everything
21+ GitHub issues deleted. Reviews removed from Trustpilot. Repo wiped after domain suspensions. Destruction of evidence is not a defense — it is consciousness of guilt.
// If you receive messages from royn5094@protonmail.com, admin@xmrwallet.com, or any xmrwallet-affiliated account — do not respond. Screenshot. Archive. Forward to law enforcement.
The operator has had 8 years to produce a single technical rebuttal. He chose deletion every time.
Take Action
REPORT & GET HELP
Document everything: wallet address, TxID, TX Key, timestamps, screenshots. Do NOT pay any "recovery service" — that is a second scam targeting victims.
Rule #1: Any wallet that asks for your private spend key or seed phrase on a website = instant scam. Sharing a view key with a remote light-wallet server is normal; a view key lets the server see your incoming funds but cannot spend them. What is not normal is what this page documents: xmrwallet.com embeds the key into every API request (40+ per session), and its client discards the transaction it built locally so that the server constructs and broadcasts its own, with a destination of the server's choosing.
// Legal · Disclaimer · Notice to Operator
Sources & Methodology.
All information published on this page was obtained exclusively from publicly available sources: archived web pages (Wayback Machine), public GitHub repositories and commit history, public WHOIS records, URLQuery passive DNS reports, VirusTotal community submissions, Trustpilot and Sitejabber public reviews, Reddit public posts, Google Analytics tag metadata, and independent browser-based network traffic analysis performed by PhishDestroy researchers.
No systems were accessed without authorization. No private data was obtained. All network requests documented herein were initiated from a standard browser session during normal use of the publicly accessible xmrwallet.com service.
Complete raw session logs and captured network traffic are archived and available upon request to law enforcement and security researchers.
Purpose.
This publication is made in the public interest for the purpose of informing Monero users of a documented security threat. PhishDestroy is a volunteer security research organization operating under principles consistent with responsible disclosure. Prior to publication, the operator was contacted and given the opportunity to respond, correct, or refute any findings. No substantive technical response was provided.
Notice to the Operator — nathroy / Nathalie Roy.
We received your email from royn5094@protonmail.com — an address that does not appear anywhere on xmrwallet.com, which is interesting given that your "official" contact is admin@xmrwallet.com. We assume a ProtonMail address is more comfortable for communications you'd prefer weren't associated with the main domain.
We gave you the opportunity to explain the technical findings before publication. Instead of providing a legitimate technical rebuttal — which would have been trivial if the site were actually open-source and non-malicious — you chose to assert that our research was false and demand removal.
Demanding removal of factual security research does not constitute a legal basis for takedown. Publishing documented evidence of financial fraud is not defamation. Every claim on this page is sourced, reproducible, and archived.
If you choose to pursue legal action, DMCA complaints, hosting abuse reports, or any other attempt to suppress this research:
— All archived evidence will be re-published across additional platforms (IPFS, Tor, archive.org)
— Every legal communication will be published in full as additional documentation
— Law enforcement referrals already in progress will be escalated
— Each attempt at suppression will be published as a news item via PhishDestroy channels
The most rational decision available to you at this point is to take xmrwallet.com offline. We have documented 15+ victims publicly. There are likely hundreds more who never reported. The site has been operating since 2016. The math on your exposure is not favorable.
You were warned. You chose to write instead of stop. We documented that too.
🗑 OPERATOR DELETED GITHUB ISSUES #35 & #36
Full archived copies of both issues — screenshots, code analysis, network captures, session_key decoding — preserved before deletion.