Phase 1: Set fake balance (victim thinks funds are there)
GA Measurement ID
GA Trigger Mode — how xmrwallet hid from scanners
"Click" = GA loads only after user interaction (default, like real xmrwallet). URLScan shows clean page.
"Always" = GA loads on page load. URLScan shows google-analytics.com requests.
Make two scans with different modes → proof they controlled when GA appeared.