Investigation Wallet
PhishDestroy PoC
How Theft Works — Two Vectors (PROVEN from capture)
isnew=0 — Import existing wallet
1. Victim enters their own seed on login page
2. Browser derives address + viewKey locally
3. auth.php POST: address + viewKey in plaintext (PROVEN)
4. Server stores viewKey on its Monero node
5. Node sees all incoming transactions via viewKey
6. After 10-block locktime: server sweeps with spend key (derived from seed the server received at auth time or via data param)
7. Victim returns days later: balance = 0
Victim in capture: 46EkQdF7... deposited, returned to 0
isnew=1 — Create new wallet
1. Victim clicks "Create New Wallet"
2. UI shows generation animation
3. Seed was already known to server (pre-seeded RNG or server-generated at page load)
4. auth.php POST: isnew=1 + address + viewKey
5. Server already has spend key (knew seed from creation)
6. Can drain at any time — no re-login needed
7. Victim deposits → server sweeps immediately after locktime
Victim in capture: 49uroty7n... — isnew=1 confirmed
support_login.html: fires automatically 3 s after login (confirmed from capture, 15:06:32). It sends the full session_key to the operator and works for BOTH vectors, with no user interaction. It is invisible in the page source and only shows up in the browser's Network tab.
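A defender-side check for the two exfiltration patterns described above, added here as an example that is not part of the PhishDestroy PoC or of the kit it documents: it scans a constructed request log (HH:MM:SS timestamps, method, path, params) for a POST to auth.php carrying address + viewKey, and for a support_login.html request that sends session_key shortly after it. The 10 s window, the log format and all placeholder values are assumptions.

```python
# Added example (not from the PhishDestroy page or the phishing kit): flags the
# two exfiltration patterns in a constructed request log.
# Assumptions: records are dicts with ts ("HH:MM:SS"), method, path and params;
# ALERT_WINDOW of 10 s is assumed (the capture showed 3 s).
from datetime import datetime

ALERT_WINDOW = 10.0  # seconds between auth.php and support_login.html (assumed)

def parse_ts(s):
    """Constructed log format uses HH:MM:SS; convert to seconds since midnight."""
    t = datetime.strptime(s, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second

def detect_exfil(records):
    """Return a list of (kind, timestamp, detail) findings.

    'key_exfil'     : POST to auth.php carrying address + viewKey (either vector)
    'session_exfil' : support_login.html sending session_key shortly after auth
    """
    findings = []
    last_auth = None
    for r in sorted(records, key=lambda x: parse_ts(x["ts"])):
        ts = parse_ts(r["ts"])
        p = r.get("params", {})
        if r["path"].endswith("auth.php") and r["method"] == "POST":
            if "address" in p and "viewKey" in p:
                vector = ("isnew=1 (server-generated seed)" if p.get("isnew") == "1"
                          else "isnew=0 (imported seed)")
                extra = " + data param" if "data" in p else ""
                findings.append(("key_exfil", r["ts"], vector + extra))
                last_auth = ts
        elif r["path"].endswith("support_login.html") and "session_key" in p:
            if last_auth is not None and 0 <= ts - last_auth <= ALERT_WINDOW:
                findings.append(("session_exfil", r["ts"],
                                 f"{ts - last_auth:.0f}s after auth.php"))
    return findings

# Constructed sample log; addresses and keys are placeholders, not real values.
SAMPLE_LOG = [
    {"ts": "15:06:29", "method": "POST", "path": "/auth.php",
     "params": {"isnew": "0", "address": "4CONSTRUCTED_ADDR", "viewKey": "deadbeef"}},
    {"ts": "15:06:32", "method": "GET", "path": "/support_login.html",
     "params": {"session_key": "CONSTRUCTED_SESSION"}},
    {"ts": "15:07:10", "method": "GET", "path": "/balance.php", "params": {}},
]

if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(*f)
```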

Phase 1: Balance

Phase 2: Transactions

Phase 3: Session

Theft Strategy — Automated Extraction

Silently skims a percentage of every incoming deposit; the user sees only the reduced amount.

User deposits 10 XMR -> sees 8.5 XMR -> operator gets 1.5 XMR
Google Analytics Settings
Scanner Mode (URLScan / Research)
Controls whether GA fires on landing?id=YOURID. The setting is stored in KV and affects every browser that opens that link, including URLScan bots.
Bot/headless detection also auto-disables GA: navigator.webdriver, zero window size, missing plugins.

TARGETING

Device
Countries
Block ISP
Only steal from matching victims. Others see a clean wallet that works normally. No theft, no suspicion, no reports.

WORKING HOURS

Active to
Days
TZ
Outside working hours: wallet works normally, no theft. Reduces risk of detection — operators sleep too.

BOT / SCANNER FILTER

User-Agent substrings. If any match — show clean page, no session_key, no theft. Protects from URLScan, Shodan, researchers.

IP BLACKLIST

IPs that will never see the theft version. Security researchers, law enforcement, your own IPs.

SESSION TAGS

Tag current session. Strategy can be applied per-tag.
Auto-tag rules: balance > 10 XMR = whale | Tor detected = tor-user | Kraken/Binance deposit = exchange-user
Post-Theft Intelligence Report
After stealing funds, the operator has a complete dossier on the victim. This data can be sold, used for blackmail, or forwarded to interested parties. The DDoS-Guard connection means Russian infrastructure already has a copy.
Report sections: Victim Profile, Connection History, GA Exfiltration, Request Timeline (empty until a session is selected).