Terms of Use

Last updated: May 19, 2026

What this is

This website is an interactive proof-of-concept and security research demonstration created by PhishDestroy.io.

It reconstructs the exact technical mechanism used by xmrwallet.com — a Monero "web wallet" operated via Namesilo domain registration — to steal cryptocurrency from users for 8 years (2018–2026). The purpose is to provide practical, verifiable evidence that refutes the operators' claims that "no theft occurred."

This is a demonstration, not an accusation against Google.
Google Analytics (UA-116766241-1) appears on this site because it appeared on the original xmrwallet.com. Google is a third party whose tracking infrastructure was present on a scam site — nothing more. The investigation concerns Namesilo, the domain registrar that hosted the scam, and the operators behind xmrwallet.com.

All data is fake and demonstrative

Every piece of data on this site is generated locally in your browser for demonstration purposes.

Wallet seeds are randomly generated — they do not correspond to real Monero wallets
Addresses and keys are derived from random data — they cannot hold or receive real funds
Transactions are simulated — no real blockchain interactions occur
The "operator panel" demonstrates what the real operator could see — with fake data
IP addresses, countries, and user profiles shown in the demo are fictional
All data is stored in your browser's localStorage and never transmitted anywhere

Purpose

This project exists for one reason: to show, practically and interactively, how xmrwallet.com stole Monero.

The operators' farewell letter (April 2026) claimed they never stole funds and that the wallet was "safe." Our investigation — based on network captures, code analysis, and OSINT — demonstrates the opposite:

139 API requests were captured per session, many containing base64-encoded private view keys
47 view key transmissions were sent to the server via session_key parameters
4 Google Analytics tracking IDs were used across the operation's lifetime
The session_key format ([blob]:[base64(address)]:[base64(viewkey)]) was designed to exfiltrate keys while appearing innocuous

Unlike the operators of xmrwallet.com, we don't lie. Everything on this site is transparent, open-source, and verifiable. View the source code. Check every request. We hide nothing — because that's the difference between research and fraud.

What this is NOT

This is not a real cryptocurrency wallet — do not send real funds to any address shown
This is not a phishing site — we explicitly tell you it's a demo on every page
This is not an accusation against Google — their analytics was a tool used by the scammers, nothing more
This is not legal advice — it is technical security research

Namesilo and the domain

xmrwallet.com was registered through Namesilo (registrar contact: Leonid). The domain operated for 8 years while facilitating cryptocurrency theft. The registered operator identity pointed to Nathalie Roy, described in WHOIS as a Canadian government employee. Traffic was routed through DDoS-Guard, a Russian DDoS protection service.

These are facts derived from public WHOIS records, DNS history, and network analysis. This demonstration allows anyone to verify the technical claims independently.

No warranty

This site is provided "as is" for educational and research purposes. PhishDestroy.io makes no guarantees about the completeness or accuracy of the reconstruction, though every effort has been made to replicate the original mechanism faithfully based on captured network data.

Contact

PhishDestroy.io — security@phishdestroy.io

PGP: See /.well-known/security.txt