PhishDestroy is not a party to a conflict. PhishDestroy is not a company, not a firm, not a person, and not a side in a dispute. It is a volunteer anti-scam and anti-phishing initiative — independent, non-profit, and free. You cannot name PhishDestroy as a subject of a legal dispute any more than you can sue "anti-fraud." This is not a conflict between PhishDestroy and NameSilo. This is anti-scam research documenting what happened and asking questions that remain unanswered. We have no conflict with anyone. We destroy scam and phishing. That's it.
IPFS Archive — phishdestroy.eth

They delete evidence.
We put it where no one can touch it.

Independent anti-scam research. A volunteer movement against phishing and online fraud. This archive exists because they tried to erase us — deleted from Bing, locked on Twitter, DMCA'd on GitHub, reported on every platform. So we moved to IPFS via Ethereum Name Service. No server to shut down. No host to pressure. No "report" button to abuse.

130K+Domains blocked
$20M+Stolen & documented
7+Platforms censored
0Claims disproven
Our research was completely removed from Bing search. Our Twitter account was locked via X Gold Checkmark corporate support — X's own automated review found "no violation", but the lock remains. Our GitHub repos received false DMCA takedowns. DMCA requests filed against Google search results. This is the same suppression playbook the operator used against victims for 10 years — and this archive is our answer.
ghostarchive.org/archive/CXXZ0
NameSilo tweet defending xmrwallet.com
NameSilo, LLC (IANA #1479) publicly defending a $20M+ Monero theft operation — 11.3K views — permanently archived
Timeline

How the madness unfolded.

Every step documented before it happened. We knew the playbook. We were ready.

2023 — First abuse reports
20+ reports filed through NameSilo's own portal
PhishDestroy submitted 20+ abuse reports about xmrwallet.com and operator-linked mirrors through NameSilo's abuse portal between 2023 and 2026. We hold every delivery receipt — confirmation pages, ticket IDs, automated acknowledgements. Independent researchers had been reporting the same domain for years. Based on archived victim threads and deleted accounts, the real number of reports NameSilo received is likely well over 100. They later claimed: "we had received no abuse reports."
2023–2025 — Years of research
Mapping the operator's suppression machine
Before publishing a single word, we spent years documenting how the operator kept a $20M+ theft operation alive for a decade. His strategy: delete everything, everywhere. What he couldn't delete — he buried.

Deletion: DMCA takedowns against Google, GitHub, domain registrars. Mass-reporting Trustpilot reviews (100+ removed). Filing abuse reports using government email addresses. Taking down YouTube analysis videos. Coordinated reporting on BitcoinTalk, Reddit, Twitter.

SEO burial: We nicknamed him "SEO Grandpa" because his second weapon was parasitic SEO. He ordered 50+ paid articles through Kwork, Freelancehunt, and more expensive intermediaries — all sponsored content placed on third-party sites to push victim complaints out of search results. His freelance orders, complete with article texts and link-building instructions, are still indexed on Google Drive in plain sight. When we got one sponsored article taken down, the host site publicly confirmed it was paid placement. He bought low-quality backlinks at scale, parasitizing the "xmrwallet" brand name built on theft.

The code theater: The operator publishes "open source" code on GitHub to appear legitimate. But the actual site is hosted on DDoS-Guard — a bulletproof hosting provider. If the code is honest, why use DDoS-Guard? Because the production code contains session_key exfiltration, encrypted payloads, and server-side TX construction that don't exist in the public GitHub repository.

We mapped the entire playbook. We knew exactly what would happen. We prepared for every step.
2023–2026 — Domain takedowns
We took down his escape domains. One by one.
The operator registered xmrwallet mirror domains across multiple registrars with 5–10 year registration periods — pre-paid escape routes for when domains got banned. Each clone was linked directly from the main site (all archived in Wayback Machine), hosted on IQWeb / DDoS-Guard, with identical code hashes across every mirror. We systematically reported and took them down, one after another, at different registrars. A "legitimate open-source wallet" does not need pre-registered escape domains across five registrars for a decade. Strange behavior for someone who was allegedly "compromised," isn't it? Perhaps the "hacker" was also kind enough to register backup domains years in advance and host them on bulletproof infrastructure.
February 16, 2026 — Operator's first email
"You are incorrect with your report"
The operator contacted us directly, demanding we remove our report:
"Hi, You are incorrect with your report. There is no phishing going on with xmrwallet.com, this is the official domain name for xmrwallet. We are an open source crypto wallet that is non-custodial, we don't store seeds or keys, everything is done in your browser locally. Please remove your report on us, thank you. N.R."
He claimed the site was working normally. He did not claim he was hacked. He told us to remove our report. Screenshot →
February 2026 — Escalation
Story changes. Then come the threats.
When confronted with the technical evidence — server-side TX hijacking, session_key exfiltrating wallet addresses and private view keys, 8 PHP endpoints, Google Analytics tracking victims — the operator stopped claiming innocence:
"What they use is what they need."
Then came the threats. The operator was confident. He had his registrar. He believed he was untouchable — that we could be silenced like everyone before us. He even suggested we could be taken to court through the registrar. He was wrong about all of it.
March 13, 2026 — NameSilo's public tweet
4 sentences. 4 verifiable lies.
NameSilo's official corporate account publishes a public defense of xmrwallet.com:
"Our Abuse team conducted an in-depth review... the domain was compromised a few months ago... Prior to that, we had received no abuse reports... [working with the registrant to remove the website from VT reports]."
Lie #1: "Compromised" — We have SHA-256 hashes of the site code from before and after the alleged "compromise" window. The code never changed. The IP never changed. NameSilo invented this story. The operator himself never claimed compromise in his emails — he said the site was working normally. Lie #2: "No abuse reports" — 20+ from us alone since 2023, with delivery receipts. Likely 100+ total from all reporters. Lie #3: The operator was directly involved — he emailed us defending his code. Lie #4: A registrar publicly committing to remove VirusTotal detections for a known drainer. Not investigate. Not suspend. Help the scammer avoid detection. Full debunking →
March 16, 2026 — Receipts published
@Phish_Destroy posts the rebuttals
Three rebuttals posted to Twitter, each citing the operator's own emails: "@NameSilo is lying", "@NameSilo is acting as press secretary for a $20M+ theft operation", and "Who is this operator to you?" Every tweet archived to Wayback Machine and GhostArchive within minutes of posting — before the lock came. We also tagged NameSilo under older threads from other researchers documenting xmrwallet going back to 2022.
March 18, 2026 — ICANN & law enforcement
Full case file submitted
Complete evidence package forwarded to ICANN Contractual Compliance and federal law enforcement. SHA-256 verified screenshots, archived tweets, email headers, operator communications, all delivery receipts for ignored abuse reports. Announced publicly on Twitter. This post appears to have triggered what came next.
Late March 2026 — Silenced
Gold Checkmark used to lock @Phish_Destroy
Days after the ICANN escalation, @Phish_Destroy is permanently locked. X Support: "Our support team has determined that a violation against inauthentic behaviors occurred." No tweet quoted. No rule cited. The signature of a human-agent decision via the paid Gold Checkmark live-support channel — concierge censorship you can buy.
April 15, 2026 — X contradicts itself
"No violation. Account restored." — Still locked.
On appeal, X Support: "Our automated systems have determined there was no violation and have restored your account to full functionality." Subject: "Your account has been restored." The account is still locked. The subscription is still billed. X's own automation cleared us. The Gold Checkmark override persists. Screenshot →
April 2026 — Full suppression
Bing, DDoS, DMCA, content scrubbing
All phishdestroy.io results removed from Bing. DDoS traffic against phishdestroy.io correlated with NameSilo's abuse-tolerant infrastructure. DMCA requests filed against Google results. Coordinated reporting against GitHub repos, Medium articles, public mirrors. Every surface with a "report" button — weaponized.
May 2026 — This archive
IPFS + Ethereum Name Service. No "report" button.
Every takedown made the archive bigger. The operator and NameSilo occupy the same side. Both seem confident their arrangement will survive scrutiny. It won't. We are also aware that criminal cases related to xmrwallet are open in Europe. This archive will serve as evidence.
The unanswered questions

Who owns xmrwallet.com?
Why did NameSilo risk everything to protect them?

Evidence

What's in the files — and why.

Every claim is backed by source material. Every screenshot is SHA-256 fingerprinted. Every external link has at least one immutable archive copy.

📧

Operator Emails

Direct correspondence from the xmrwallet operator "N.R." — defending the site, demanding report removal, changing his story from "it's legit" to threats. Proves NameSilo's "compromise" story was invented — the operator never claimed it.

View →
📊

Technical Breakdown

8 PHP endpoints for key exfiltration. Server-side transaction construction. session_key carrying wallet address + private view key, base64-encoded. Google Analytics tracking victims. Production code vs. GitHub code comparison.

View →
📸

SHA-256 Verified Screenshots

16 screenshots in the evidence directory. NameSilo's tweet, operator emails, X Support contradictions, third-party research threads. Each file fingerprinted in EVIDENCE_HASHES.txt. Court-usable format.

View →
🔍

Code Hashes & Forensics

SHA-256 hashes of the xmrwallet.com source code captured before and during the alleged "compromise" period. The code never changed. The IP never changed. NameSilo's "compromise" claim is provably false.

View →
📜

The 4 Lies — Debunked

Line-by-line analysis of NameSilo's March 13 tweet. Each of the 4 sentences is independently proven false using documents NameSilo does not control: operator emails, delivery receipts, code hashes.

View →
🌍

Archived Sources

Every external reference has Wayback Machine, GhostArchive, or archive.today copies. The Twitter archive methodology is documented. Even if every platform goes dark, the evidence survives.

View →
For Victims & Authorities

You are not powerless. Don't stay silent.

The operator's entire strategy depends on victims giving up after being silenced. This section is for those who refuse.

🛡️

If you are a victim

We know it feels hopeless. Monero is private. Your money seems gone. They deleted your reviews, your posts, your warnings. They want you to believe there's nothing you can do. That's not true.

  • There are legal levers. The registrar is a US company (NameSilo, LLC, IANA #1479). They can be called to court. The scam operator himself suggested this — interesting, isn't it?
  • Monero is private, not invisible. Transaction timing, exchange deposits, IP correlation, and the operator's own infrastructure leave traces. Evidence exists. Forensics firms specialize in this.
  • Criminal cases are open in Europe. You are not alone. Other victims have contacted us. The documented amount exceeds $20M, and we believe the real total is at least 5 times higher.
  • Don't be afraid of account deletion. Yes, they will try to delete your posts, your reviews, your warnings. Let them. Every deletion is documented. Every suppression attempt becomes evidence. They cannot just steal your money and force you to stay silent.
  • File abuse reports. Even if previous reports were ignored, file them. With NameSilo. With ICANN. With your local law enforcement. Each report creates a paper trail that becomes harder to deny.
  • Contact us: abuse@phishdestroy.io — your report will be added to the case file.

The operator's power was making victims disappear. This archive makes that impossible.

⚖️

For law enforcement & regulators

This archive is structured as a court-ready evidence package. Everything you need is here.

  • ICANN Compliance: Full case file submitted March 18, 2026. NameSilo (IANA #1479) is an accredited registrar subject to RAA obligations including abuse handling.
  • Evidence integrity: Every screenshot is SHA-256 fingerprinted in EVIDENCE_HASHES.txt. The hashes were published before any party could have modified the originals.
  • Operator identification: The operator signed emails as "N.R." Technical infrastructure analysis, domain registration patterns, and payment trail documentation are in OPERATOR_PROFILE.md.
  • Registrar conduct: NameSilo's public statement contains 4 independently falsifiable claims. Full analysis: THE-LIES.md. The suppression campaign is documented in PRESSURE.md.
  • License: Explicit written consent for any victim, prosecutor, regulator, or court to use this material as-is.
  • Theft mechanism: Server-side transaction hijacking via 8 PHP endpoints. Full technical breakdown in the xmrwallet investigation.
  • Scale: Documented losses exceed $20M. Based on victim contacts and timeline analysis, the actual total over the full operating period is likely $100M+.
  • Recommended subpoenas — Trustpilot: Request all deleted/removed reviews for xmrwallet.com. Over 100 victim reviews were removed through automated moderation abuse. The original reviews are recoverable via SHA-256 hashes and Wayback Machine snapshots of the Trustpilot page. The delta between archived and current reviews is the suppression count.
  • Recommended subpoenas — GitHub: Request the full issue history for the xmrwallet repository, including deleted issues. We observed issues disappearing — the gap between sequential issue IDs and the ones we recorded proves deletions. Request deleted user accounts associated with victim reports.
  • Domain registration pattern: The operator registered xmrwallet mirrors across multiple registrars with 5–10 year registration periods. Each clone domain linked directly from the main site — all archived in the Wayback Machine. We systematically took these domains down, one by one. A legitimate service does not pre-register escape domains for a decade across multiple registrars. This is infrastructure for a long-term fraud operation.
  • Hosting forensics: All domains use IQWeb / DDoS-Guard infrastructure. The codebase hash is identical across every mirror — public scan results confirm this. These are not independent clones or compromised copies. This is a single operator deploying the same theft code across a network of domains on bulletproof hosting.
Archive

Complete mirrors. Self-contained. Permanent.

Every repository, every page, every screenshot. GitHub goes down, domains get seized, accounts get locked — it's all still here.

Blocklist

DestroyList

Real-time phishing & scam domain blocklist. 130,000+ curated threats. Plain text, hosts, AdBlock Plus, dnsmasq. Threat intelligence API. All raw data included.

Dashboard list.txt DNS Feeds Docs
Evidence

NameSilo Cover-Up

The registrar's tweet, operator emails, X Support contradictions, SHA-256 verified screenshots, full technical breakdown. Filed with ICANN and law enforcement.

Evidence Site Proofs Operator
Research

xmrwallet.com

Private key theft, server-side TX hijacking, 8 PHP endpoints, Google Analytics tracking. Deleted GitHub Issues #35 & #36 — cached copies included.

Full Investigation Research Docs
Intel

ScamIntelLogs

Scam operator infrastructure analysis. Phishing kits, panel configs, affiliate networks, crypto drainer source code. Raw intelligence.

Browse Intel Wiki
Tools

DestroyScammers

Interactive scam analysis dashboard. Domain lookup, operator tracking, infrastructure mapping.

Dashboard Scripts
Archive Map

What's inside. Where to find it.

Full directory of this IPFS archive. Every page, every document, every piece of evidence — linked and described.

🛡️ destroylist/ Phishing & scam domain blocklist — 130K+ domains +
index.html Dashboard — interactive blocklist viewer docs.html API documentation & integration guide list.txt Raw blocklist — 130K+ domains, plain text README.md Project documentation dns/ DNS feeds — active domains, daily/weekly/monthly JSON dns/active_domains.json Currently active threat domains dns/active_domains.txt Active domains, plain text format
📋 namesilo-evidence/ NameSilo cover-up — complete evidence dossier +
docs/index.html Evidence site — full navigable presentation THE-LIES.md 4 lies debunked — line-by-line analysis of NameSilo's tweet PROOFS.md SHA-256 verified evidence & proof chain OPERATOR_PROFILE.md Operator identification & infrastructure analysis PRESSURE.md Suppression campaign documentation CONNECTION.md Connection between operator and registrar ARTICLE_FULL.md Complete investigation article SCAM_TECHNICAL.md Technical analysis of the theft mechanism TWITTER_ARCHIVE.md @Phish_Destroy tweet archive methodology VICTIMS.md Victim reports & documented losses SOURCES.md All external sources with archive URLs EVIDENCE_HASHES.txt SHA-256 fingerprints of all evidence files EVIDENCE_INDEX.md Index of 16 evidence screenshots MEDIUM_MIRROR.md Mirror of Medium articles deleted-issues/issue-35.html Cached copy of deleted GitHub Issue #35 deleted-issues/issue-36.html Cached copy of deleted GitHub Issue #36 xmrwallet-evidence/domains/ Domain registration analysis per TLD proof/TECHNICAL_EVIDENCE.md Server-side theft mechanism forensics proof/GOOGLE_ANALYTICS.md How the operator tracked victims via GA
🔍 xmrwallet/ xmrwallet.com investigation — full research repo +
index.html Main investigation page docs/index.html Research documentation site docs/deleted.html Deleted evidence — GitHub issues, reviews, posts Scam Exposed Main exposé article NameSilo Cover-Up Registrar involvement article Is xmrwallet Safe? Safety analysis Captcha Defeated How we bypassed the operator's captcha Nathalie Roy Operator identity investigation Alternatives Safe Monero wallet recommendations Deleted Evidence What the operator tried to erase cache-issue35/ Cached GitHub Issue #35 cache-issue36/ Cached GitHub Issue #36 TECHNICAL_EVIDENCE.md 8 PHP endpoints, TX hijacking, key exfiltration GOOGLE_ANALYTICS.md Victim tracking via Google Analytics domains/ All xmrwallet TLDs: .com, .net, .cc, .biz, .me, .onion YOUR_KEYS_ARE_MINE/ Key theft proof-of-concept
📡 scamintel/ ScamIntelLogs — scam operator infrastructure analysis +
index.html Intel dashboard — all operations wiki.html Scam operator wiki 717Team/ 717 Team phishing operation analysis BitXLucky/ BitXLucky crypto scam logs LuxardGambling/ Luxard gambling fraud operation MercuryTeam/ Mercury Team — payments & theft records RublevkaTeam/ Rublevka Team operation analysis TRXDrop/ TRX airdrop scam infrastructure TheProject/ TheProject phishing operation TrustWalletPanel/ Fake Trust Wallet panel analysis WasabiSquad/ Wasabi Squad operation logs gambler/ Gambler scam network investigation keitaro/ Keitaro TDS abuse — panels, domains, IOCs nicecrypto/ NiceCrypto operation analysis olympus-panel/ Olympus phishing panel research
💻 destroyscammers/ Scam analysis dashboard & OSINT tools +
index.html Interactive analysis dashboard scripts/ Python OSINT toolkit — 14 scripts data/data.json Scam operation database data/registrants.json Domain registrant patterns
Suppression Log

Every platform. Every time. Same playbook.

The operator kept victims silent for a decade. Then he tried it on us. We documented it all before it happened.

Twitter / X

Gold Checkmark corporate support used to lock @Phish_Destroy. X reviewed: "no violation." Still locked.

Bing Search

All phishdestroy.io results removed from Bing. Complete erasure from Microsoft search.

GitHub

False DMCA takedowns against repos. Operator deleted Issues #35 & #36 with victim reports.

Trustpilot

100+ victim reviews removed through automated moderation abuse.

Google / DMCA

DMCA requests against Google search results, domains, hosting. Anything reportable gets reported.

SEO Burial

50+ paid articles via Kwork, Freelancehunt, intermediaries. Orders indexed on Google Drive.

YouTube

Technical analysis videos reported and removed. Researchers demonstrating the theft silenced.

BitcoinTalk

Coordinated reporting against warning threads. Community discussion suppressed.

Gov Emails

Government email addresses used to file fraudulent abuse reports on platforms.

DDoS-Guard

"Open source" wallet on bulletproof hosting. GitHub code ≠ production code. Anti-analysis infrastructure.

Every platform with a "report" button has been weaponized. Every search engine accepting DMCA requests has been abused. Every freelance marketplace used to buy burial. This is a decade-long strategy — not an accident. The operator and NameSilo are on the same side. The case file is with ICANN Contractual Compliance and federal law enforcement.

Contact

Report. Verify. Contribute.

Main Site

phishdestroy.io

GitHub

github.com/phishdestroy

Codeberg

codeberg.org/phishdestroy

Ethereum Name Service

phishdestroy.eth

Medium

phishdestroy.medium.com

Telegram Bot

@PhishDestroy

Mastodon

infosec.exchange/@phishdestroy

Victim Reports

abuse@phishdestroy.io

Submit Evidence

report@phishdestroy.io