{
  "meta": {
    "collected": "2026-05-17",
    "total_size_kb": 96,
    "sources_used": [
      "PullPush API (Reddit archive)",
      "GitHub API (authenticated)",
      "VirusTotal API",
      "SecurityTrails API",
      "Shodan API",
      "Hunter.io API",
      "Exa Search API",
      "URLScan.io",
      "crt.sh",
      "OpenRouter (AI model testing)",
      "CleanTalk",
      "DNS over HTTPS (Google)",
      "Playwright browser automation"
    ]
  },
  "domain_transfer": {
    "date": "2026-05-13",
    "from": "NameSilo LLC (IANA #1479)",
    "to": "Namecheap Inc",
    "new_expiry": "2036-05-13",
    "old_expiry": "2035-08-29",
    "note": "Operator transferred domain 4 days ago and extended 1 year. NOT retiring."
  },
  "whois_hash_match": {
    "xmrwallet.com": {
      "city": "7a96e04d2a2490b3",
      "org": "566bb814321610e4",
      "state": "e1c7c1911395a3cf",
      "zip": "c692e0cb8851b160",
      "email": "54b4f253f07e55ebs@privacyguardian.org"
    },
    "xmrwallets.com": {
      "city": "7a96e04d2a2490b3",
      "org": "566bb814321610e4",
      "state": "e1c7c1911395a3cf",
      "zip": "c692e0cb8851b160",
      "email": "702d68599dc86452s@privacyguardian.org",
      "match": "4/4 hashes identical = SAME PERSON"
    }
  },
  "escape_domain_whois_cluster": {
    "shared_state_hash": "e1a13ff8c8552296",
    "domains": [
      "xmrwallet.biz",
      "xmrwallet.net",
      "xmrwallet.me"
    ],
    "note": "All 3 escape domains share same state hash = same registrant"
  },
  "xmrwallet_me_live": {
    "date_live": "2026-03-05",
    "title": "Best Monero Wallet (XMR) - Send & Receive Monero Securely",
    "urlscan_screenshot": "https://urlscan.io/screenshots/019cbcbb-b9c8-747d-a501-908676de3b41.png",
    "banner_text": "Circumvent Country Blockages: Our official domain(s): xmrwallet.com, xmrwallet.net, xmrwallet.me",
    "features": [
      "Create XMR Wallet",
      "Login",
      "Blog",
      "Support",
      "Tor onion"
    ],
    "current_status": "Backend disconnected, DNS/MX/SPF/Google verification still active",
    "shodan_subdomains": [
      "admin",
      "api",
      "app",
      "apps",
      "backend",
      "cdn",
      "dev",
      "login",
      "m",
      "panel",
      "sitemap",
      "staging",
      "test",
      "testing",
      "www"
    ]
  },
  "traffic_data": {
    "source": "siteindices.com (Oct 2019)",
    "global_rank": 459346,
    "top_country": "Philippines",
    "country_rank": 12842,
    "daily_visitors": 6861,
    "estimated_worth_usd": 71372
  },
  "scam_addresses_monero": [
    {
      "address": "46U48fkNkteDJEWypqHH9NfLWsTNMNFZiRETdVm1Q73234hifuMhqKCAYx3muwWb2955twtpKvUncEdSBWeeX8UL49sAQWo",
      "type": "operator donation",
      "source": "support_login.twig in GitHub"
    },
    {
      "address": "48AKq9BfZuE8sPNCf2tB88M51n7y3t25QJEgadYzs2yCVb1LBjyBWxS3k43F78Z2gT5pSYhygDy3HZsXVeg53FLMTwafDNS",
      "type": "xmrwallet.in phishing",
      "source": "u/XMR2021 Reddit Nov 2020"
    },
    {
      "address": "43NQ57boq4YUmpu6CQurXUi86meYvh1npj2CRbvSrECKhZDsAbGg6jAixXC9EA8c85aNNmw3jsmsodg89HDKREjS9129JdV",
      "type": "xmrwallet.net phishing",
      "source": "blogspot Sep 2020"
    }
  ],
  "victim_tx_hashes_verified": [
    {
      "hash": "986c9821e95edde80589165bae653a59357050f743834e9bd7606d963cefa91b",
      "block": 2327688,
      "date": "2021-04-30",
      "victim": "u/CommercialAd5283"
    },
    {
      "hash": "00a888c91b0f6cceb8e2a7d2fc1a93dd00253d53d6226c74604399b0d51cf0a1",
      "block": 2666869,
      "date": "2022-07-14",
      "victim": "u/dance88 (GitHub#8440)"
    },
    {
      "hash": "b3f2ca86fdc786d846d5d3ce29d40ace2876e0c3fc9fd2a5448ae99b2723ab8f",
      "victim": "u/Practical-Demand-174",
      "amount": "1060 XMR"
    }
  ],
  "sock_puppet_network": {
    "philippines_accounts": {
      "craig_d_79": {
        "role": "r/xmrwallet moderator, SEO expert",
        "location": "Tagaytay/Cavite",
        "mentions": 7
      },
      "purpleandviolet": {
        "role": "main promoter, darknet targeting",
        "mentions": 37,
        "darknet_subs": 16
      },
      "Extra-Expert7685": {
        "role": "gambler, support",
        "location": "Philippines (WeddingsPhilippines, DigitalbanksPh)",
        "mentions": 6
      }
    },
    "shared_thread_proof": "Thread 1bp6nif (r/onions) - ALL THREE recommend xmrwallet simultaneously",
    "total_shared_threads": 8
  },
  "ai_poisoning": {
    "gpt_3_5_turbo": "Recommends xmrwallet.com as #2 Best Monero web wallet",
    "gemini_2_flash": "Mentions but soft warning only",
    "llama_3_1_70b": "Correctly says not safe",
    "mistral_large": "Correctly says not recommended",
    "cause": "15+ SEO listicle articles + operator blog + paid placements in training data"
  },
  "operator_emails_status": {
    "royn5094@protonmail.com": {
      "status": "VALID",
      "score": 89,
      "cleantalk": "spam history"
    },
    "hassizabir@gmail.com": {
      "status": "VALID",
      "score": 92
    },
    "titanmaster138@gmail.com": {
      "status": "VALID",
      "score": 92
    },
    "admin@xmrwallet.com": {
      "status": "INVALID",
      "reason": "no MX records"
    }
  },
  "github_network": {
    "nathroy": {
      "name": "Nathalie",
      "location": "Canada",
      "bio": "Cryptocurrency developer and jump rope expert"
    },
    "tooniecoin": {
      "name": "Ronald Mason",
      "location": "Waterloo Ontario Canada",
      "company": "Canadian Spectrum Holding Corp / GeckoWebsites",
      "role": "Enom/Tucows Domain Wholesaler",
      "follows_all_sock_puppets": true
    },
    "BernickBeckForensic": {
      "type": "fake law firm account",
      "mirrors_nathroy_followers": true
    },
    "relly34mfk": {
      "bio": "SEO expert",
      "company": "atadevelopers.com"
    },
    "pushpush_titanmaster138": {
      "role": "frontend contractor 2018",
      "employer": "Kinescope (Russian video)",
      "connection_to_operator": "none beyond contract"
    }
  },
  "infrastructure_co_hosting": {
    "186.2.165.49": {
      "org": "IQWeb Dubai",
      "co_hosted": [
        "kinogo.ec (Russian pirate streaming)"
      ]
    },
    "185.129.100.248": {
      "org": "DDOS-Guard Rostov",
      "co_hosted": [
        "rustme.ru (Russian Minecraft)",
        "kuchaknig.org",
        "Russian .ru domains"
      ]
    },
    "190.115.31.40": {
      "org": "IQWeb Dubai",
      "co_hosted": [
        "bclubs.to (BriansClub carding)",
        "kellys-landing.com",
        "repaygate.io"
      ]
    },
    "147.45.110.175": {
      "org": "TimeWeb St Petersburg",
      "co_hosted": [
        "40+ phishing domains: Keplr, Trust Wallet, Ledger, BSCScan, DeBank, banks"
      ]
    }
  },
  "suppression_stats": {
    "reddit_posts_total": 93,
    "r_monero_removed_pct": 60,
    "reddit_legal_takedowns": 5,
    "deleted_github_issues": "21+",
    "trustpilot_removed_reviews": "50+"
  },
  "still_live_infrastructure": [
    "sites.google.com/xmrwallet.cfd/xmrwallet-official/ (PHISHING)",
    "sites.google.com/view/xmr-wallet1 (SEO backlink)",
    "storage.googleapis.com/abrahambrantley/WalletXmr.html (SEO)",
    "alvislewis.s3.amazonaws.com/MoneroWallets.html (SEO)",
    "edwardscott.blob.core.windows.net/paperwallet/FreeMonero.html (SEO)",
    "3 Google Drive folders (hassizabir@gmail.com)",
    "u/purpleandviolet still active on Reddit (Apr 2025)",
    "xmrwallet.me DNS/MX/SPF/GSV fully configured"
  ],
  "threat_intel_ioc": [
    {
      "date": "2025-02-03",
      "researcher": "@Phish_Destroy",
      "tag": "#phishing"
    },
    {
      "date": "2025-07-13",
      "researcher": "@CarlyGriggs13",
      "tag": "#phishing"
    },
    {
      "date": "2026-03-16",
      "researcher": "@skocherhan",
      "tag": "domain IOC"
    }
  ]
}