Dear ICANN Compliance Team,
We are submitting this formal complaint in our capacity as cybersecurity researchers who have conducted an extensive technical investigation into the domain xmrwallet.com, a confirmed Monero cryptocurrency theft operation active since 2016. We believe it is our professional and ethical obligation to escalate this matter to ICANN, as the registrar of record — NameSilo, LLC — has not only failed to act on a well-documented abuse report, but has actively fabricated a defense for the domain operator and assisted in undermining security vendor classifications.
This complaint is supported by technical evidence, the operator's own email correspondence, and the independent enforcement actions of three other ICANN-accredited registrars who reviewed the same evidence and suspended the operator's domains.
xmrwallet.com is a web-based Monero wallet that presents itself as a privacy-focused open-source tool. Our investigation, conducted between February and March 2026, established through live network capture and source code analysis that the site performs two distinct theft mechanisms:
session_key parameter. This key is sent 40+ times per session across 8 PHP endpoints. The operator can monitor all wallet balances and incoming transactions in real time.
raw_tx_and_hash.raw = 0) and replaced by a server-constructed transaction that redirects funds to an address controlled by the operator. A custom theft marker (type == 'swept'), absent from the Monero protocol, is used to track stolen transactions.
The operation has been active since August 29, 2016 (domain registration date). We have documented 15+ victims with confirmed losses exceeding $2M USD equivalent in Monero (XMR). The operator is identified as Nathalie Roy (Canada), GitHub username: nathroy (ID: 39167759), email: royn5094@protonmail.com.
Full technical evidence is publicly available at:
https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/
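The view-key observation above can be checked independently against a network capture taken with a throwaway test wallet. The following is an added example, not part of the original complaint or the investigators' tooling; the host, paths, capture layout and the two key encodings tried (Base64 of the hex string, Base64 of the raw bytes) are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed test-wallet key: never use a key that guards real funds.
TEST_VIEW_KEY_HEX = "ab" * 32


def decode_b64(value):
    """Decode standard or URL-safe Base64; return None if value is not Base64."""
    text = value.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def key_form(data, view_key_hex):
    """Say whether data is the key as raw bytes or as a hex string (assumed forms)."""
    if data == bytes.fromhex(view_key_hex):
        return "raw"
    if data.lower() == view_key_hex.lower().encode():
        return "hex"
    return None


def find_view_key_leaks(requests, view_key_hex):
    """Return (path, parameter, wrapping, form) for every parameter carrying the key."""
    hits = []
    for req in requests:
        parts = urlsplit(req["url"])
        params = parse_qsl(parts.query) + parse_qsl(req.get("body", ""))
        for name, value in params:
            views = [("plain", value.encode()), ("base64", decode_b64(value))]
            for wrapping, data in views:
                form = key_form(data, view_key_hex) if data is not None else None
                if form:
                    hits.append((parts.path, name, wrapping, form))
    return hits


def sample_capture(view_key_hex):
    """Constructed capture; host, paths and extra parameters are placeholders."""
    leaked = base64.b64encode(view_key_hex.encode()).decode()
    return [
        {"url": "https://wallet.example/a.php", "body": urlencode({"session_key": leaked})},
        {"url": "https://wallet.example/b.php?" + urlencode({"session_key": leaked})},
        {"url": "https://wallet.example/c.php?" + urlencode({"lang": "en"})},
    ]
```

Any hit means the page sent the view key off the device; a wallet that really keeps keys in the browser produces an empty list for the same capture.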
Following publication of our findings, the operator registered four escape domains across four different registrars to maintain operations in the event of takedown. We submitted identical evidence packages to all registrars. The results were as follows:
| Domain | Registrar | IANA ID | Action Taken |
|---|---|---|---|
| xmrwallet.cc | PublicDomainRegistry (PDR Ltd.) | 303 | SUSPENDED |
| xmrwallet.biz | WebNic.cc | 460 | SUSPENDED |
| xmrwallet.net | NICENIC International | 2225 | DNS DEAD (abuse action) |
| xmrwallet.com | NameSilo, LLC | 1479 | REFUSED TO ACT |
Three independent, ICANN-accredited registrars in three different jurisdictions reviewed the same evidence and independently concluded that enforcement action was warranted. NameSilo was the sole exception.
On March 4, 2026, NameSilo's abuse team responded to our report with the following position:
NameSilo provided zero technical evidence for this claim. No forensic report. No server logs. No timeline of the alleged breach. No identification of the alleged third party. No explanation of how malicious code was maintained across multiple domains, servers, and a Tor hidden service simultaneously for years.
Between February 16 and February 23, 2026, the xmrwallet.com operator emailed PhishDestroy directly from royn5094@protonmail.com. These communications occurred before we filed any abuse report with NameSilo. The operator's own words prove that no compromise occurred:
“We don't store seeds or keys, everything is done in your browser locally. Please remove your report. N.R.” From: royn5094@protonmail.com → PhishDestroy
Significance: First person (“we”). Defends the site as his own operation. No mention of any compromise or unauthorized access. Meanwhile, live network capture confirms session_key = Base64(private_view_key) transmitted to the server 40+ times per session.
“This is the data we need to offer the service.” From: royn5094@protonmail.com → PhishDestroy
Significance: Within 24 hours, the operator contradicts his own prior statement. Yesterday: “we don't store keys.” Today: “this is the data we need.” Still first person. Still no mention of any hack.
“Feel free to subpoena the domain registrar for my information to submit a complaint in the courts.” From: royn5094@protonmail.com → PhishDestroy
“I've hired a lawyer and a private investigator.”
“Trezor and Ledger also get their view keys.” From: royn5094@protonmail.com → PhishDestroy
Significance: Sent the same day xmrwallet.cc and xmrwallet.biz were suspended. The lawyer never materialized. The claim that “Trezor and Ledger also get view keys” is technically illiterate — Trezor is a hardware wallet with no server component. Still no mention of any compromise. Still defends the code as his own.
| Date | Event | Who mentioned “hack”? |
|---|---|---|
| Feb 16 | Operator emails: “We don't store keys” | Nobody |
| Feb 17 | Operator emails: “This is the data we need” | Nobody |
| Feb 17 | Operator emails: “Subpoena the registrar” | Nobody |
| Feb 23 | Operator emails: “I've hired a lawyer” | Nobody |
| Feb 23 | xmrwallet.cc and .biz SUSPENDED | Nobody |
| Mar 4 | NameSilo responds to abuse report | NameSilo |
The operator communicated with us four times. In every communication, he used first person, defended the code as his own creation, and never once referenced any hack, compromise, or unauthorized third-party access. The “compromise” narrative appeared for the first time on March 4 — in NameSilo's response. Not from the operator. From NameSilo.
At the time of our investigation, xmrwallet.com was flagged as malicious by multiple security vendors on VirusTotal, including Fortinet (Phishing), ESET, Sophos, and others. Following NameSilo's involvement, the operator initiated removal of these security classifications. NameSilo's “compromise” narrative was used as justification to request delisting from threat intelligence databases.
This constitutes active assistance in undermining the cybersecurity ecosystem's ability to protect users from a confirmed fraud operation.
We believe NameSilo's conduct violates the following provisions of the 2013 Registrar Accreditation Agreement:
The following evidence is publicly available and verifiable:
| Evidence | Location |
|---|---|
| Full technical investigation (code analysis, network captures) | https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/ |
| NameSilo cover-up analysis with operator email evidence | https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/posts/post-namesilo-xmrwallet-coverup.html |
| Archived deleted GitHub issues #35 and #36 | https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/deleted.html |
| VirusTotal classification (multiple vendors) | https://www.virustotal.com/gui/domain/www.xmrwallet.com |
| Medium article with full analysis | https://phishdestroy.medium.com/xmrwallet-com-2953f35b8a79 |
| GitHub repository with all evidence archived | https://github.com/phishdestroy/DO-NOT-USE-xmrwallet-com |
| Operator email screenshots (4 emails, Feb 16–23) | Available in the NameSilo cover-up analysis page above |
Operator email correspondence originals are preserved and can be provided to ICANN upon request with full headers for authentication.
We respectfully request that ICANN Contractual Compliance:
As cybersecurity professionals, we consider it our duty to escalate this matter. The evidence is unambiguous: the operator built this theft infrastructure, maintains it across multiple domains and a Tor hidden service, and has been stealing cryptocurrency from users since 2016. Three ICANN-accredited registrars independently confirmed this assessment. NameSilo not only failed to act but actively constructed a false narrative to protect the operator.
We do not make this complaint lightly. We have exhausted all available channels with NameSilo directly. Their abuse team's response was not negligent — it was deliberately protective of a confirmed fraud operation. The operator's own words, written before NameSilo's involvement, prove that the “compromise” story is a fabrication.
We are available for further discussion, evidence submission, or technical briefing at ICANN's convenience.
Respectfully submitted,