# xmrwallet.cc — SUSPENDED (Escape Domain)

> **xmrwallet.cc was a redirect domain for xmrwallet.com scam. Suspended by registrar after abuse reports.**

## What happened

After PhishDestroy published evidence of server-side TX hijacking and view key theft on xmrwallet.com, the operator registered **xmrwallet.cc** as an escape domain — a backup redirect in case the main domain gets taken down.

| Detail | Value |
|--------|-------|
| Domain | xmrwallet.cc |
| Registered | 2026-02-04 (same week as PhishDestroy publication) |
| Prepaid | **8 years** |
| Registrar | PublicDomainRegistry |
| Hosting | DDoS-Guard (Russia), AS57724 |
| IP | 185.129.100.248 |
| Status | **SUSPENDED** |

## Why it was registered

The timing speaks for itself:
- **2026-02-04**: xmrwallet.cc registered
- **2026-02-13**: PhishDestroy publishes Issue #35 (TX hijacking proof)
- The operator registered this domain **before** our publication went live — suggesting advance knowledge that exposure was coming

## DNS proof — same operator

xmrwallet.cc shared **identical infrastructure** with xmrwallet.com:
- Same MX records: mx1/mx2.privateemail.com
- Same NS records: ns1/ns2.ddos-guard.net
- Same WOT verification token: `8a5554c915e3c17278a7`

One inbox. One operator. Three domains.

## Current status

**SUSPENDED** by PublicDomainRegistry after abuse reports. 8-year prepayment wasted.

## Main investigation

- [Full Evidence](https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/)
- [Deleted Issues Archive](https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/deleted.html)
- [xmrwallet.com still active — report to abuse@namesilo.com](mailto:abuse@namesilo.com)

---

*Investigation by [PhishDestroy Research](https://github.com/phishdestroy)*