The XMRWallet Deception
How a sophisticated Monero theft operation stole over $20 million from thousands of victims while NameSilo actively protected the fraudulent domain.
Executive Summary
Critical Threat Alert
xmrwallet.com is an active Monero theft operation that has compromised thousands of wallets and stolen over $20 million since 2016.
Technical Mechanism
Systematic exfiltration of private view keys via session tokens enables real-time surveillance, while server-side transaction hijacking redirects funds to operator-controlled wallets.
NameSilo Complicity
Despite comprehensive evidence, NameSilo refuses to suspend the domain and actively assists the operator in suppressing security warnings.
Action Required
All users must immediately migrate to verified local wallet clients. Victims should preserve evidence and report to cybercrime authorities.
Technical Mechanism of Theft
The xmrwallet.com operation represents one of the most technically sophisticated and long-running cryptocurrency theft schemes documented in the privacy coin ecosystem.
Private View Key Exfiltration via Session Tokens
The cornerstone of xmrwallet.com's surveillance was the session_key parameter, which carried the wallet's private view key, Base64-encoded, to the operator's server on every authenticated request. Holding a private view key lets its holder see every incoming transaction to that wallet (though not spend from it) for as long as the address remains in use.
PhishDestroy's network capture documented 43 separate requests transmitting private view keys from a single test session.
Transaction Hijacking Mechanism
Client-signed transactions are deliberately discarded and replaced with server-constructed alternatives.
The excerpt quoted by the page from the production bundle (the argument list is elided in the original):

```javascript
signed_transaction = cnUtil.create_transaction(pubkeys, seckeys, ...);
// Signed TX is DISCARDED:
var raw_tx_and_hash = {};
raw_tx_and_hash.raw = 0; // <-- THE FRAUD. Client-signed TX is never used.
// Only metadata sent. Server builds its OWN transaction.
```

This constitutes explicit, intentional transaction hijacking: the client's signed transaction is thrown away, the server builds its own, and the server can set the destination to any Monero address the operator controls. Note that a valid Monero transaction can only be signed with the wallet's private spend key, so a server that substitutes its own transaction must also hold, or be able to obtain, that key; victims should therefore treat the entire seed as compromised, not only the view key.
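As an added example, not code from xmrwallet.com, its repository or PhishDestroy's capture: a fetch() wrapper that audits a web wallet for the two behaviours described above, the view key leaving the client in a session_key parameter and a broadcast request that does not contain the transaction the client signed. The endpoint name /submit_raw_tx, the JSON field names, the two Base64 forms searched for, and the sample requests are assumptions constructed for the demo; the throwaway key is not a real wallet's.

```javascript
// Added example, not the wallet's or PhishDestroy's code. Paste into a browser
// console as  window.fetch = makeAuditingFetch(window.fetch, viewKeyHex, state)
// or run stand-alone under Node >= 16 via runDemo(), which uses a stub server.

// Hex -> bytes. Monero private keys are 32 bytes, shown as 64 hex characters.
function hexToBytes(hex) {
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return out;
}

// The page says session_key carried the view key Base64-encoded but not in
// which form, so both plausible encodings are searched for (assumption).
function base64Forms(viewKeyHex) {
  return [
    btoa(String.fromCharCode(...hexToBytes(viewKeyHex))), // Base64 of the raw bytes
    btoa(viewKeyHex),                                      // Base64 of the hex text
  ];
}

// Wrap fetch. state.findings collects what was observed; set
// state.lastSignedTxHex from the wallet's own serialisation step before it
// submits, so the submitted body can be compared against it. The
// '/submit_raw_tx' endpoint and the 'tx' body field are assumptions.
function makeAuditingFetch(realFetch, viewKeyHex, state) {
  const needles = [viewKeyHex, ...base64Forms(viewKeyHex)];
  return function auditedFetch(url, init = {}) {
    const urlStr = String(url);
    let haystack = urlStr;
    try { haystack = decodeURIComponent(urlStr); } catch (_) { /* keep raw URL */ }
    const body = typeof init.body === 'string' ? init.body : '';
    haystack += '\n' + body;

    // 1. Does the view key (hex or Base64) leave the client in the URL or body?
    if (needles.some((n) => haystack.includes(n))) {
      state.findings.push({ kind: 'view_key_leak', url: urlStr });
    }

    // 2. On broadcast, is the transaction the client signed what is sent?
    if (urlStr.endsWith('/submit_raw_tx')) {
      let sent = {};
      try { sent = JSON.parse(body); } catch (_) { /* non-JSON body */ }
      if (!state.lastSignedTxHex || sent.tx !== state.lastSignedTxHex) {
        state.findings.push({ kind: 'signed_tx_not_submitted', url: urlStr, sent });
      }
    }
    return realFetch(url, init);
  };
}

// Stand-alone demonstration with constructed requests (no network).
function runDemo() {
  const viewKeyHex = '0f'.repeat(32);          // constructed throwaway key
  const state = { findings: [], lastSignedTxHex: null };
  const stubServer = (url, init) => Promise.resolve({ ok: true, url: String(url), init });
  const fetchAudited = makeAuditingFetch(stubServer, viewKeyHex, state);

  // Request shaped like the one the page describes: Base64 view key as session_key.
  const sk = encodeURIComponent(base64Forms(viewKeyHex)[0]);
  fetchAudited(`https://wallet.example/api/get_address_txs?session_key=${sk}`);

  // The client signs and serialises a tx (stand-in hex), but the submission
  // carries only metadata with raw set to 0, as in the quoted snippet.
  state.lastSignedTxHex = '020001' + 'ab'.repeat(32);
  fetchAudited('https://wallet.example/api/submit_raw_tx', {
    method: 'POST',
    body: JSON.stringify({ raw: 0, amount: '1000000000000', dest: 'operator-chosen-address' }),
  });
  return state.findings;   // two findings: view_key_leak, signed_tx_not_submitted
}
```

The wrapper only inspects what the page itself sends, so it works against any web wallet without reading its source; a clean wallet produces no findings, and a request that matches either needle is a view-key leak regardless of which parameter name the site uses.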
Operational Scale and Duration
- Registered August 29, 2016 with a 15-year prepaid plan running through 2031
- Real total likely 5x higher based on operating duration
- Based on service duration and user acquisition estimates
Codebase Deception Strategy
The operator maintained a deliberate divergence between the public GitHub repository and the production codebase: the public repository was frozen for 5.3 years (2018-2024) while the code actually served by the site kept changing. A practical check is to hash the JavaScript the site serves and compare it with a build of the published repository. The site describes itself as "open source" yet is hosted on DDoS-Guard, a provider widely characterised as bulletproof hosting.
Documented Victims and Reported Losses
Verified Victim Cases
15+ documented victims with specific loss amounts. 100+ Trustpilot reviews were deleted by the operator. The real victim count is estimated in the thousands.
Impact Beyond Financial Loss
Private view key exfiltration means the operator retains permanent visibility into all incoming transactions to affected wallets. Complete recovery requires generating an entirely new wallet and moving all funds to it.
The Operator: Nathalie Roy
Canadian national identified through multiple convergent evidence sources.
Primary Identifiers
- GitHub: nathroy (ID: 39167759)
- Reddit: u/WiseSolution (banned 2018)
- Email: royn5094@protonmail.com
False Claims
- Self-described as "volunteer"
- No verifiable donation infrastructure
- Zero evidence of compromise claim
- Contradicted by direct communications
Direct Email Communications (Feb 16-23, 2026)
- Operator speaks in the first person about wallet operations
- Claims "we are an open source wallet" and "this is how the website is run"
- At no point mentions any hack, compromise, or unauthorized access
- Self-incriminating statements made before any public exposure
These communications definitively establish operator control and intent.
Systematic Evidence Destruction
GitHub Issue Deletion Campaign
The operator systematically deleted 21+ GitHub Issues over an 8-year period. Issues #35 and #36 — containing comprehensive fraud documentation — were removed on February 23, 2026. The complete repository was wiped shortly after.
Evidence Preservation
Despite the deletion efforts, all evidence is preserved across IPFS (phishdestroy.eth.limo), GitHub, Codeberg, the Wayback Machine, GhostArchive, and multiple independent mirrors.
Escape Domain Strategy
Pre-registered Escape Domains
The operator registered multiple domains with 5-10 year prepaid plans — before exposure. All shared identical DDoS-Guard infrastructure, nameservers, MX records, and code hashes.
NameSilo's Complicity
4 Sentences. 4 Verifiable Lies.
NameSilo's March 13, 2026 public tweet claimed the domain was "compromised" (code hashes prove otherwise), denied receiving abuse reports (20+ delivery receipts exist), and committed to removing VirusTotal detections for a known drainer.
Active Suppression Campaign
Twitter/X Lock via Gold Checkmark
@Phish_Destroy was locked. X Support found "no violation", yet the lock persists.
VirusTotal Delisting
A registrar helping a scammer remove security vendor detections. Not investigate. Remove.
Bing Search Removal
All phishdestroy.io results removed from Bing.
Recommended Actions
For Victims
1. Migrate to a verified wallet (getmonero.org, featherwallet.org)
2. Generate a new seed; the old one is permanently compromised
3. Transfer all funds to the new address (restore the old seed in the verified client and sweep from there, not through the website)
4. Preserve evidence (screenshots, TX IDs, dates)
5. Report to law enforcement and ICANN
6. Contact abuse@phishdestroy.io