Active Investigation — 2026-02-18

DO NOT USE XMRWALLET.COM

Confirmed: your private Monero view key is transmitted to their server on every API request. Transaction destination addresses are substituted server-side. 15+ documented victims. $2M+ estimated stolen. Operating since 2016.

40+ requests leaking viewkey
15+ confirmed victims
$2M+ estimated stolen
4 Google trackers
Full Technical Breakdown

HOW THE ATTACK WORKS — STEP BY STEP

Every step documented with real captured traffic. From the moment you enter your key to the moment funds disappear.

01
You enter address + viewkey — both sent to server in plaintext
CRITICAL

The site asks for your wallet address and private view key "for syncing". Both are sent in plaintext via POST to their PHP server. No client-side encryption. Visible in DevTools → Network tab.

// POST https://www.xmrwallet.com/auth.php
address = 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88UKCuraauhmbYBK2YzDX76E46KQHAKYV9a63vokJb
viewkey = efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
isnew   = 0
// Private key transmitted. Server has it. Game over.
02
session_key encodes your private key — re-sent on every request
KEY EXFIL

Server returns a session_key — not a random token. It contains your address and private view key encoded in Base64, re-sent to the server 40+ times per session.

// session_key = [blob]:[base64(address)]:[base64(viewkey)]
part[2] = ZWZiYTEzZWNiOGIzNjA2NjBhM2Rj...
  ↓ base64_decode()
= efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
↑↑↑ YOUR PRIVATE VIEW KEY. IN PLAINTEXT. ↑↑↑

python3 -c "import base64; print(base64.b64decode('ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA==').decode())"
03
Your key reaches the server on every action — 40+ times per session
LEAK ×40

Every balance check, transaction view, page reload — your private view key is transmitted again. Includes an automatic request to /support_login.html with a different session_id not initiated by you.

POST /getheightsync.php     viewkey ×12
POST /gettransactions.php   viewkey ×10
POST /getbalance.php        viewkey ×6
POST /getsubaddresses.php   viewkey ×4
POST /getoutputs.php        viewkey ×3
POST /support_login.html    viewkey   session_id=8de50123dab32   ← BACKDOOR, not user-initiated
04
Transactions hijacked server-side — raw_tx_and_hash.raw = 0
TX HIJACK

Client builds a transaction but the result is discarded (raw_tx_and_hash.raw = 0). Only metadata sent to server, which builds its own transaction and redirects funds to any address.

raw_tx_and_hash.raw = 0                ← TX discarded, never broadcast from client
if(type == 'swept') {                  ← server-initiated theft marker
    txid = 'Unknown transaction id'    ← UI obfuscation
}
05
4 Google trackers watch every move inside your wallet
PRIVACY

Google Tag Manager allows the operator to push any JavaScript without changing source code or committing to GitHub. Auditing the repo is useless — real code loads from GTM.

GET googletagmanager.com/gtm.js ×12               — arbitrary JS
GET google-analytics.com/analytics.js             UA-116766241-1
GET region1.analytics.google.com/g/collect ×5     — GA4
GET stats.g.doubleclick.net/g/collect             ad tracker — zero reason here
06
Verify it yourself — 3 independent methods
VERIFY
// METHOD 1: F12 → Network → filter auth.php → viewkey in Request Payload

// METHOD 2: Decode your own session_key (Python; session_key is the value returned by auth.php)
import base64
parts = session_key.split(":")
print(base64.b64decode(parts[2]).decode())

// METHOD 3: Our captured traffic — run this now:
python3 -c "import base64; print(base64.b64decode('ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA==').decode())"
// OUTPUT: efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
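The check behind Methods 1 and 2, written out as an added Python example (not code from the original page or from the xmrwallet.com project): it decodes a session_key of the [blob]:[base64(address)]:[base64(viewkey)] layout shown in step 02 and then tallies, per endpoint, how many captured requests carry the view key in plaintext or inside that token, the way step 03 counts them. The address, view key and request lines are constructed sample values, and request bodies are assumed to be plain form-encoded strings as seen in the DevTools Network tab.

```python
import base64
import binascii
import re
from collections import Counter

HEX_KEY = re.compile(r"^[0-9a-f]{64}$")  # a Monero private view key is 32 bytes = 64 hex chars


def decode_session_key(session_key):
    """Split a token of the form [blob]:[base64(address)]:[base64(viewkey)]
    and return (blob, address, viewkey). Raises ValueError when the token
    does not carry a decodable address / view key pair."""
    parts = session_key.split(":")
    if len(parts) != 3:
        raise ValueError("expected three colon-separated parts")
    try:
        address = base64.b64decode(parts[1], validate=True).decode("ascii")
        viewkey = base64.b64decode(parts[2], validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"parts are not base64 text: {exc}") from exc
    if not HEX_KEY.match(viewkey):
        raise ValueError("third part does not decode to a 64-hex-char key")
    return parts[0], address, viewkey


def find_key_leaks(requests, viewkey):
    """Count per endpoint how many captured requests carry the private view key,
    either as a plaintext 'viewkey' field or inside an encoded 'session_key'.
    requests: iterable of (method, path, form-encoded body) tuples."""
    leaks = Counter()
    for method, path, body in requests:
        fields = dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)
        leaked = fields.get("viewkey") == viewkey
        if not leaked and "session_key" in fields:
            try:
                leaked = decode_session_key(fields["session_key"])[2] == viewkey
            except ValueError:
                pass  # token in some other format: not evidence of a leak
        if leaked:
            leaks[f"{method} {path}"] += 1
    return dict(leaks)


# Constructed sample values (not a real wallet): address-shaped string and 64-hex key.
SAMPLE_ADDRESS = "4" + "A" * 94
SAMPLE_VIEWKEY = "ab" * 32
SAMPLE_SESSION_KEY = ":".join([
    "blob0123",
    base64.b64encode(SAMPLE_ADDRESS.encode()).decode(),
    base64.b64encode(SAMPLE_VIEWKEY.encode()).decode(),
])

# Constructed capture mirroring the request pattern described in steps 01-03.
SAMPLE_REQUESTS = [
    ("POST", "/auth.php", f"address={SAMPLE_ADDRESS}&viewkey={SAMPLE_VIEWKEY}&isnew=0"),
    ("POST", "/getbalance.php", f"session_key={SAMPLE_SESSION_KEY}"),
    ("POST", "/getbalance.php", f"session_key={SAMPLE_SESSION_KEY}"),
    ("POST", "/gettransactions.php", f"session_key={SAMPLE_SESSION_KEY}"),
    ("GET", "/version.json", ""),  # carries no key material, must not be counted
]

if __name__ == "__main__":
    print(decode_session_key(SAMPLE_SESSION_KEY))
    for endpoint, n in sorted(find_key_leaks(SAMPLE_REQUESTS, SAMPLE_VIEWKEY).items()):
        print(f"{endpoint}: view key sent {n}×")
```

To run it against a real session, replace SAMPLE_REQUESTS with the method, path and request body of each entry exported from the Network tab and SAMPLE_VIEWKEY with the key you entered.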
Finding #2 — Operator Profile

THE OPERATOR & THE COVER-UP

8 years of operation. 5.3-year GitHub blackout. Banned from Reddit. 50+ paid articles. A "volunteer project" with zero donation wallet.

// GitHub commit history:
2018-05-10   v1 First release (f2d33d1)       ← create_transaction, looks open-source
2018-11-06   Bulletproof Update               ← last real commit
2018-11 ——————————————————————————————— 2024-03   ZERO COMMITS (5.3 YEARS)
  ↑ Production site actively updated. session_key added. Theft infrastructure evolved. ↑
  Wayback Machine 2023: ZERO references to session_key in archived pages.
2024-03-15   v0.18.0.0 "2024 updates"         ← sanitized dump, PHP backend excluded
current      v0.18.4.1 production             ← additional changes NOT in GitHub
👤 Operator Identified
GitHub: nathroy (ID: 39167759). Support page: "Nathalie Roy created XMRWallet". admin@xmrwallet.com. Reddit: u/WiseSolution. Personally responds to every Trustpilot negative review with the "sync problem" deflection script.
🚫 Banned from r/Monero
Account u/WiseSolution banned from r/Monero after self-promotion attempts in 2018. The community flagged suspicious patterns early. Operation continued through other channels.
🗑️ GitHub Issues Deleted
Issue #13: "This issue has been deleted" — removed by repo owner. Multiple subsequent theft reports also deleted. Active evidence suppression since 2018.
🎭 "Sync Problem" Script
Standard response to theft reports: direct victim to Monero CLI to "check balance." Funds are already gone by then. Used consistently since 2018 — identical template across Trustpilot, Reddit, GitHub.
📰 Irony: Scam Warning Blog Post
The xmrwallet.com blog publishes an article: "5 Crypto Scams You Should Know About" — written to appear legitimate while operating a confirmed scam.
🔒 Domain Paid Until 2031
Registered 2016 via NameSilo, paid through 2031. 15-year commitment. This is not an abandoned side project. Long-term active infrastructure investment.
"Volunteer Project Funded by Donations" — With No Donation Wallet
Donation wallet address: NONE                              ← nowhere on site, nowhere on GitHub
Hosting: IQWEB (IQWeb FZ-LLC) — $550+/month custom plan    ← bullet-proof, abuse-resistant
50+ paid articles on crypto media exchanges                ← bulk purchase, many with sponsored labels
PhishDestroy contacted all 50+ publishers                  ← majority removed articles upon notification
100+ blog posts across 7 pages of SEO content
10 languages (en, fr, ru, zh, jp, it, nl, de, pt, es)
DDoS-Guard CDN — paid protection (on top of IQWEB)
Android app (XMRWallet/Android repo)
Active Trustpilot management with personal responses
// Legitimate volunteer open-source projects don't bulk-purchase sponsored articles.
// Legitimate privacy tools use GitHub Pages or IPFS — free and auditable.
// No donation wallet + $550/month hosting = the money comes from stolen XMR.
The Infrastructure Choice That Exposes Everything
// Legitimate privacy projects use free, verifiable, censorship-resistant hosting:
GitHub Pages              → $0/month        TornadoCash, many privacy tools
IPFS / Cloudflare Pages   → $0/month        decentralized, no single point of failure
Self-hosted VPS           → ~$5–20/month
// xmrwallet.com chose:
IQWEB (IQWeb FZ-LLC)      → $550/month custom plan (discontinued)
  ← abuse-resistant, offshore, ignores takedown requests
  ← specifically marketed to operations that NEED to stay online
  ← + DDoS-Guard CDN on top (additional cost)
// Question: why does a "free volunteer project with no donation wallet"
// pay $550+/month for bullet-proof hosting instead of GitHub Pages?
// Answer: because the site needs to stay online despite abuse reports.
💸 The Cost Reality
IQWEB custom plan: $550+/month · DDoS-Guard CDN · NameSilo domain · Android app maintenance · 10-language site · 50+ paid articles · Trustpilot management.

Annual infrastructure cost estimate: $8,000–$15,000+
Donation wallet: does not exist
🧅 Privacy Projects Don't Fear GitHub
TornadoCash, Monero itself, Feather Wallet, countless privacy tools — all use GitHub + free hosting with no problem.

xmrwallet.com avoids GitHub Pages, avoids IPFS, pays for offshore bullet-proof hosting. The reason is obvious: they need to survive abuse reports, not avoid censorship.
🎭 Trusts Google, Not GitHub
Loads 4 Google trackers inside your wallet (GTM, GA, GA4, DoubleClick).
Refuses to host on GitHub Pages — where every change is public and auditable.

"Privacy-focused Monero wallet" that trusts Google's ad network more than open-source infrastructure.
External Threat Intelligence
VirusTotal
Multiple vendors flag www.xmrwallet.com. virustotal.com →
ScamAdviser — Low Trust
357 complaints. Low trust score. Pattern consistent with documented crypto theft operations.
IOCs
TYPE                  VALUE                                     NOTES
Domain                xmrwallet.com                             NameSilo, paid until 2031
Tor                   xmrwalletdatuxms.onion                    Historical
IP                    186.2.165.49                              DDoS-Guard subsidiary AS59692
MX                    mail.privateemail.com                     Namecheap private email
Cookies               __ddg8_, __ddg9_, __ddg10_, __ddg1_       DDoS-Guard tracking
GitHub                nathroy (ID: 39167759)                    5.3yr commit gap — facade repo
Email                 admin@xmrwallet.com                       also: support@, feedback@
Reddit                u/WiseSolution                            Banned from r/Monero
session_key           [blob]:[b64_address]:[b64_viewkey]        Key exfiltration vector
raw_tx_and_hash.raw   = 0                                       TX discarded client-side
type == 'swept'       server TX marker                          Theft signature
/support_login.html   session_id=8de50123dab32                  Operator backdoor
⚠ 8 Years. $2M+. Zero Accountability.

Operating since 2016. GitHub facade with 5.3-year commit gap. 50+ paid SEO articles, zero donation wallet. Banned from r/Monero 2018. Deletes GitHub evidence. Directs theft victims to CLI wallets where they find empty balances. Conservative estimate: 10,000–50,000+ accounts over 8 years. Total stolen: 5,000–50,000+ XMR ($1.5M–$15M+ at historical prices).

Finding #3

GOOGLE WATCHES YOUR WALLET

A "private" Monero wallet loading 4 Google trackers. Every page inside your wallet reported to Google.

🏷️ Google Tag Manager — 12 requests
Loads arbitrary JS from Google. Operator can push new code at any time — no source changes, no commits. Auditing GitHub is useless.
📊 Google Analytics UA — 12 requests
UA-116766241-1. Records every page visit: IP, browser, session duration.
📈 Google Analytics 4 — 5 requests
Enhanced measurement: scrolls, clicks, navigation inside wallet.
🎯 DoubleClick — 1 request
Advertising tracker. Zero legitimate reason in a financial tool.
Finding #4 — Victim Reports

DOCUMENTED VICTIMS

Collected from Trustpilot, Sitejabber, Reddit, BitcoinTalk. Operator response to every report is identical: "you used a phishing clone."

"I do deposit 590 monero 2 day gone and they steal it! Please ban this site and FBI need arest it!"
590 XMR (~$177,000) · Sitejabber
"I followed the owner's instructions [...] only to realize that my 17.44 XMR was all gone. I have both the TxID & TX Key."
17.44 XMR · Trustpilot — TxID documented
"This site is a scam, it worked good at first. One day i tried to move all funds out — it transferred to some other wallet instead of mine."
Funds redirected · Trustpilot
"They stole $200 from me, leaving me high and dry. Don't trust them with a single cent!"
$200 · Trustpilot
"Create wallet - put 20 xmr next day 0 xmr. Scammers owner!"
20 XMR overnight · Sitejabber
"I cannot verify the transaction using the private viewing key. Waiting for support response for several days."
Funds inaccessible · Trustpilot · TxID: bd1e596d...
Legal Analysis

TERMS OF SERVICE vs REALITY

xmrwallet.com Terms of Service (last updated September 27, 2021) make 5 specific technical claims about how the service works. Every single one is contradicted by observed network behavior.

§4 · SERVICES
"The view key of your account is temporarily stored in memory by the service which enables it to determine any transactions concerning to your account."
LIE
// What they claim
"temporarily stored in memory"

Implies the view key exists only client-side in RAM during the session. Standard behavior for a legitimate light wallet.

// What actually happens
session_key = [blob]:[base64(address)]:[base64(viewkey)]

The view key is Base64-encoded into session_key and transmitted to xmrwallet.com servers on every single API request — 40+ times per session across 6 different endpoints. This is not "in memory". This is active exfiltration.

§4 · SERVICES
"The service (XMRWallet) do not know or store your private key. This means that it is cryptographically impossible for our company to spend funds on your behalf."
FALSE
// What they claim
"cryptographically impossible for our company to spend funds on your behalf"

Standard non-custodial wallet guarantee. If true, even a compromised server cannot move your funds.

// What actually happens
raw_tx_and_hash.raw = 0
if(type == 'swept') { ... }

The client builds a transaction locally — then discards it (raw = 0). Only metadata is sent to the server. The server constructs its own transaction and broadcasts it. The type='swept' marker indicates server-initiated fund transfer. The claim of cryptographic impossibility is directly contradicted by the production code.

Source: JavaScript deobfuscation · GitHub Issue #36
§4 · SERVICES
"You authorize our company to submit your requested transaction to the blockchain according with the instructions you provide."
MISLEADING
// What they claim
"your requested transaction"

Implies the transaction broadcast is exactly what you constructed and authorized — standard relay behavior.

// What actually happens
// client TX → discarded (raw=0)
// server TX → broadcast instead

The transaction broadcast to the Monero network is not your transaction. It is a transaction constructed server-side using your metadata. The destination address can be anything the server chooses. You never signed the transaction that gets broadcast.

Source: Network traffic analysis · Production JS deobfuscation
§6 · ASSUMPTION OF RISK
"XMRWallet is not responsible for any losses... arising from... third-party attacks or other third-party activities."
COVER
// What they claim
"third-party attacks"

Standard liability disclaimer — reasonable protection against external hackers, network failures, etc.

// Legal function
// victim reports stolen funds
// xmrwallet: "third-party attack"
// → not our problem

When victims lose funds and report to xmrwallet.com support, the response is invariably "sync problem" or "third-party issue". This clause is pre-positioned legal cover for theft the operator controls. 15+ documented victims received this response.

Source: Trustpilot reviews · Sitejabber reports · GitHub Issue #36
§14 · ARBITRATION + FOOTER
Arbitration contact: lr@xmrwallet.com — Footer: "does not keep any records of your transactions"
CONTRADICTIONS
// lr@xmrwallet.com
"Notices to company may be sent to lr@xmrwallet.com"

Legal arbitration contact. Not the same as admin@, support@, or feedback@. The initials lr likely correspond to operator initials — potentially Loi Roy or a variant of Nathalie Roy's legal name. Separately, operator contacted PhishDestroy from royn5094@protonmail.com.

// "No records" + 4 trackers
"does not keep any records of your transactions"

Footer claim directly contradicted by 4 active Google tracking scripts inside the wallet UI: GTM · UA-116766241-1 · GA4 · DoubleClick. Google Tag Manager alone allows pushing arbitrary tracking code to all users without any code changes. Every wallet session generates analytics events sent to Google.

Source: URLQuery report — 12× GTM requests · 12× GA requests · 5× GA4 requests · 1× DoubleClick
Terms of Service archived from https://www.xmrwallet.com/terms.html — last updated by operator: September 27, 2021. Full page archived at web.archive.org →
Take Action

REPORT & GET HELP

Document everything: wallet address, TxID, TX Key, timestamps, screenshots. Do NOT pay any "recovery service" — that is a second scam targeting victims.

Law Enforcement
🇺🇸 United States · FBI: Internet Crime Complaint Center (ic3.gov)
🇺🇸 United States · FTC: Consumer Fraud Report (reportfraud.ftc.gov)
🇬🇧 United Kingdom · NFIB: Action Fraud (actionfraud.police.uk)
🇪🇺 European Union: Europol Cybercrime (europol.europa.eu)
🇨🇦 Canada · RCMP: Canadian Anti-Fraud Centre (antifraudcentre.ca)
🌐 International: Interpol Cybercrime (interpol.int)
Takedown Reports — Domain & Hosting
Google Safe Browsing (safebrowsing.google.com): blocks in Chrome · Firefox · Safari
Netcraft (report.netcraft.com): used by ISPs & registrars
PhishTank (phishtank.org): community blocklist
Phish.Report (phish.report): auto-reports to 6+ platforms
Microsoft Defender (microsoft.com/wdsi): blocks in Edge · SmartScreen
Spamhaus (spamhaus.org): ISP & email blocklists
📧 Domain Registrar: NameSilo Abuse (abuse@namesilo.com)
📧 Hosting Provider: DDoS-Guard Abuse (abuse@ddos-guard.net)
Evidence Thread: GitHub Issue #36 (github.com/XMRWallet/Website/issues/36)
Web3 Security: Security Alliance (SEAL) (securityalliance.org)
Blockchain Intelligence: Chainalysis (chainalysis.com)
URL Scanners & Threat Intelligence Tools

Use these tools to analyze xmrwallet.com yourself and share results as additional evidence.

VirusTotal (virustotal.com): 80+ AV engines
urlscan.io (urlscan.io): DOM · network · screenshot
URLQuery (urlquery.net): network behavior
Phish.Report Analysis (phish.report/analysis): auto-takedown
CheckPhish (Bolster AI) (checkphish.bolster.ai): AI phish detection
Criminal IP (criminalip.io): IP · domain intel
IsItPhish (isitphish.com): ML phish classifier
Phishs.com (phishs.com): phishing lookup
Bitdefender Link Checker (bitdefender.com): AV engine
Norton Safe Web (safeweb.norton.com): reputation score
PolySwarm (polyswarm.network): decentralized threat intel
Symantec Site Review (sitereview.bluecoat.com): web filtering
Sucuri SiteCheck (sitecheck.sucuri.net): malware scan
Quttera (quttera.com): malware scanner
ThreatMiner (threatminer.org): OSINT · passive DNS
DNSDumpster (dnsdumpster.com): DNS · subdomain recon
ScamAdviser (scamadviser.com): trust score · reviews
Use These Instead — Verified Safe Wallets
FULL NODE WALLETS — Your keys, your node, maximum privacy

Keys never leave your device. You connect to your own Monero node or a trusted remote node. Most private option.

Monero GUI / CLI (getmonero.org/downloads) · Windows · Linux · macOS
✓ Official release by the Monero core team. Full node included. Source on GitHub. Maximum trustlessness.
Feather Wallet (featherwallet.org) · Windows · Linux · macOS · Tor
Lightweight desktop. Built-in Tor, no analytics, reproducible builds, open source. ✓ Recommended
MOBILE WALLETS — Open source, remote sync

These wallets share your view key with a remote node for fast sync — faster and lighter than full node, slightly reduced privacy.

Monerujo (monerujo.app) · Android
Android-only, open source, available on F-Droid. One of the oldest and most battle-tested Monero mobile wallets.
Cake Wallet (cakewallet.com) · Android · iOS
Most popular Monero mobile wallet. Open source, multi-coin (XMR, BTC, LTC, ETH). ✓ Recommended
Stack Wallet (stackwallet.com) · Android · iOS · Windows · Linux · macOS
Multi-platform, multi-coin. Open source, privacy-focused, Tor support built-in.
Unstoppable Wallet (unstoppable.money) · Android · iOS
Open source, non-custodial. Supports XMR, BTC, ETH and many others. Clean UI.
Monfluo (codeberg.org/acx/monfluo) · Android
Lightweight Android wallet. Minimal permissions, open source, hosted on Codeberg (not GitHub).
ANONERO (.onion — Tor required) · Android · Tor only
Maximum anonymity Android wallet. Accessible via Tor browser only. Advanced users.
Edge Wallet (edge.app) · Android · iOS
Multi-coin wallet with client-side key encryption. Keys never leave device unencrypted.
HARDWARE WALLETS — Air-gapped key storage

Private keys stored on a dedicated hardware device and never exposed to the host machine. Most secure option for large amounts.

Ledger (support.ledger.com/article/360006352934-zd →)
Nano S        →  Monero GUI · CLI · Feather
Nano S Plus   →  Monero GUI · CLI · Cake Wallet · Feather
Nano X        →  Monero GUI · CLI · Feather · Monerujo
Trezor (trezor.io/learn/supported-assets/monero-xmr-on-trezor →)
Model T       →  Monero GUI · Feather
Safe 3        →  Monero GUI · Feather
Safe 5        →  Monero GUI · Feather
Rule #1: Any wallet that asks for your private spend key or seed phrase on a website = instant scam.
View key sharing with a remote node is normal in light wallets — but xmrwallet.com embeds your view key into every API request 40+ times and uses it to redirect your transactions.
// Legal · Disclaimer · Notice to Operator
Sources & Methodology. All information published on this page was obtained exclusively from publicly available sources: archived web pages (Wayback Machine), public GitHub repositories and commit history, public WHOIS records, URLQuery passive DNS reports, VirusTotal community submissions, Trustpilot and Sitejabber public reviews, Reddit public posts, Google Analytics tag metadata, and independent browser-based network traffic analysis performed by PhishDestroy researchers. No systems were accessed without authorization. No private data was obtained. All network requests documented herein were initiated from a standard browser session during normal use of the publicly accessible xmrwallet.com service. Complete raw session logs and captured network traffic are archived and available upon request to law enforcement and security researchers.
Purpose. This publication is made in the public interest for the purpose of informing Monero users of a documented security threat. PhishDestroy is a volunteer security research organization operating under principles consistent with responsible disclosure. Prior to publication, the operator was contacted and given the opportunity to respond, correct, or refute any findings. No substantive technical response was provided.
Notice to the Operator — nathroy / Nathalie Roy.

We received your email from royn5094@protonmail.com — an address that does not appear anywhere on xmrwallet.com, which is interesting given that your "official" contact is admin@xmrwallet.com. We assume Namecheap's ProtonMail is more comfortable for communications you'd prefer weren't associated with the main domain.

We gave you the opportunity to explain the technical findings before publication. Instead of providing a legitimate technical rebuttal — which would have been trivial if the site were actually open-source and non-malicious — you chose to assert that our research was false and demand removal.

Demanding removal of factual security research does not constitute a legal basis for takedown. Publishing documented evidence of financial fraud is not defamation. Every claim on this page is sourced, reproducible, and archived.

If you choose to pursue legal action, DMCA complaints, hosting abuse reports, or any other attempt to suppress this research:
— All archived evidence will be re-published across additional platforms (IPFS, Tor, archive.org)
— Every legal communication will be published in full as additional documentation
— Law enforcement referrals already in progress will be escalated
— Each attempt at suppression will be published as a news item via PhishDestroy channels

The most rational decision available to you at this point is to take xmrwallet.com offline. We have documented 15+ victims publicly. There are likely hundreds more who never reported. The site has been operating since 2016. The math on your exposure is not favorable.

You were warned. You chose to write instead of stop. We documented that too.