
Is xmrwallet.com Safe? No. Here's the Technical Proof.

By PhishDestroy Research · Published February 24, 2026 · Updated February 24, 2026
VERDICT: NOT SAFE

xmrwallet.com is a confirmed Monero theft service. Do not use it under any circumstances.

If you are searching for whether xmrwallet.com is safe, the answer is unequivocally no. This is not speculation, opinion, or hearsay. PhishDestroy Research has conducted a full forensic analysis of the xmrwallet.com service and documented three independent categories of proof that it is a theft operation: code-level evidence, victim documentation, and behavioral evidence from the operator's response to exposure.

Proof Category 1: The Code Steals Your Keys

Private View Key Theft via session_key

Every API request xmrwallet.com makes to its server includes a parameter called session_key. Forensic analysis reveals that this session_key is not a random session token — it is your private view key encoded in base64.

// What xmrwallet.com sends to its server:
session_key = base64_encode(your_private_view_key)

// Verification:
base64_decode(session_key) === private_view_key  // TRUE

This means the operator receives your private view key with every request. Base64 is an encoding, not encryption, so the transmitted key can be trivially decoded. A legitimate wallet service would never transmit your private view key to its server in any form.

Transaction Hijacking via raw_tx_and_hash

When you send Monero through xmrwallet.com, the server response includes a raw_tx_and_hash field. In a legitimate wallet, this contains the signed transaction hex. On xmrwallet.com:

raw_tx_and_hash.raw = "0"

A value of "0" cannot be a valid Monero transaction. The server is not relaying your transaction — it is discarding it and substituting its own, sending your funds to the operator's wallet while displaying a fake confirmation to you.
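Both checks described above can be run against traffic captured from your own browser session. The following is an added example, not code from xmrwallet.com or from PhishDestroy Research: it tests whether any request parameter decodes to the view key and whether raw_tx_and_hash.raw could be a serialized transaction. The function names, the sample capture and the 64-byte size floor are assumptions, and because the page does not say whether the key is encoded as hex text or as raw bytes, both forms are checked.

```javascript
// Added example: audit captured wallet API traffic for the two behaviours described above.
// All function names and sample values are constructed for illustration.

// Decode standard or URL-safe base64; return null when the value is not base64.
function decodeBase64(value) {
  const s = String(value).replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (s.length === 0 || !/^[A-Za-z0-9+/]+$/.test(s) || s.length % 4 === 1) return null;
  return Buffer.from(s, "base64");
}

// Return the names of request parameters whose value carries the private view key.
// Assumption: the key may be encoded as its 64-character hex text or as its raw 32 bytes.
function findViewKeyLeaks(params, viewKeyHex) {
  const hex = viewKeyHex.toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hex)) throw new Error("view key must be 64 hex characters");
  const leaks = [];
  for (const [name, value] of Object.entries(params)) {
    const text = String(value);
    const decoded = decodeBase64(text);
    const asText = decoded ? decoded.toString("latin1").trim().toLowerCase() : "";
    const asHex = decoded ? decoded.toString("hex") : "";
    if (text.toLowerCase() === hex || asText === hex || asHex === hex) leaks.push(name);
  }
  return leaks;
}

// A serialized transaction is hex-encoded bytes: even length, hex digits only.
// Assumption: 64 bytes is a conservative floor; real transactions are far larger.
function looksLikeSerializedTx(raw, minBytes = 64) {
  return typeof raw === "string" && raw.length % 2 === 0 &&
    raw.length >= minBytes * 2 && /^[0-9a-fA-F]+$/.test(raw);
}

// Constructed capture: a throwaway key and a request/response shaped like the page's fields.
const sampleViewKey = "0123456789abcdef".repeat(4);
const sampleRequest = {
  address: "4-constructed-address",
  session_key: Buffer.from(sampleViewKey, "utf8").toString("base64"),
  nonce: "c29tZS1yYW5kb20tdG9rZW4=",
};
const sampleResponse = { raw_tx_and_hash: { raw: "0" } };

console.log("parameters carrying the view key:", findViewKeyLeaks(sampleRequest, sampleViewKey));
console.log("response holds a plausible transaction:",
  looksLikeSerializedTx(sampleResponse.raw_tx_and_hash.raw));
```

Run it with a throwaway wallet's key and parameters exported from the browser's network panel; a genuinely random session token will not decode to the key in either form.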

Proof Category 2: 15+ Documented Victims, $2M+ Stolen

Independent of the code analysis, there is a substantial body of victim reports. PhishDestroy Research has documented more than 15 individual victims who reported losing Monero through xmrwallet.com. The total estimated losses exceed $2 million USD. The operation has been active since at least 2016.

Victim reports follow a consistent pattern:

| Stage | What the User Sees | What Actually Happens |
|---|---|---|
| Login | Wallet loads normally | Private view key is sent to operator's server |
| Deposit | Balance appears correctly | Operator can now monitor all incoming funds |
| Send | "Transaction sent" confirmation | Funds redirected to operator's wallet; raw_tx = "0" |
| After | Balance drops to zero | All funds have been stolen |

Proof Category 3: The Operator's Guilty Behavior

After PhishDestroy Research published its findings, the operator's response was not to defend the service or provide counter-evidence. Instead, the operator:

  1. Deleted 21+ GitHub issues containing victim reports and community discussions
  2. Wiped repository content from the GitHub repo to prevent independent code analysis
  3. Registered escape domains (xmrwallet.cc and xmrwallet.biz) to continue operations under new names
  4. Sent threatening emails via ProtonMail to researchers, attempting to suppress the investigation
  5. Claimed to be a "volunteer" rather than addressing any of the technical evidence

Both escape domains were subsequently suspended by their registrars after being reported. The operator's Reddit account, u/WiseSolution, was banned from r/Monero.

VirusTotal and Security Scanner Flags

Multiple security scanning services have flagged xmrwallet.com. VirusTotal results show detections from various security vendors classifying the domain as malicious or phishing-related. These independent automated assessments corroborate the manual forensic analysis conducted by PhishDestroy Research.

When multiple independent sources — code analysis, victim reports, operator behavior, and automated security scanners — all point to the same conclusion, that conclusion is not in doubt.

Frequently Asked Questions

Is xmrwallet.com open source?

The operator claims xmrwallet.com is open source, but the code deployed on the live site does not match any public repository. After exposure, the repository content was wiped. An "open source" claim is meaningless when the server runs different code than what is published, and the operator deletes the repository when caught.

Does xmrwallet.com work at all?

Deposits may appear to work initially. The scam is designed to look functional so that users trust it with larger amounts. The theft occurs during withdrawal or when the operator decides to drain the wallet using the stolen keys.

Is any web wallet safe for Monero?

Web wallets are inherently riskier than desktop or hardware wallets because they require trusting a server with key material. Even a well-intentioned web wallet can be compromised. For Monero specifically, use the official GUI/CLI wallet, Feather Wallet, or Cake Wallet.

What should I do if I used xmrwallet.com?

Assume your keys are compromised. Create a completely new wallet using trusted software (not a web wallet) and transfer any remaining funds to the new wallet immediately. Do not reuse any seed phrase or key that was ever entered into xmrwallet.com.

The bottom line: xmrwallet.com is not safe. It has never been safe. The code steals your private view key, the server hijacks your transactions, and the operator destroys evidence when caught. Use the official Monero wallet from getmonero.org instead.
