NameSilo Lied About xmrwallet.com — Operator's Own Emails Prove It

Q: Did NameSilo lie about xmrwallet.com?

Yes. NameSilo claimed xmrwallet.com was 'compromised' (hacked by a third party). The operator's own emails to PhishDestroy, written before NameSilo got involved, prove he defended the site's code as his own. He never mentioned a hack. The compromise story was fabricated after NameSilo needed an excuse to close the abuse case.

Q: Why did NameSilo protect the xmrwallet operator?

Unknown. Three other registrars (PDR, WebNic, and the .net registrar) suspended or killed the operator's domains after reviewing the same evidence. NameSilo was the only one that refused to act and instead called the operator 'the victim.' The operator told PhishDestroy to 'subpoena the registrar' before any abuse report was filed — suggesting he knew NameSilo would protect him.

Q: How to file an ICANN complaint against NameSilo?

File a complaint at https://www.icann.org/compliance/complaint. Include: the domain (xmrwallet.com), NameSilo as registrar, the evidence that 3 other registrars suspended operator's domains, and NameSilo's fabricated 'compromise' response. Reference PhishDestroy's published investigation.

Q: Is NameSilo a good registrar?

NameSilo's abuse team sided with a confirmed phishing operator against evidence that led 3 other registrars to take action. They fabricated a 'compromise' story without evidence, helped the operator remove VirusTotal security warnings, and ignored technical proof of credential theft. Consider this when choosing a registrar.

By PhishDestroy Research · Published March 16, 2026 · Medium · dev.to

NameSilo shielding xmrwallet.com operator from accountability — 3 registrars suspended, NameSilo refused

SUMMARY: NameSilo claimed xmrwallet.com was "compromised" — hacked by a third party. The operator's own emails to PhishDestroy, written before NameSilo got involved, prove the "hack" story was fabricated. Three other registrars suspended the operator's domains after reviewing the same evidence. NameSilo was the only one that refused — and then wrote a cover story.

Why This Matters

Our investigation started because of what the code does: session_key = Base64(private_view_key) exfiltrates your Monero private view key on every API request. raw_tx_and_hash.raw = 0 discards the client-built transaction so the server can build its own and redirect funds. type == 'swept' is a custom theft marker not found anywhere in the Monero protocol.

xmrwallet.com session_key = Base64(private_view_key) exfiltration proof from network capture

We published the technical evidence. The operator's domains started getting suspended. That's when NameSilo entered the picture — not as a neutral registrar, but as the operator's press secretary.

This page documents what NameSilo did, what the operator said, and why the two stories cannot coexist.

Three Registrars Suspended. One Refused.

We sent the same evidence package to all four registrars managing the operator's domains. Three acted. One didn't.

Domain	Registrar	Action
xmrwallet.cc	PublicDomainRegistry (PDR)	SUSPENDED
xmrwallet.biz	WebNic.cc	SUSPENDED
xmrwallet.net	NICENIC	DNS DEAD
xmrwallet.com	NameSilo	"The registrant is the victim"

Three registrars suspended xmrwallet domains vs NameSilo refusing to act

Same evidence. Same technical proof. Three independent registrars in three different countries reached the same conclusion: this is a phishing/scam domain. NameSilo not only disagreed — they went further and invented a story to justify inaction.

NameSilo's Position: "The Site Was Compromised"

NameSilo's abuse team responded to our report by claiming xmrwallet.com was "compromised" — meaning hacked by an unauthorized third party. According to NameSilo:

The malicious code was not placed by the operator
The operator is "the victim" of a compromise
Therefore, no action should be taken against the domain

NameSilo provided zero technical evidence for this claim. No forensic report. No server logs. No timeline of the alleged breach. No explanation of how the "hack" happened or when. Just an assertion.

But here's the problem: the operator's own emails to us prove this story is a lie.

The Operator's Own Words

Between February 16 and February 23, 2026, the xmrwallet.com operator emailed PhishDestroy directly from royn5094@protonmail.com. These emails were sent before we contacted NameSilo, before any abuse report was filed with them, and before the "compromise" story existed.

Every email proves the same thing: the operator built this code, defends this code, and runs this site. There was no hack.

Email #1 — February 16, 2026

2026-02-16

From: Operator (royn5094@protonmail.com) → PhishDestroy

"We don't store seeds or keys, everything is done in your browser locally. Please remove your report. N.R."

ANALYSIS: First person — "we." Defends the site as his own. No mention of any compromise. Meanwhile, live traffic capture shows session_key = Base64(private_view_key) transmitted to the server 40+ times per session across 8 PHP endpoints. Nothing is "local."

xmrwallet operator email February 16 claiming keys are not stored

Email #2 — February 17, 2026 (first)

2026-02-17

From: Operator → PhishDestroy

"This is the data we need to offer the service."

ANALYSIS: 24 hours after claiming "we don't store keys," now admits "this is the data we need." Contradicts himself within one day. Still first person. Still "we." Still no hack mentioned.

Email #3 — February 17, 2026 (second)

2026-02-17

From: Operator → PhishDestroy

"Feel free to subpoena the domain registrar for my information to submit a complaint in the courts."

CRITICAL: This is the line that changes everything. Written February 17 — before we contacted NameSilo. Before any abuse report was filed. Before the "compromise" story existed. A scammer operating on $550/month bulletproof hosting behind DDoS-Guard does not invite registrar scrutiny unless he already knows the registrar will protect him.

xmrwallet operator email February 17 admitting data collection and telling us to subpoena registrar

Email #4 — February 23, 2026

2026-02-23

From: Operator → PhishDestroy

"I've hired a lawyer and a private investigator."
"Trezor and Ledger also get their view keys."

ANALYSIS: Sent the same day xmrwallet.cc and xmrwallet.biz were suspended. Panic mode. The lawyer never appeared. "Trezor and Ledger also get view keys" is technically illiterate — Trezor is a hardware wallet with no server. Still no mention of any hack or compromise. Still defends the code as his own work.

PhishDestroy Response

"Subpoena the Registrar" — Why This Line Matters

On February 17, the operator wrote: "Feel free to subpoena the domain registrar."

Think about this carefully:

This was written before we filed any abuse report with NameSilo
This was written before the "compromise" story existed
This was written by an operator running $550/month bulletproof hosting behind DDoS-Guard specifically to avoid takedowns

A scam operator running offshore infrastructure does not casually invite registrar involvement — unless he already knows the registrar will side with him.

He didn't say "subpoena the hosting provider" (DDoS-Guard, offshore, won't cooperate). He didn't say "contact law enforcement." He specifically said "subpoena the registrar" — NameSilo — with complete confidence that this would go nowhere.

Three days later, we filed the abuse report. NameSilo called him "the victim."

He already knew.

The "Compromise" Story: Fabricated After the Fact

Let's lay out the timeline:

Date	Event	Who said "hack"?
Feb 16	Operator: "We don't store keys"	Nobody
Feb 17	Operator: "This is the data we need"	Nobody
Feb 17	Operator: "Subpoena the registrar"	Nobody
Feb 23	Operator: "I've hired a lawyer"	Nobody
Feb 23	.cc and .biz SUSPENDED	Nobody
Mar 4	NameSilo responds to abuse report	NameSilo

The operator emailed us four times. In every single email, he used first person: "we are," "this is how the website is run," "this is the data we need." He defended the code. He defended the data collection. He never once mentioned a hack, a compromise, an unauthorized third party, or anything resembling the story NameSilo later told.

xmrwallet operator registered escape domains xmrwallet.cc and xmrwallet.biz — both suspended

The "compromise" narrative appeared for the first time on March 4 — in NameSilo's response. Not from the operator. From NameSilo.

NameSilo invented the "hack" story after the fact, after three other registrars had already suspended the operator's domains, to justify keeping xmrwallet.com online.

What NameSilo Did Beyond Refusing to Act

NameSilo didn't just ignore the abuse report. They actively helped the operator:

Fabricated the "compromise" narrative without any technical evidence
Called the operator "the victim" despite technical proof of credential theft
Helped remove VirusTotal security warnings flagged by Fortinet, ESET, Sophos, and others
Ignored evidence from 3 other registrars who reviewed the same material and suspended
Provided cover that the operator clearly anticipated ("subpoena the registrar")

This is not negligence. This is active assistance.

xmrwallet operator deleted 21+ GitHub issues containing victim reports — evidence cached by PhishDestroy

NameSilo's "Compromise" vs. the Operator's Emails

NameSilo claims	Operator's emails say
Site was "compromised" by third party	"We are an open source wallet" (first person)
Operator is "the victim"	"This is how the website is run" (defends code)
Malicious code was injected	"This is the data we need" (admits data collection)
Operator unaware of theft	"Subpoena the registrar" (knew NameSilo would protect him)
No prior abuse reports	Operator banned from r/Monero in 2018. 21+ deleted GitHub issues. 8 years of victim reports.

Every claim NameSilo made is contradicted by the operator's own words.

The Question NameSilo Needs to Answer

Who is this operator to NameSilo?

Employee?
Contractor?
Friend of support staff?
Relative?

Because he told us "subpoena the registrar" like a man who already had their answer. Three registrars suspended him. NameSilo wrote him a defense.

Coincidence doesn't explain this.

VirusTotal: Security Companies vs. NameSilo

At the time of publication, xmrwallet.com is flagged by multiple security vendors on VirusTotal:

Fortinet — classified as Phishing
ESET — flagged
Sophos — flagged
Multiple additional vendors

Fortinet is a Fortune 500 cybersecurity company with a dedicated threat research lab. Their classification is based on automated and manual analysis.

NameSilo's position is that their abuse team knows better than Fortinet's threat lab, ESET's malware researchers, and Sophos's security analysts — combined.

And they have zero evidence to support that position.

What You Can Do

File an ICANN Complaint Against NameSilo

NameSilo's abuse team is compromised or complicit. Bypass them. Report directly to ICANN.

File ICANN Complaint →

In your complaint, include:

Domain: xmrwallet.com
Registrar: NameSilo LLC
That 3 other registrars suspended the operator's domains based on the same evidence
That NameSilo fabricated a "compromise" story without evidence
That the operator's own emails contradict NameSilo's claims
Link to this investigation: https://phishdestroy.github.io/DO-NOT-USE-xmrwallet-com/

Additionally:

Report to Google Safe Browsing: safebrowsing.google.com
Report to Netcraft: report.netcraft.com
Email NameSilo abuse team: abuse@namesilo.com and support@namesilo.com

Conclusion

We've proven that NameSilo's abuse team intentionally lied in their public response. The operator's own emails — written before NameSilo got involved — contradict every claim they made.

NameSilo is covering for this operator. The reason is theirs to explain.

Our job was the evidence. It's done. It's permanent. It's public.

What happens next is between NameSilo, the operator, and the victims they both created.