Nathalie Roy and xmrwallet.com: The Operator Behind the Monero Theft Ring
Behind every scam is an operator. Behind xmrwallet.com — a confirmed Monero theft service that has stolen over $2 million from more than 15 documented victims — the operator has been identified as Nathalie Roy. This article compiles the publicly available evidence connecting Nathalie Roy to xmrwallet.com and documents the pattern of behavior exhibited after the scam was exposed by PhishDestroy Research.
Operator Profile: Nathalie Roy
| Name | Nathalie Roy |
|---|---|
| GitHub Username | nathroy |
| Reddit Username | u/WiseSolution (banned from r/Monero) |
| Communication | ProtonMail (used to send threats to researchers) |
| Self-Description | Claims to be a "volunteer" |
| Primary Domain | xmrwallet.com |
| Escape Domains | xmrwallet.cc, xmrwallet.biz (both suspended) |
| Active Since | At least 2016 |
| Estimated Theft | $2M+ from 15+ documented victims |
The GitHub Trail: nathroy
The xmrwallet.com GitHub repository was maintained under the username nathroy. This account was the primary committer to the repository, the administrator of the issue tracker, and the person who responded to user inquiries and bug reports. The nathroy account is the central technical identity connected to the xmrwallet.com project.
After PhishDestroy Research published its forensic analysis demonstrating that xmrwallet.com steals private view keys and hijacks transactions, the nathroy account took the following actions on GitHub:
- Deleted over 21 issues from the repository, including victim reports, transaction failure complaints, and community security discussions
- Wiped repository content, removing code that could be independently analyzed to confirm the theft mechanisms
- Did not provide any technical rebuttal to the findings — no counter-analysis, no audit, no explanation
The deletion of issues is particularly significant. These were not the operator's own posts — they were reports filed by victims and community members. Deleting other people's issue reports is an act of evidence destruction, not repository maintenance.
The Reddit Connection: u/WiseSolution
On Reddit, the xmrwallet.com operator used the account u/WiseSolution to promote the service in Monero-related subreddits. This account recommended xmrwallet.com to users asking for wallet advice, posted about xmrwallet.com features, and defended the service against early criticisms.
The u/WiseSolution account was ultimately banned from r/Monero, the primary Monero community on Reddit. A ban from the largest Monero subreddit is a significant action taken by moderators who had sufficient evidence of malicious behavior. The ban prevented the operator from continuing to promote xmrwallet.com directly to the Monero community.
Escape Domains: Planning to Continue Under New Names
After the investigation was published, the operator registered two new domains: xmrwallet.cc and xmrwallet.biz.
The registration of escape domains is a calculated move by an operator who anticipated that the primary domain might face suspension or blocking. It reveals forward planning: the operator did not intend to stop stealing Monero, only to move the operation to new addresses.
Both xmrwallet.cc and xmrwallet.biz were reported to their respective domain registrars by PhishDestroy Research and community members. Both registrars took action to suspend the domains, cutting off the planned escape routes. However, the primary domain xmrwallet.com remains active at the time of this writing and continues to pose a danger to users.
ProtonMail Threats: Intimidation Over Evidence
After the investigation was published, the operator sent threatening communications via ProtonMail to researchers involved in the exposure. The choice of ProtonMail — an encrypted email service based in Switzerland — is consistent with an operator attempting to communicate without creating easily traceable records.
The content of these communications included threats aimed at pressuring researchers to remove the investigation findings. Rather than providing technical counter-evidence or submitting to an independent audit, the operator chose intimidation. This response pattern is consistent with guilt: an innocent operator would welcome scrutiny and provide evidence of legitimacy, not threaten those asking questions.
The "Volunteer" Defense
In communications, the operator has described themselves as a "volunteer" working on xmrwallet.com without compensation. This claim requires scrutiny for several reasons:
- A "volunteer" does not steal $2M+ in Monero. The code-level evidence demonstrates deliberate theft mechanisms. The `session_key` base64 encoding of private view keys and the `raw_tx_and_hash.raw = "0"` transaction hijacking are not bugs — they are purposefully engineered theft tools.
- A "volunteer" does not delete victim reports. Removing 21+ GitHub issues from victims who lost money is not volunteer behavior. It is evidence tampering.
- A "volunteer" does not register escape domains. Setting up `xmrwallet.cc` and `xmrwallet.biz` as fallback operations is business continuity planning for a theft operation, not volunteer work.
- A "volunteer" does not send threats. Threatening researchers via encrypted email is the behavior of someone protecting a revenue stream, not someone donating their time.
The "volunteer" defense is a social engineering tactic designed to generate sympathy and deflect accountability. It should be understood as another deception from an operator whose entire project is built on deception.
Pattern of Behavior: The Complete Picture
When the evidence is assembled chronologically, a clear operational pattern emerges:
- Build trust (2016-2025): Operate xmrwallet.com as a seemingly functional web wallet, building a user base through search engine presence and community promotion via `u/WiseSolution` on Reddit.
- Steal silently: Harvest private view keys through the `session_key` mechanism and hijack transactions through the `raw_tx_and_hash` manipulation. Delay draining wallets to obscure the connection to the service.
- Suppress complaints: When victims report issues on GitHub, respond with deflections or silence. Maintain the appearance of a functioning project.
- Destroy evidence when exposed: When forensic analysis proves the theft mechanisms, delete all victim reports, wipe the repository, and remove any public record of complaints.
- Prepare escape routes: Register new domains to continue operations under different addresses when the primary domain faces action.
- Intimidate: Send threats to researchers to suppress the investigation through fear rather than through evidence.
This is not the behavior of a misunderstood volunteer. It is the operational playbook of a long-running theft operation that has adapted to exposure by destroying evidence, fleeing to new domains, and threatening those who exposed the truth.
All Investigation Mirrors
- phishdestroy.github.io/DO-NOT-USE-xmrwallet-com
- phishdestroy.codeberg.page/DO-NOT-USE-xmrwallet-com
- phishdestroy.gitlab.io/do-not-use-xmrwallet-com
- phishdestroy.bitbucket.io/DO-NOT-USE-xmrwallet-com
- phishdestroy-research.on.drv.tw/DO-NOT-USE-xmrwallet-com
- phishdestroy.neocities.org/DO-NOT-USE-xmrwallet-com