xmrwallet.com Operator Deletes Evidence After Being Caught Stealing Monero

By PhishDestroy Research · Published February 24, 2026 · Updated February 24, 2026

When a legitimate service is accused of wrongdoing, the operator responds with transparency: they publish audits, open their code, and address concerns publicly. When xmrwallet.com was exposed as a Monero theft service by PhishDestroy Research, the operator did the opposite. Within hours, over 21 GitHub issues were deleted, repository content was wiped, and escape domains were registered. This article documents the full timeline of the cover-up and explains why the destruction of evidence is itself a damning admission of guilt.

What Was Deleted: 21+ GitHub Issues Erased

The xmrwallet.com GitHub repository previously contained a public issue tracker where users could report bugs, ask questions, and — critically — document their experiences. Over the years, more than 21 issues had accumulated from victims reporting stolen funds, failed transactions, and suspicious behavior. These issues constituted a public, timestamped record of the scam's impact.

After PhishDestroy Research published its technical analysis demonstrating how xmrwallet.com steals private view keys through the session_key parameter and hijacks transactions by returning raw_tx_and_hash.raw = "0", the operator moved swiftly to erase the evidence.

The deleted issues included:

Every single issue was deleted. Not closed — deleted. Closing an issue archives it but keeps it publicly visible. Deletion removes it entirely. This distinction matters: the operator did not want these reports to be readable at all, even as historical records.

The Deletion Timeline

Phase 1: Investigation Published
PhishDestroy Research publishes the full technical analysis of xmrwallet.com, documenting the session_key exfiltration and transaction hijacking mechanisms. The report includes code analysis, victim testimonies, and proof of the theft operation.

Phase 2: GitHub Issues Deleted
Within hours of the publication, the operator begins deleting GitHub issues. More than 21 issues containing victim reports and community discussions are permanently removed from the repository. The issue tracker, previously containing years of evidence, is wiped clean.

Phase 3: Repository Content Wiped
The operator goes further, wiping substantive content from the GitHub repository itself. Commit history and code that could be analyzed for malicious behavior are removed or obscured.

Phase 4: Escape Domains Registered
The operator registers xmrwallet.cc and xmrwallet.biz as fallback domains, anticipating that the original xmrwallet.com domain may face action. These domains are intended to continue the theft operation under new addresses.

Phase 5: Escape Domains Suspended
Both xmrwallet.cc and xmrwallet.biz are identified and reported. The domain registrars suspend both domains, cutting off the operator's planned escape routes.

Phase 6: ProtonMail Threats
The operator sends threatening messages via ProtonMail to researchers, attempting to intimidate them into removing the investigation. The operator claims to be a "volunteer" and denies all findings despite the technical evidence.

Why Deletion Is an Admission of Guilt

An innocent operator would welcome scrutiny. If xmrwallet.com were a legitimate service experiencing false accusations, the rational response would be to leave the issue tracker intact, point to the open-source code as proof of innocence, and publicly address each technical finding. Instead, the operator chose to:

  1. Destroy evidence: Deleting victim reports removes the easiest way for new users to discover the scam before becoming victims themselves.
  2. Prevent analysis: Wiping the repository removes code that could be independently audited to confirm or deny the findings.
  3. Prepare to flee: Registering new domains is not the behavior of someone who believes they will be exonerated. It is the behavior of someone planning to continue operations under a different name.
  4. Threaten researchers: Sending threats via anonymous email is an attempt to suppress the investigation through intimidation rather than through evidence.

Each of these actions is consistent with guilt and inconsistent with innocence. Taken together, they form a textbook pattern of evidence destruction and operational flight.

The Archival Record

Despite the operator's efforts, the evidence was not entirely destroyed. PhishDestroy Research had archived the GitHub issues, repository content, and victim reports before the deletion began. Web archiving services captured snapshots of the repository. The deleted content exists in multiple independent archives and is referenced in the full investigation report.

This is an important lesson for scam operators: the internet has a memory. Deleting a GitHub issue does not delete the cached copies, email notifications, RSS snapshots, or archived versions that were created automatically by multiple services the moment the content was published. The act of deletion did not protect the operator. It only added "evidence destruction" to the list of documented offenses.

What This Means for Current and Former Users

If you have ever used xmrwallet.com: Your private view key was stolen the moment you logged in. Your funds may be at risk even if they have not yet been taken. Create a new wallet using the official Monero software from getmonero.org and transfer your funds immediately.

The deletion of evidence does not change the technical reality of how xmrwallet.com operates. The session_key still encodes your private view key in base64. The server still returns raw_tx_and_hash.raw = "0" instead of valid transaction data. These mechanisms were documented through code analysis, not through GitHub issues, and they remain fully proven regardless of what the operator deletes.
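
The two mechanisms named above can be checked against traffic captured from your own browser session. The following is an added example, not code from PhishDestroy Research or from the site: it assumes only what this article states (session_key carries the view key in base64, and the transaction response has raw_tx_and_hash.raw set to "0"); the function names, the delimiter handling and all sample values are constructed for illustration.

```python
import base64
import binascii
import json
import re

# Constructed sample values; the article does not give the real session_key layout.
SAMPLE_VIEW_KEY = "1a2b3c4d" * 8  # 64 hex chars, the size of a Monero private view key
SAMPLE_SESSION_KEY = "nonce123:" + base64.b64encode(
    b"constructed-address:" + SAMPLE_VIEW_KEY.encode()).decode()
SAMPLE_TX_RESPONSE = '{"raw_tx_and_hash": {"raw": "0"}}'


def _decoded_segments(value):
    """Yield base64-decoded bytes for the whole value and each delimited part."""
    for part in {value, *re.split(r"[^A-Za-z0-9+/=_-]+", value)}:
        if len(part) < 8:
            continue
        padded = part + "=" * (-len(part) % 4)
        for decode in (base64.b64decode, base64.urlsafe_b64decode):
            try:
                yield decode(padded)
            except (binascii.Error, ValueError):
                continue


def leaks_view_key(session_key, view_key_hex):
    """True if session_key, once base64-decoded, contains the private view key."""
    as_text = view_key_hex.lower().encode()   # key sent as hex text
    as_bytes = bytes.fromhex(view_key_hex)    # key sent as raw 32 bytes
    return any(as_text in d.lower() or as_bytes in d
               for d in _decoded_segments(session_key))


def is_placeholder_tx(response_body):
    """True if the response carries raw_tx_and_hash.raw == "0", not a real transaction."""
    try:
        body = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    if not isinstance(body, dict) or not isinstance(body.get("raw_tx_and_hash"), dict):
        return False
    return body["raw_tx_and_hash"].get("raw") == "0"


if __name__ == "__main__":
    print("view key in session_key:", leaks_view_key(SAMPLE_SESSION_KEY, SAMPLE_VIEW_KEY))
    print("placeholder transaction:", is_placeholder_tx(SAMPLE_TX_RESPONSE))
```

A positive result from leaks_view_key on a request your browser sent means the key has already left your machine, so the wallet should be treated as exposed.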

The operator's response to exposure — destroy, flee, threaten — should be understood as the final confirmation that xmrwallet.com is exactly what the investigation claims it to be: a theft service masquerading as a Monero wallet.
