xmrwallet.com Scam Exposed: How a Fake Monero Wallet Steals Your Crypto
For years, xmrwallet.com has presented itself as a free, open-source Monero web wallet. In reality, it is a sophisticated theft operation that has been silently siphoning Monero from users since at least 2016. This article details the exact technical mechanism xmrwallet.com uses to steal your cryptocurrency, based on forensic analysis conducted by PhishDestroy Research.
The Theft Mechanism: How xmrwallet.com Steals Your Monero
The xmrwallet.com scam operates through two coordinated attack vectors that work together to give the operator complete control over your funds. Neither attack is visible to the average user, making this one of the more insidious crypto theft schemes documented to date.
Attack Vector 1: Private View Key Exfiltration via session_key
When you log into xmrwallet.com, the site generates a value called session_key that is sent to the server with every API request. On a legitimate Monero wallet, a session identifier would be a random token with no cryptographic significance. On xmrwallet.com, the session_key is your private view key encoded in base64.
This was confirmed through direct analysis:
// The session_key sent to xmrwallet.com servers:
session_key = base64_encode(private_view_key)
// Decoding the session_key reveals the raw private view key:
base64_decode(session_key) === private_view_key // TRUE
Your private view key allows anyone who possesses it to see every incoming transaction to your wallet, monitor your balance in real time, and track all deposits. The operator of xmrwallet.com harvests this key the moment you log in. You do not need to send a transaction for the theft of your view key to occur.
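The following is an added example, not PhishDestroy Research's own tooling: a small audit routine that takes the request fields a web wallet sends and checks whether any of them, read as plain text, hex, base64 or URL-safe base64, decodes to your private view key. The request shape and the view key below are constructed for illustration; a real check would use the key your wallet shows you and the fields captured from your browser's network tab.

```python
"""Added example: audit a web wallet's outbound request fields for leaked
key material (not PhishDestroy Research's tooling; the request shape and
the key below are constructed for illustration)."""
import base64
import binascii


def _candidate_decodings(value: str):
    """Yield (encoding, bytes) for the plausible ways a token may wrap a secret."""
    yield "plain", value.encode()
    try:
        yield "hex", bytes.fromhex(value)
    except ValueError:
        pass
    padded = value + "=" * (-len(value) % 4)
    for label, altchars in (("base64", None), ("base64url", b"-_")):
        try:
            yield label, base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            pass


def leaked_fields(request_fields: dict, private_view_key_hex: str) -> dict:
    """Return {field_name: encoding} for every field that decodes to the key."""
    key_bytes = bytes.fromhex(private_view_key_hex)
    # The key may be wrapped either as its raw 32 bytes or as the hex string
    # wallets display; match both.
    secrets = {key_bytes, private_view_key_hex.lower().encode()}
    hits = {}
    for name, value in request_fields.items():
        if not isinstance(value, str):
            continue
        for encoding, decoded in _candidate_decodings(value):
            if decoded in secrets:
                hits[name] = encoding
                break
    return hits


# Constructed view key: 32 bytes, hex-encoded as Monero wallets display it.
VIEW_KEY_HEX = bytes(range(32)).hex()

# Constructed request mimicking the pattern the article describes:
# session_key is nothing more than base64(private view key).
LEAKY_REQUEST = {
    "session_key": base64.b64encode(VIEW_KEY_HEX.encode()).decode(),
    "address": "4Constructed...",
}

# Constructed request from a wallet that uses an opaque random session token.
HONEST_REQUEST = {
    "session_key": "n0xkq2lG9rVpH7yTbQsUwZ-cJ3aM5dE8fL1oR6iA4eB",
    "address": "4Constructed...",
}

if __name__ == "__main__":
    print(leaked_fields(LEAKY_REQUEST, VIEW_KEY_HEX))   # {'session_key': 'base64'}
    print(leaked_fields(HONEST_REQUEST, VIEW_KEY_HEX))  # {}
```

A legitimate session identifier should never decode to anything you recognise; the moment a field matches your view key under any of these encodings, the server has your key, regardless of what the field is called.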
Attack Vector 2: Server-Side Transaction Hijacking
The second attack vector is even more destructive. When you attempt to send Monero through xmrwallet.com, the site constructs the transaction on its server. The response includes a field called raw_tx_and_hash. In a legitimate wallet, this field would contain the signed transaction data ready for broadcast to the Monero network.
On xmrwallet.com, the server returns:
raw_tx_and_hash.raw = "0"
A raw transaction value of "0" is not a valid Monero transaction. It is impossible for this value to represent any real transfer of funds. What happens instead is that the server constructs its own transaction using the keys it has already stolen, redirecting your funds to a wallet controlled by the operator. The site then displays a fake "transaction sent" confirmation to the user.
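As an added example (not PhishDestroy Research's code, and not anything xmrwallet.com ships), here is the kind of structural check a client could run on a server-built raw_tx_and_hash object before trusting it. It rejects the "0" value the article reports, a blob too short to be a Monero transaction, a blob that does not begin with a known transaction version byte, and a missing or malformed hash. The companion "hash" key, the 512-byte floor, and the sample responses are assumptions constructed for the example; an empty problem list only means the blob is shaped like a transaction, not that it pays the intended recipient.

```python
"""Added example: sanity-check a server-built Monero transaction before
broadcasting it (not PhishDestroy Research's tooling; the response shape
follows the raw_tx_and_hash field the article describes, and the companion
"hash" key is an assumption)."""
import re

HEX_BYTES = re.compile(r"(?:[0-9a-fA-F]{2})+")
TX_HASH = re.compile(r"[0-9a-f]{64}")
# Assumption: any real Monero RingCT transaction is far larger than this floor.
MIN_TX_BYTES = 512


def check_raw_tx(response: dict) -> list:
    """Return a list of reasons not to broadcast; an empty list means the blob
    is at least structurally plausible (it says nothing about the destination)."""
    problems = []
    payload = response.get("raw_tx_and_hash")
    if not isinstance(payload, dict):
        return ["response has no raw_tx_and_hash object"]
    raw = payload.get("raw")
    if not isinstance(raw, str) or not HEX_BYTES.fullmatch(raw):
        problems.append(f"raw is not a hex-encoded byte string: {raw!r}")
    else:
        blob = bytes.fromhex(raw)
        if len(blob) < MIN_TX_BYTES:
            problems.append(
                f"raw is only {len(blob)} bytes, far too short for a Monero transaction"
            )
        # A serialized transaction starts with its varint version; 1 and 2 are
        # the only versions in use.
        if blob[:1] not in (b"\x01", b"\x02"):
            problems.append(f"raw starts with unknown transaction version byte 0x{blob[0]:02x}")
    tx_hash = payload.get("hash")
    if not isinstance(tx_hash, str) or not TX_HASH.fullmatch(tx_hash):
        problems.append("hash is not a 32-byte lowercase hex digest")
    return problems


# The response the article reports from xmrwallet.com.
SCAM_RESPONSE = {"raw_tx_and_hash": {"raw": "0"}}

# Constructed stand-in for a plausible response: a version-2 prefix followed
# by filler bytes, plus a constructed 32-byte hash. Not a valid transaction,
# only shaped like one, to show what passes the structural checks.
PLAUSIBLE_RESPONSE = {
    "raw_tx_and_hash": {
        "raw": (b"\x02" + bytes(range(256)) * 3).hex(),
        "hash": "ab" * 32,
    }
}

if __name__ == "__main__":
    for label, resp in (("scam", SCAM_RESPONSE), ("plausible", PLAUSIBLE_RESPONSE)):
        print(label, check_raw_tx(resp))
```

The deeper point is that no client-side check can make a server-built transaction safe: once the server holds the keys, it can produce a perfectly well-formed transaction to any address it likes. The value of a check like this is only that it turns the silent "0" into a visible refusal instead of a fake confirmation.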
Why Victims Don't Notice Immediately
The scam is designed to delay detection. After the operator steals view keys, they do not necessarily drain funds immediately. Some victims reported that their wallet appeared functional for days or weeks before funds disappeared. This delay serves multiple purposes: it makes it harder for victims to pinpoint when the theft occurred, it disconnects the theft from the act of logging in, and it allows the operator to accumulate more targets before any public warnings emerge.
The fake transaction confirmations are another layer of deception. When a user sends Monero and sees a confirmation on xmrwallet.com, they believe the transaction was successful. It may take hours or days for them to realize the recipient never received the funds and that their balance has been drained to a different address entirely.
The Scale of the Theft: $2M+ Stolen
PhishDestroy Research has documented more than 15 victims across GitHub issue reports, Reddit threads, and direct communications. The total confirmed and estimated losses exceed $2 million USD in stolen Monero. The operation has been active since at least 2016, making it one of the longest-running Monero theft services ever documented.
Victim reports consistently describe the same pattern:
- Funds deposited to an xmrwallet.com address appear to arrive normally
- The user attempts to send Monero to another address
- The site shows a transaction confirmation
- The recipient never receives the funds
- The wallet balance drops to zero
The Operator: Nathalie Roy
The operator behind xmrwallet.com has been identified as Nathalie Roy, operating under the GitHub username nathroy and the Reddit account u/WiseSolution (banned from r/Monero). After PhishDestroy Research published its findings, the operator deleted 21+ GitHub issues containing victim complaints, wiped repository content, and registered escape domains xmrwallet.cc and xmrwallet.biz — both of which were subsequently suspended by their registrars.
How to Protect Yourself
The single most important action you can take is to never use xmrwallet.com or any of its mirror domains. If you have already used it, assume your keys are compromised. Create a new wallet using a trusted client and transfer any remaining funds immediately.
Use only verified, open-source Monero wallets:
- Official Monero GUI/CLI from getmonero.org
- Feather Wallet — a lightweight desktop Monero wallet
- Cake Wallet — a trusted mobile Monero wallet
Never trust a web-based wallet with your Monero. The fundamental design of web wallets requires sending key material to a server, creating an inherent point of trust that xmrwallet.com has exploited for nearly a decade.
All Investigation Mirrors
- phishdestroy.github.io/DO-NOT-USE-xmrwallet-com
- phishdestroy.codeberg.page/DO-NOT-USE-xmrwallet-com
- phishdestroy.gitlab.io/do-not-use-xmrwallet-com
- phishdestroy.bitbucket.io/DO-NOT-USE-xmrwallet-com
- phishdestroy-research.on.drv.tw/DO-NOT-USE-xmrwallet-com
- phishdestroy.neocities.org/DO-NOT-USE-xmrwallet-com