ACTIVE INVESTIGATION  ·  TLP:CLEAR  ·  IANA #1479  ·  ICANN Filed · Mar 18, 2026

NameSilo, LLC
Registrar Abuse Investigation

5,269,357 domains scanned  ·  Complete zone file census  ·  PhishDestroy Research

Domains scanned: 5,269,357
Dead or parked: 87.3%
Malicious (PG-shielded): 183,419
Estimated victim losses: $10–20M
Abuse reports — ignored: 20+

Investigation Reports

All reports are based on the complete NameSilo zone file — no sampling. Raw data available as gzip archives in pkg/raw_data/.

Zone Scan Report
Full investigation: methodology, HTTP scan pipeline, IOC breakdown, server fingerprint cluster analysis, chain of custody. SHA-256 verified.
5,269,357 domains  ·  2-phase scanner

Favicon Cluster Analysis
12 operator clusters identified via MurmurHash3 favicon fingerprinting. Identical favicon = identical operator. 328,230-domain single-server network.
12 clusters  ·  MurmurHash3

IOC Domain List
107,252 confirmed criminal domains — fully searchable with country flags, favicons, and abuse categories. Filter by type, country, or keyword.
107,252 IOCs  ·  searchable

PrivacyGuardian Shield
183,419 malicious domains registered with NameSilo and shielded by PrivacyGuardian.org — NameSilo's own WHOIS privacy service. The registrar owns both.
183,419 malicious  ·  25+ feeds

Review Manipulation
129 Trustpilot reviews deleted in 4 months. Bot review network. Victim reports suppressed. NameSilo and xmrwallet both published on PR Newswire same day.
129 deleted  ·  Jan–May 2026

GitHub Evidence Repository
SHA-256 verified screenshots, full investigation dossier, operator intelligence, case documents, raw scan data. MIT licensed for legal/regulatory use.
github.com/phishdestroy/namesilo-evidence
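
The favicon clustering described under Favicon Cluster Analysis, as an added example that is not the investigation's own scanner code. It assumes the hash is taken over the newline-wrapped base64 of the icon (the convention used by internet-wide scanners), and it adds an `ignore` set for stock icons shared by unrelated sites; the domains and icon bytes are constructed.

```python
import base64
from collections import defaultdict

M32 = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & M32

def murmur3_32(data, seed=0):
    """MurmurHash3 x86 32-bit, returned as a signed int."""
    h = seed & M32
    full = len(data) & ~3                     # bytes covered by whole 4-byte blocks
    for i in range(0, len(data), 4):
        k = int.from_bytes(data[i:i + 4], "little")
        k = (_rotl((k * 0xCC9E2D51) & M32, 15) * 0x1B873593) & M32
        h ^= k
        if i < full:                          # the 1-3 byte tail skips this step
            h = (_rotl(h, 13) * 5 + 0xE6546B64) & M32
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon_bytes):
    # Assumption: hash the newline-wrapped base64 of the icon body; the page
    # names MurmurHash3 but does not state the input encoding.
    return murmur3_32(base64.encodebytes(icon_bytes))

def cluster_by_favicon(observations, ignore=frozenset(), min_size=2):
    """Group domains by favicon hash; `ignore` holds hashes of stock icons."""
    groups = defaultdict(set)
    for domain, icon in observations:
        if icon:                              # skip failed or empty fetches
            groups[favicon_hash(icon)].add(domain)
    return {h: sorted(d) for h, d in groups.items()
            if len(d) >= min_size and h not in ignore}

# Constructed sample: byte strings stand in for fetched favicon.ico bodies.
ICON_A, ICON_B, STOCK = b"\x00\x00\x01\x00kit-a", b"\x00\x00\x01\x00kit-b", b"\x00\x00\x01\x00cms"
SAMPLE = [("a1.example", ICON_A), ("a2.example", ICON_A), ("b1.example", ICON_B),
          ("c1.example", STOCK), ("c2.example", STOCK), ("dead.example", b"")]

if __name__ == "__main__":
    for h, domains in cluster_by_favicon(SAMPLE, ignore={favicon_hash(STOCK)}).items():
        print(h, domains)
```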

What Happened

xmrwallet[.]com is a Monero wallet drainer that has been running since approximately 2016. On every login, the site silently transmits the user's private view key to the operator's server via a base64-encoded session_key parameter. Eight PHP endpoints handle the exfiltration. raw_tx_and_hash.raw = 0 ensures all client-side transactions are discarded. The site has never been compromised — the theft code is the product. Estimated victim losses: $10–20M.
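
A detection check for the behaviour described above, as an added example that is not code from the investigation or from the site: it scans captured requests for a `session_key` parameter whose base64 payload contains a 64-hex-character value, the usual text form of a 32-byte Monero key. The host, endpoint names, payload layout and key in the sample are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# A Monero private key is 32 bytes, normally handled as 64 hex characters.
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")

def decode_b64(value):
    """Return the decoded text, or None when the value is not valid base64."""
    value = value.replace(" ", "+")          # form decoding turns '+' into ' '
    value += "=" * (-len(value) % 4)         # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def find_key_leaks(requests, param="session_key"):
    """Flag requests whose `param` decodes to text containing a 64-hex key."""
    findings = []
    for req in requests:
        fields = parse_qsl(urlsplit(req["url"]).query) + parse_qsl(req.get("body", ""))
        for name, value in fields:
            decoded = decode_b64(value) if name == param else None
            if decoded is None:
                continue
            for match in HEX_KEY.finditer(decoded):
                # Report a prefix only, so the finding does not re-leak the key.
                findings.append((req["url"], name, match.group(0)[:8]))
    return findings

# Constructed capture: host, endpoint names, payload layout and key are invented.
FAKE_VIEW_KEY = "0f" * 32

def _b64(text):
    return quote(base64.b64encode(text.encode()).decode(), safe="")

SAMPLE_REQUESTS = [
    {"url": "https://wallet.example.test/login.php",
     "body": "session_key=" + _b64("addr-placeholder:" + FAKE_VIEW_KEY + ":1")},
    {"url": "https://wallet.example.test/ping.php?session_key=not-base64!!", "body": ""},
    {"url": "https://wallet.example.test/prices.php",
     "body": "session_key=" + _b64("theme=dark")},
]

if __name__ == "__main__":
    for url, name, prefix in find_key_leaks(SAMPLE_REQUESTS):
        print(f"{url}: {name} decodes to a 64-hex value starting {prefix}")
```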

PhishDestroy submitted 20+ delivery-receipted abuse reports to NameSilo between 2023 and 2026. No action was taken. On March 13, 2026, NameSilo's official corporate account published a statement calling the operator "the victim," denying all reports ever arrived, and committing in writing to helping him remove his VirusTotal detections. Three other registrars — PDR, WebNic, NICENIC — reviewed the same evidence and suspended the domain within days.

When PhishDestroy published the operator's own emails proving every sentence false, NameSilo used X Gold Checkmark live-support access to lock the @Phish_Destroy research account. X's automated review cleared the account in writing on April 15, 2026. The lock remains in place. NameSilo's only documented response to this investigation: the scammer's domain was quietly transferred to Namecheap.

Exhibit A — NameSilo's official statement · March 13, 2026 · 11,300 views

[Screenshot: NameSilo official corporate tweet, March 13 2026 — defending xmrwallet operator, denying abuse reports, committing to VirusTotal delisting]

Archived: ghostarchive.org/archive/CXXZ0  ·  SHA-256: ad29e1d3d4803ff37c88ef860bef6de9e62f6ce533657f2e5c5460eb2e0b8ebf

NameSilo's Four Claims vs. the Record

Claim: "Domain was compromised a few months ago."
Record: Exfiltration code is the product — 8 PHP endpoints, session_key server-side capture, raw_tx_and_hash.raw=0. Operator's own email (Feb 16): no hack claimed, site defended as his work.
Verdict: FALSE

Claim: "Prior to that, we had received no abuse reports."
Record: 20+ delivery-receipted reports submitted through NameSilo's own portal, 2023–2026. Public tweet the day before: "9 reports is no joke anymore."
Verdict: FALSE

Claim: "After an extensive review… not involving the registrant."
Record: Operator contacted PhishDestroy Feb 16, defending the site as his own. NameSilo adopted a "compromise" narrative the operator himself never used.
Verdict: FALSE

Claim: "Working with registrant to remove website from VT reports."
Record: Written, published, on their verified corporate account. A registrar actively assisting a confirmed fraud operator in erasing consumer-protection security alerts.
Verdict: DOCUMENTED — DAMNING

Key Evidence

All screenshots SHA-256 verified. Full index: EVIDENCE_INDEX.md

[Screenshot: Operator email Feb 16 2026 — no phishing claim, no hack]
Feb 16, 2026 — Operator email: "There is no phishing." No hack claim. Sent 25 days before NameSilo's "compromise" narrative.

[Screenshot: PhishDestroy technical reply Feb 16]
Feb 16, 2026 — PhishDestroy reply: 8 PHP endpoints documented, escalation notice issued.

[Screenshot: X Support email Apr 15 2026 — no violation, restored]
Apr 15, 2026 — X Support: "No violation. Restored to full functionality." Account still locked.

[Screenshot: Tweet: who is this operator to you?]
Mar 16, 2026 — "Who is this operator to you?" 7,900 views. Never answered. Account locked shortly after.

[Screenshot: GhostArchive — original confrontation tweet]
GhostArchive — archived before suppression. NameSilo's full reply thread, permanent record.

[Screenshot: Tweet: NameSilo acting as press secretary for Monero theft operation]
Mar 16, 2026 — "NameSilo is acting as press secretary for a Monero theft operation." Tweets now invisible.

Timeline

2016
xmrwallet[.]com goes live. session_key silently exfiltrates private view key on every login.
2023–2026
PhishDestroy: 20+ delivery-receipted abuse reports → abuse@namesilo.com. Zero action.
Feb 16, 2026
Operator emails PhishDestroy: "There is no phishing." No hack claim. Site defended as own work.
Mar 12, 2026
PhishDestroy public tweet: "9 reports is no joke anymore."
Mar 13, 2026
NameSilo official tweet (11,300 views): four false claims, offer to scrub VirusTotal. PDR, WebNic, NICENIC: suspended same domain within days.
Mar 16, 2026
PhishDestroy publishes operator emails. @Phish_Destroy account locked via X Gold Checkmark support.
Mar 18, 2026
Full case submitted to ICANN Contractual Compliance.
Apr 15, 2026
X automation: "no violation, restored to full functionality." Lock not lifted.
May 11, 2026
NameSilo legal threat tweet. Zero factual rebuttal. Documented.
May 2026
DMCA filed against this investigation. Keyword/geo suppression detected. xmrwallet domain transferred to Namecheap.
Jun 2026
Zone scan complete: 5,269,357 domains, 87.3% dead/parked. Site remains live. Investigation continues.

For Victims of xmrwallet[.]com

This evidence package is ready to attach to any legal or regulatory filing. MIT licensed — no further authorization needed.

report@phishdestroy.io

For Regulators & Press

Full case submitted to ICANN March 18, 2026. Raw materials available on request: email headers, PHP endpoint captures, abuse report receipts.

Evidence manifest with SHA-256 hashes: evidence_manifest.json

abuse@phishdestroy.io

Mirrors

This investigation is distributed across multiple platforms and protocols. No single point of failure.

Live site: phishdestroy.eth.limo (IPFS via ENS · censorship-resistant)
Arweave (blockchain): arweave.net/LUuditolJS… (Permanent · on-chain)
GhostArchive: ghostarchive.org/archive/CXXZ0 (NameSilo's Mar 13 tweet · permanent)
IPFS CID: bafybei…65xlq

PhishDestroy Research  ·  phishdestroy.eth.limo  ·  TLP:CLEAR  ·  MIT License

📊 Registration Activity

Daily and monthly new domain registrations. Click any bar to download that day’s list.

📡 Daily New Registrations

New domains registered daily — auto-fetched from NetAPI every 24h. Download any day as a plain-text blocklist.


⏱️ Registration Period Distribution

How long operators register domains for. Longer registration = greater investment = more serious/organised campaign.

🌐 Top TLD Zones

Domain zone distribution with average registration period per TLD. Cheap short-reg TLDs signal bulk throwaway infrastructure.

📡 Deployment Status at Registration

Whether domains had an IP at time of fetch. No IP = registered but not yet deployed (parked, pre-staged, or bulk spam).

💰 Estimated Registrar Revenue

Estimated registration fees based on public TLD pricing. Does not include renewals or promo rates.

⚠️ Estimates use average public TLD prices. Actual revenue will differ.

🌍 Hosting Geography

IP country at time of domain registration. No IP means domain was not yet deployed when fetched.

🖧 Top Shared IPs

IP addresses hosting the most phishing domains. High-count IPs indicate bulletproof hosting infrastructure shared across campaigns.

💹 Revenue by TLD Zone

Estimated registration revenue split by TLD. Shows which zones generate most income for the registrar from phishing operators.

⚡ Domain Freshness

How old were domains at time of first fetch. Same-day and within-week catches indicate early warning capability.

📈 Registration Burst Days

Days with abnormally high registration volume — likely campaign start dates. Multiple-of-average spikes indicate coordinated bulk registration events.

🕵 Registrant Fingerprinting

Email addresses and phone numbers used to register phishing domains. Repeated contacts across hundreds of domains identify serial abuse operators — direct IOCs for attribution.

Top Registrant Emails
Top Registrant Phones

🎯 Brand & Keyword Heatmap

Brand names and phishing keywords found in domain labels. Shows which ecosystems are most targeted: crypto wallets, exchanges, DeFi protocols, and support scams.

🚨 Serial Registrant IOCs

Registrant emails appearing across multiple phishing domains — direct operator fingerprints. High repeat count = organised, sustained campaign. Import into SIEM/EDR for attribution.

✅ Blocklist Correlation

Cross-reference with the main Destroylist blocklist. Confirmed phishing domains validated by independent verification pipeline. Unranked % = new infrastructure with no prior web presence.