The short version

A U.S. registrar called NameSilo publicly defended xmrwallet[.]com — a Monero wallet that has been quietly stealing private keys for about ten years. Estimated damage: $10M–$20M.

Long live freedom of speech? Or is this about protecting scammers and lining pockets?

Their defense was a tweet. Four sentences. We went through it sentence by sentence. Every one of them was false, and we said so, with receipts.

Three weeks later our research account on X — @Phish_Destroy, paid Gold Checkmark, never warned, never reported anything fake — went into permanent lockdown. X’s automation reviewed the appeal and wrote back: “no violation, restored to full functionality.” The account is still locked. The Gold subscription is still being billed. We can’t even pull our own posts back out — including the tweets where we tagged NameSilo under older threads from other researchers, which is apparently the part the registrar found unforgivable.

This wasn’t a one-off either. We’ve been sending NameSilo abuse reports on US-targeting crypto scams since 2023, and through 2024 we sent a lot of them. The pattern was always the same — silence, or a polite reply that nothing was wrong. On this case they didn’t just ignore. They went public defending the operator.

And three days before NameSilo went public defending him, the scammer himself sent us one sentence about his own registrar that, alone, tells you everything you need to know about this story. We’ll get to that line in Section 5.

A small Easter egg for NameSilo: we run on the Hydra principle. Cut down one link — five more grow back.

1. How this actually started — a GitHub Issue and a warning the scammer chose to ignore

Honest framing first, because it matters.

I wasn’t running some big targeted operation against xmrwallet[.]com. I opened a GitHub Issue in the scammer's repo — a repo that, by the way, has nothing technically to do with the website itself, since the site sits behind DDoS-Guard. Just an Issue.

The operator wrote to abuse@phishdestroy.io off the back of that Issue. February 16, signed N.R., asking us — politely at first — to take the report down:

“Hi, You are incorrect with your report. There is no phishing going on with xmrwallet.com, this is the official domain name for xmrwallet. We are an open source crypto wallet that is non-custodial, we don’t store seeds or keys, everything is done in your browser locally. Please remove your report on us, thank you. N.R.”

The first email — the operator asks us, politely, to take the report down.

So we answered him. Same day. Calm, professional, technical, and explicit about how this would go from here:

“Hello, Let’s keep this clear and professional.

Analysis of phishing schemes and wallet abuse is a specialized field, and this case has already raised multiple technical indicators that warrant attention. The observations are based on actual production behavior and are reproducible. At the moment, this is not a full audit — just a focused review driven by professional interest.”

Then we walked him through the actual technical observations. Plainly. Client-side transaction generated but explicitly discarded (raw_tx_and_hash.raw = 0). Backend constructing its own transaction independently of the client one. Production-only parameters — session_key, verification, encrypted payload — that don't exist in the public GitHub repository. The session_key carrying the full wallet address and the private view key in base64. A non-standard type == 'swept' transaction paired with "Unknown transaction id," indicating server-side initiated operations not traceable through standard tooling. An observable divergence between his public GitHub code and the production behavior of his own site.

And we told him, in writing, exactly what would happen next:

“The current assessment stands and is technically grounded. The behavior aligns with known high-risk transaction handling patterns. Dismissing findings without addressing these mechanics does not change the conclusion.

If this remains a technical discussion, it stays at this level.

If it escalates — through continued denial or misrepresentation — it may justify a complete end-to-end audit with full documentation, reproducible evidence, and formal submission to relevant security and infrastructure channels.

Nothing here is based on assumptions — only on observable system behavior and verifiable logic. What happens next depends entirely on how you choose to proceed.”

Read that last line again. “What happens next depends entirely on how you choose to proceed.” On the record, in writing, time-stamped February 16. We told him exactly what we’d do, before doing any of it.

That email is not a threat. It’s a courtesy. We give it because we work hard to be transparent and accurate, and we genuinely don’t want to put more time into a deeper case if there’s a chance we’re wrong. Any security researcher will know the reflex — false positives are the single worst thing in our line of work, and the easiest way to avoid one is to give the subject a clean exit before you commit further resources.

A person with even average self-preservation instincts would have read that email once, gone quiet, and kept running their site without ever writing to us again. That option was right there, in plain text, on February 16.

He didn’t take it. He kept writing. He kept arguing. Later, when domains he liked started getting acted on by other registrars, he came back accusing us of “killing three of his domains,” treating the investigation like personal harassment instead of the documented, reproducible analysis it actually was.

So we did exactly what we’d already told him we’d do. We went deeper. We documented every endpoint. We published. Each step of that escalation was, on the record, a response to one of his. None of it was unprovoked.

Three weeks later, his registrar — the one he wasn’t afraid of — picked up exactly where he left off. Same posture. Same tone. Same wave-it-away dismissal of the work.

Two parties, scammer and registrar, both made the same mistake, and neither of them made it just once.

2. Every move we made was a response

The framing the scammer pushed, and the registrar later echoed, is that we are some kind of attack squad picking on independent operators. It’s worth being clear about what actually happened, in order:

• The investigation only escalated because the operator escalated it. Every step on our side — the technical breakdown, the repeated abuse reports, the public thread, the formal escalation to ICANN — landed only after a fresh action from his side. Denial. Reposted lies. Attacks on other researchers. Attempts to wipe reviews and bury repos. We had told him in the first email exactly how this would go: “What happens next depends entirely on how you choose to proceed.” He chose to proceed loudly.
• Then NameSilo decided to make it their problem. The smart move was silence — quietly act on the abuse report, or quietly do nothing. Instead they published a tweet declaring their abuse team had done a deep review, that the scammer was “the victim,” that no abuse reports had ever been received, and that they were going to help him scrub his VirusTotal detections.

After a public statement like that, from the registrar of the domain, the responsible move on our side was not to go quiet. The responsible move was to keep the receipts visible, refuse to let the lie stand unopposed, and tag the registrar under the older threads from other researchers who had been documenting xmrwallet for years before us. Anything else would have been complicity.

That was apparently the conduct that tipped NameSilo into using the Gold Checkmark channel on X. Refusing to fall silent in the face of a public lie was the “violation.” If that’s the rule, then the rule is the problem.

3. Their statement, taken apart line by line

March 13, 2026. NameSilo’s official account posts this under our investigation thread:

“Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago (during which a copy of the webpage was replaced with a crypto-drainer). Prior to that, we had received no abuse reports related to this domain. After an extensive review…”

Permanently archived: ghostarchive.org/archive/CXXZ0

NameSilo’s actual statement — published under our investigation thread, March 13, 2026.

I sat down with that tweet and went through it line by line. Four sentences. Four lies. Not “differently interpreted.” Not “out of date.” Not “a misunderstanding.” False.

Claim 1: “Domain was compromised a few months ago.”

The theft code is the website. Eight PHP endpoints, server-side key exfiltration, Base64 transmission to operator infrastructure, all sitting there for roughly a decade. Nothing was injected. The thing was built to steal from day one.

Claim 2: “Prior to that, we had received no abuse reports.”

We’ve sent 20+ abuse reports through their own portal between 2023 and 2026. We have the delivery receipts. Either their abuse team has no idea what reports they actually receive, or they know and lied anyway. Both are bad.

Claim 3: “After an extensive review… not involving the registrant.”

The operator wrote to us himself, defending his code as his own work. He never claimed a hack. NameSilo’s “review” apparently never asked him.

Claim 4: “Working with the registrant to remove the website from VT reports.”

That isn’t abuse handling. That’s helping a confirmed scammer scrub his security warnings while the drainer is still live.

Meanwhile three other registrars looked at the exact same evidence and acted in days:

• PublicDomainRegistry (PDR) — suspended.
• WebNic — suspended.
• NICENIC — suspended.

NameSilo alone went on TV and called the thief “the victim.” Full technical breakdown of the wallet itself: phishdestroy.io/xmrwallet-namesilo-exposed

And take that fourth claim seriously, because it’s the one people are sleeping on. A registrar’s small in-house abuse team, looking at a confirmed phishing site that steals private keys, that has been live for a decade, that has been flagged by multiple authoritative security vendors — including Fortune-500-grade vendors that build the security telemetry the rest of the industry leans on — is publicly announcing that they’re going to help the registrant get those detections removed.

That is an enormous amount of confidence for a small abuse team to walk in with. Their position is that they have looked at this case more carefully than every authoritative vendor that flagged it, and concluded everyone else is wrong. That isn’t a disagreement. That’s a public sneer at the entire profession — at every researcher, at every vendor, at every other registrar that already suspended.

The scammer had done exactly the same thing in his own emails — accusing us of “killing three of his domains,” dismissing our findings as personal harassment instead of the documented work it is. Three weeks later his registrar published the same posture in their official voice.

After we replied with the full breakdown, the tone from NameSilo’s side stopped sounding like “abuse team review” and started sounding like a company that had been caught. Two weeks later, our Twitter went down.

4. We posted the receipts. Publicly. While we still had an account.

Once their defense of the scammer was up, we replied with the only thing that matters in this work — proof.

March 16: “Let’s be direct. @NameSilo is lying. They claimed xmrwallet[.]com was ‘compromised’ — hacked by a third party. The operator’s own emails to us, written BEFORE NameSilo got involved, prove the ‘hack’ story was fabricated. We have the receipts.”

March 16, thread: “🚨 @NameSilo is acting as press secretary for a $2M+ Monero theft operation. xmrwallet[.]com steals private keys since 2016. 6 security vendors flag it. 3 registrars suspended it. NameSilo called the scammer ‘the victim’ and is helping him remove virustotal warnings.”

March 16: “Honest question for @NameSilo: Who is this operator to you? Employee? Contractor? Friend of support staff? Relative? Because he told us ‘subpoena the registrar’ like a man who already had your answer. 3 registrars suspended him. You wrote him a defense.”

“We’ve now proven that @NameSilo’s abuse team intentionally lied in their public response. The operator’s own emails — written before NameSilo got involved — contradict every claim they made. NameSilo is covering for this operator. The reason is theirs to explain.”

March 18, formal escalation: “Because no response or action has been provided, and due to what appears to be deliberately false statements made to protect a fraud operator, we have forwarded the full investigation materials to @ICANN Contractual Compliance, relevant regulatory authorities, and law enforcement…”

That, near as we can tell, is what got the account locked. A researcher quoting a registrar’s own emails back at them and notifying ICANN.

5. The scammer wasn’t afraid of his own registrar. That’s the whole story.

This is the line that should make every reader stop scrolling. From the operator, in writing, in an email to us dated February 17, 2026 — three weeks before NameSilo went public defending him:

“Feel free to subpoena the domain registrar for my information.”

Read it again.

A guy running a ten-year crypto drainer, on $550-a-month bulletproof hosting in Belize, sitting behind Russian DDoS-Guard, just calmly invited us to subpoena his own registrar. Nobody behaves like that with a registrar that might shut them down. Nobody behaves like that unless they already know how the registrar is going to react.

Three days later, that same registrar called him “the victim” in public.

I’m going to say this plainly because I’ve thought about every other explanation and none of them fits:

The operator of xmrwallet[.]com is connected to someone inside NameSilo. Staff, reseller-account holder, friend of an abuse-team person — something. The "honest mistake on a single review" version doesn't survive contact with the facts. Three other registrars looked at the same evidence and suspended in days. NameSilo wrote a press release for the guy.

6. The smoking gun: X cleared us. The lock didn’t move.

Quick clarification, because most people don’t know this: the Gold Checkmark on X is not the $8 blue thing. It’s the Verified Organization tier — costs an organization real money per month, and one of its main perks is direct access to a live human support agent at X. Both NameSilo and PhishDestroy hold one. We bought ours assuming it’d protect us from drive-by troll reports. NameSilo, on the evidence here, used theirs to file a takedown.

We even said it would happen, before it happened. We posted on Twitter — and notarized it in GhostArchive before the lock dropped — that NameSilo would try to silence us the same way the scammer silences everyone else. They did. Right on schedule. Yeah, yeah — we knew NameSilo would do exactly what they did.

Email #1 — the lock

“Our support team has determined that a violation against inauthentic behaviors [occurred]. We will not overturn our decision.”

No tweet quoted. No specific rule cited. No example. Just a verdict. That’s not what an automated rule trigger looks like. That’s what a human agent decision looks like, after a complaint.

And it’s worth noting what we were doing in the days before the lock came down. We were tagging NameSilo, in public, under older threads from other researchers who had documented xmrwallet[.]com long before us — pulling those receipts back into the timeline so the registrar's "we received no abuse reports" claim would be visible next to other people's evidence too. That, near as we can tell, is the actual conduct that broke their patience. Not insults. Not doxxing. Not anything against X's rules. Just dragging old, archived proof into the registrar's mentions and refusing to let the public statement quietly age out of view.

Email #2 — and now they contradict themselves

Subject line, in their own words: “[4] Your account has been restored.” Date: April 15, 2026.

“Hello, We have reviewed your appeal request for account, @Phish_Destroy. Our automated systems have determined there was no violation and have restored your account to full functionality. Thanks, X Support.”

X Support, on appeal: “no violation, restored to full functionality.”

The subject line in their own words: “Your account has been restored.” Dated April 15, 2026.

Reality check, today

• The account is still locked.
• The Gold subscription is still being billed.
• We cannot pull down our own posts — the very tweets that put NameSilo on the spot are now invisible to us, on our own account.
• No third email has rolled back Email #2. It just stands there, contradicting reality.

So one of two things is true:

1. Email #2 is real. The automation said “no violation, restore.” A human agent then manually overrode the machine after a Gold-tier complaint came in. The human kept the lock the automation lifted.
2. Email #2 is wrong. X sent a false restoration notice and never bothered to correct it, while continuing to bill a paid subscriber for a frozen account.

Either version is the same conclusion in different words. The Gold Checkmark “live human support” channel on X can be used by paying corporate accounts to silence whistleblowers. NameSilo paid for priority access to X moderators, and that access produced a ban that X’s own automation had already thrown out. That’s not content moderation. That’s concierge censorship that you can buy.

7. The same handwriting

Look at the pattern, side by side, and try not to see it.

The scammer’s whole career, when caught: make the evidence go away. Fake DMCA the GitHub repo. Mass-report the Trustpilot reviewer. Get the BitcoinTalk thread buried. Spam-report the YouTube video. Find the “report abuse” button on whatever platform the critic is on, and pull it.

NameSilo, when caught lying about him: make the evidence go away. File a complaint through the Gold Checkmark channel on X. Get the research account locked. Lock the researcher out of his own posts so he can’t redistribute them. Hope the audience moves on.

Same handwriting. The scammer learned to delete people who tell the truth. NameSilo just did the same thing on a corporate scale.

8. NameSilo, not NICENIC, is the worst registrar we have ever dealt with

For two years our internal worst-registrar list had NICENIC at the top. Slow, lazy, hosts a lot of garbage, ignores most of what you send them. We are correcting that ranking, in public, today.

The worst registrar PhishDestroy has ever encountered is NameSilo.

And it is important to be precise about why, because the registrars we usually call “the bad ones” are not the real enemy in this story. Let me break it down:

• NICENIC, WebNic, PDR, Key-Systems, ENOM, Dynadot — the registrars with the worst reputation for abuse handling — are slow. They ignore reports. They make you send three follow-ups. They sometimes never respond at all. That is bad. It is reasonable to be angry at them. But that is the entire scope of their failure.
• None of those registrars has ever stood up in public and called a confirmed crypto-drainer “the victim of a hack.”
• None of them has ever published a tweet declaring that they are going to help an active scammer get his VirusTotal detections removed.
• None of them has ever told the public, on the record, that they “received no abuse reports” about a domain that has been reported dozens of times through their own portal with delivery receipts to prove it.
• None of them, to our knowledge, has ever weaponised a paid X support channel to silence a researcher who quoted their own emails back at them.

Those registrars are messy infrastructure providers. NameSilo turned itself into a propaganda department for a $20M fraud operation. That is a different category of failure entirely.

To be even clearer: silence is not the same as defense. Ignoring a report is not the same as publicly siding with the operator. Slow processing is not the same as actively helping the scammer scrub his security record. Sloppy abuse handling is not the same as lying in your official voice and then banning the witness. NICENIC is bad at its job. NameSilo, on this case, decided to do a different job — and the job they chose was protecting the thief.

And this is not a one-domain story. In our records, NameSilo is tied to hundreds of active crypto-scam domains targeting U.S. users. Across two years of work, we have watched the same pattern over and over: reports submitted, reports ignored, scams kept running. Until xmrwallet[.]com, the worst we'd seen from NameSilo was institutional negligence. With xmrwallet[.]com, they crossed into something else — public defense of the operator, public help with his detections, public retaliation against the people who proved them wrong.

If a registrar that ignores reports is “bad,” there is no word strong enough yet for what NameSilo has put on the record here. We are settling for “the worst registrar PhishDestroy has ever encountered.” It will do for now.

9. From now on, every report is public — with timestamps and explicit consent for court use

One operational change came directly out of this case. We’d assumed, naively, that an ICANN-accredited registrar maintained an honest accounting of the abuse reports it received and acted on. NameSilo’s “prior to that, we had received no abuse reports” — published over our 20+ delivery-receipted submissions — proved that assumption wrong. Either there’s no proper intake control on their side, or there is and the public statement was knowingly false. Either reading is its own scandal.

So:

• Every abuse report we file is also published live on phishdestroy.io, alongside the registrar’s response — or their silence.
• Each report carries a delivery timestamp, so the registrar’s response window is publicly counted in days, not in private tickets that can later be claimed to have never arrived.
• Every report carries our explicit, written consent for the published evidence to be used as-is in any legal, regulatory, or law-enforcement proceeding. By victims, by prosecutors, by ICANN, by any court. No further authorization required from us. Take it, file it, attach it.

This is the direct answer to “we received no abuse reports.” There’s now a public ledger and a clock on the wall. If a registrar claims a report never arrived, anyone can go read the report.

10. What we’re working on next: the archive and “njan la”

We’re currently tracking a strangely high volume of DDoS traffic hitting phishdestroy.io from infrastructure tied to the "njan la" hosting ecosystem. We'll map that. But while we do, our primary focus is shifting to something much bigger: the historical record.

We’re pulling every abuse report we filed against NameSilo-registered domains between 2022 and 2024 — the absolute peak of the crypto-drainer and pig-butchering epidemics. During that era, NameSilo’s favourite reseller, “njan la”, was the undisputed king of bulletproof infrastructure. We’re going to start asking the uncomfortable questions: how much money was made selling overpriced, abuse-tolerant domains before “njan la” quietly shut down its public API? And is “njan la” actually an independent reseller, or something much closer to a subsidiary?

NameSilo acted like missing 20 reports on a single domain was a simple discrepancy. For context: over the years our project has discovered and reported between 300,000 and 500,000 malicious domains across the internet. Let’s be clear — digging into NameSilo’s history is not revenge for our Twitter ban. We expected the ban because we had thoroughly studied how their scammer operates (and notice, I’m still formally treating the operator as a separate person, even if the facts heavily suggest otherwise). All actions we take here are strictly investigative, not offensive.

We’re going to publish the complete, historical archive of PhishDestroy reports sent to NameSilo. Not to brag about scale — there is nothing to be proud of as long as entities like NameSilo and its “resellers” profit from scamming ordinary people. They hide behind excuses like “freedom of speech” while charging two-to-five-times premiums for bulletproof ignorance of abuse. I’m not a lawyer, but the pattern is staggering.

Since NameSilo claims they don’t receive reports — or simply lose them — we will become their permanent, public archive. Scammers can look at it to write NameSilo a thank-you note for ignoring so many of our complaints. Victims can look at it to realise that if this registrar had simply enforced basic ICANN rules, their life savings might still be intact. But NameSilo doesn’t seem to care about that. They’re too busy volunteering to scrub VirusTotal detections for the thieves.

Both the reseller analysis and the source-IP DDoS breakdown will be published on phishdestroy.io when they’re ready.

11. Why this is going up in more than one place

NameSilo doesn’t like the truth. We do. So this article is going on Medium, on our own site, in the GitHub evidence repo, and in GhostArchive — all the places we already use to keep the case file from disappearing. There’s no campaign, no petition, no “demand action.” Just facts, in more than one location, with timestamps.

If you’re a victim of xmrwallet[.]com and you need the evidence package for a report or a filing, it's permanently available at phishdestroy.io or report@phishdestroy.io. Take whatever you need.

12. A short note to the scammer and his registrar

I understand the truth is uncomfortable for both of you. You’ll find the report button without my help.

But the question stands: do you actually believe the truth about what you did can be erased?

It can’t. The receipts exist. The archives exist. The screenshots exist. Every move you make to take this down only adds another timestamp to the file.

You can keep clicking. It changes nothing.

Final word

We told the public, in advance, that NameSilo would try to silence us. We notarized that prediction in GhostArchive before the lock dropped. They did exactly what we said they would do.

And here is the article they were trying to prevent.

Scammers delete evidence. NameSilo defended one. X locked our account. The archive remains. The truth remains. We remain.

Sources & permanent archives

• NameSilo’s original tweet, archived: ghostarchive.org/archive/CXXZ0
• Full technical investigation of xmrwallet[.]com: phishdestroy.io/xmrwallet-namesilo-exposed
• How NameSilo killed our Twitter — full evidence dossier: phishdestroy.io/namesilo-killed-our-twitter
• Earlier Medium write-up on the scam itself: phishdestroy.medium.com/xmrwallet-com-2953f35b8a79
• GitHub evidence repository: github.com/phishdestroy/DO-NOT-USE-xmrwallet-com

PhishDestroy Research — phishdestroy.io

A registrar fabricated a “compromise” story to protect a phishing domain flagged by Fortinet, Webroot, and 4 other security vendors. Three peer registrars suspended the same evidence. NameSilo chose to defend the thief. If they’re this committed to protecting him — perhaps they should also cover his debts to the victims.

This investigation was conducted by PhishDestroy Research — an independent cybersecurity team that tracks, documents, and destroys phishing infrastructure. Full evidence: phishdestroy.github.io/DO-NOT-USE-xmrwallet-com. Repository: github.com/phishdestroy/DO-NOT-USE-xmrwallet-com.

xmrwallet.com has operated since 2016, marketing itself as a free, open-source Monero wallet. A live network capture on February 18, 2026 proved the site steals private Monero view keys on every login and hijacks transactions server-side. Fifteen documented victims across Trustpilot, Sitejabber, and BitcoinTalk. Six security vendors on VirusTotal flag it as malicious. Estimated stolen: $2M+.

Abuse reports were filed with all registrars. Three suspended their domains within days. The fourth — NameSilo, LLC — contacted the scammer, believed his story, and published a defense so absurd it deserves a line-by-line autopsy.

NameSilo’s public statement — verbatim

“Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago (during which a copy of the webpage was replaced with a crypto-drainer). Prior to that, we had received no abuse reports related to this domain. After an extensive investigation, our team found evidence of the compromise not involving the registrant, and they immediately took steps to reverse it. The registrant is also working to get the website delisted from VT reports. Are you able to confirm if the abuse you’re seeing is recent or from this initial hack? If you have any new evidence of abuse taking place, please send it over to us (at support@namesilo.com if that’s more preferable) and we will re-open the investigation again.”

Seven claims. Seven lies. Let’s go.

LIE #1: “The domain was compromised”

NameSilo says someone hacked xmrwallet.com and injected a crypto-drainer.

The theft mechanism is not injected code. It is the core architecture of the application — a complete session system built across 8 PHP endpoints, transmitting the victim’s private view key 40+ times per session.

Every login sends your private key to /auth.php. The server returns a session_key — not a random token, but your address and view key in Base64:

session_key = [blob]:[base64(address)]:[base64(viewkey)]

# Verify:
import base64
print(base64.b64decode(
  "ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA=="
).decode())
# → efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
#   ^^^ real private view key from live capture

This key is re-sent on every request — to /getheightsync.php (12×), /gettransactions.php (10×), /getbalance.php (6×), /dashboard.html (4×), and more. Full capture data: PhishDestroy evidence page.

When you send XMR:

raw_tx_and_hash.raw = 0    // your transaction — discarded, never broadcast

if (type == 'swept') {     // custom theft flag — not in Monero protocol
    txid = 'Unknown transaction id'
}

A hidden backdoor phones home automatically — /support_login.html with hardcoded session 8de50123dab32. Not user-initiated. Not in the GitHub code. Documented in cached Issue #35.

The GitHub repository has a 5.3-year commit gap (2018–2024). The Wayback Machine shows no session_key in 2023 — but it's in production in 2025. This system was built over years, not injected in a hack.

Does NameSilo believe a hacker built a complete PHP backend with 8 endpoints, a Base64 key exfiltration protocol, a transaction hijacking mechanism, and a hardcoded backdoor — as part of a “compromise”? Or is NameSilo just repeating what the scammer told them?

LIE #2: “We had received no abuse reports”

This is the lie that proves NameSilo never investigated anything.

Here is what existed — publicly, for years — before any report was filed with NameSilo:

VirusTotal — six vendors flag xmrwallet.com. Fortinet (Fortune 500, FortiGuard Labs, 700,000+ organizations): “Phishing.” Webroot/OpenText (BrightCloud threat intel): “Malicious.” ADMINUSLabs: “Malicious.” CyRadar: “Malicious.” Lionic: “Malicious.” Seclookup: “Malicious.” These are automated systems — they crawl, analyze, and classify every domain on the internet continuously. They don’t file “abuse reports.” They just flag threats. The data was there for anyone to see.

URLQuery — automated analysis flagged the domain. Public report, publicly accessible, predating 2026.

ScamAdviser — “very low trust score.” The automated analysis notes: “registrar has high percentage of fraud sites” and “owner identity hidden via privacy service.”

Trustpilot — multiple theft reports going back years. $200 stolen. 17.44 XMR stolen (with TxID and TX Key documented). Funds redirected to unknown wallets. Transaction verification failing.

Sitejabber — 590 XMR (~$177,000) stolen in a single report. 20 XMR stolen. Rating: 1.5/5. Reports calling the site “fake” and “scammers.”

BitcoinTalk — the largest cryptocurrency forum in the world has a public warning thread: “[WARNING] XMRWallet.com Scams — Stay vigilant!”

Reddit r/Monero — the operator (u/WiseSolution) was banned from the official Monero subreddit in 2018. Eight years before NameSilo’s “review.”

Searching “xmrwallet.com” on VirusTotal takes five seconds. Googling “xmrwallet.com scam” returns a wall of warnings on the first page. Checking Trustpilot takes one click.

“No prior abuse reports” means one of two things: NameSilo’s “in-depth review” didn’t include a single Google search — or they found all of this and are lying about it. Which is it, NameSilo?

LIE #3: “Evidence of the compromise not involving the registrant”

Translation: NameSilo contacted the scammer, the scammer said “I was hacked,” and NameSilo wrote it down as an “investigation.”

Here’s what this “innocent registrant” has been doing:

Registered four escape domains — xmrwallet.cc, xmrwallet.biz, xmrwallet.net, xmrwallet.me — across four different registrars, each prepaid 5–10 years. Registered before the investigation was published. Deliberately spread to slow coordinated takedowns. (Full domain analysis)

Deleted 21+ GitHub issues documenting fraud — over eight years. Deleted Issues #35 and #36 (the full technical proof) the same day two escape domains were suspended. (Archived deleted evidence)

Zero technical rebuttals in eight years. Not one network capture. Not one code audit. Not one explanation for session_key, raw = 0, or the backdoor. (Cached Issue #35 · Cached Issue #36)

$550/month bulletproof hosting (IQWeb FZ-LLC, Belize) behind DDoS-Guard (Russia) — for a “free open-source client-side” project. GitHub Pages costs $0. (Infrastructure IOCs)

Banned from r/Monero in 2018. (Operator profile)

50+ paid SEO articles across crypto media to bury negative results. Zero donation wallets despite claiming “funded by donations.” (Full exposure article)

Four Google trackers (GTM, GA, GA4, DoubleClick) inside a “privacy” wallet. No legitimate Monero wallet does this — not Monero GUI, not Feather Wallet, not Cake Wallet, not Monerujo.

Hacked website owners publish incident reports and fix their code. This operator deletes evidence, buys escape domains, hires new developers for captcha systems, and pays for SEO campaigns. That’s not a victim. That’s an operation.

LIE #4: “They immediately took steps to reverse it”

Reverse what?

The session_key exfiltration is in production right now. The raw_tx_and_hash.raw = 0 is in production right now. The Google trackers are firing right now. The DDoS-Guard hosting is active right now. The Tor hidden service runs identical code right now.

The GitHub repository has zero commits addressing any security incident. No changelog. No patch. No incident report.

Nothing was “reversed.” The theft code is the product. It has always been the product.

LIE #5: “The registrant is working to get delisted from VT”

This single sentence exposes NameSilo’s role completely.

Fortinet — a Fortune 500 cybersecurity company — classified xmrwallet.com as “Phishing.” This classification is used by firewalls, email gateways, and security appliances protecting 700,000+ organizations worldwide.

The operator’s response: not to remove the phishing code — but to lobby VirusTotal to remove the detection.

And NameSilo presents this as a positive development. As evidence that the registrant is acting in good faith.

Read that again. A domain flagged as “Phishing” by Fortinet is trying to get the “Phishing” label removed — without removing the phishing code. And the registrar is cheering them on.

A legitimate site owner who was truly hacked would welcome VirusTotal detections — it validates the threat existed. They would focus on removing malicious code, not security warnings. This operator is doing the opposite: leaving the code intact, removing the warnings.

NameSilo is actively assisting a flagged phishing domain in suppressing security alerts that protect potential victims. This isn’t abuse handling. This is a PR service for a criminal.

LIE #6: “Are you able to confirm if the abuse is recent?”

The abuse is current. The abuse is continuous. The abuse has never stopped in eight years.

But the framing of this question is the real tell. NameSilo is not asking because they want to investigate. They’re asking to shift the burden of proof to the reporter — so they can close the case if the answer doesn’t arrive fast enough.

The evidence was in the report. The VirusTotal detections are live. The victim reports span years. Three peer registrars reviewed the same evidence and acted. NameSilo is asking researchers to do their job for them — while they do the scammer’s PR.

LIE #7: “We will re-open the investigation”

“Re-open” implies it was once open. Based on the response, NameSilo’s “investigation” consisted of calling the scammer and writing down what he said. That’s not an investigation. That’s dictation.

An actual investigation would have included: a VirusTotal search (5 seconds), a Trustpilot check (1 minute), a Google search for “xmrwallet.com scam” (10 seconds), a read of the cached Issue #35 (10 minutes), and a basic check of the hosting infrastructure (IQWeb Belize + DDoS-Guard Russia for an “open-source” project?).

NameSilo did none of this. Or did all of it and is lying.

Three registrars protected users. NameSilo became the scammer’s lawyer.

The same evidence package was sent to all registrars:

PublicDomainRegistry — xmrwallet.cc. Same operator (identical MX records mx1/mx2.privateemail.com, same WOT token 8a5554c915e3c17278a7, 23 file hashes on VirusTotal). Action: SUSPENDED. Days. No cover story. No call to the scammer.

WebNic — xmrwallet.biz. Same infrastructure (AS59692, same DNS, same MX, same WOT token, 23 files on VirusTotal). Action: SUSPENDED. Days.

NICENIC International — xmrwallet.net. Same IP as the already-suspended .biz (190.115.31.40). Ten-year prepaid registration. Action: DNS DEAD.

NameSilo — xmrwallet.com. The primary domain. Most documented. Most flagged. Most victims. Three peers already acted on identical evidence. Action: “The registrant is the victim. They’re working to get delisted from VT. Is the abuse recent?”

Three companies in three countries — India, Malaysia, China — independently concluded: fraud. Suspend. One company — NameSilo, USA — concluded: the scammer is the victim, let’s help him remove the warnings.

The victims NameSilo is helping the scammer hide from

“I do deposit 590 monero 2 day gone and they steal it! Please ban this site and FBI need arest it!” — Sitejabber. 590 XMR. ~$177,000.

“My 17.44 XMR was all gone. I have both the TxID & TX Key.” — Trustpilot.

“Create wallet — put 20 xmr next day 0 xmr — Scammers owner!” — Sitejabber.

“They stole $200 from me, leaving me high and dry.” — Trustpilot.

“Transferred to some other wallets instead of my mentioned wallet.” — Trustpilot.

“Whatever you do, do NOT try to use this wallet. UNABLE TO ACCESS MY FUNDS.” — Trustpilot.

“SCAMMERS! Lost contact when I wanted withdrawal, no response from customer support.” — Scam-Detector.

These reports span years. The operator’s response to every victim — same template: “You used a phishing clone.” NameSilo’s response: “The registrant is the victim.”

Conservative estimate: 10,000–50,000+ wallets created over 8 years. $1.5M–$15M+ stolen at historical prices. Full victim documentation: PhishDestroy investigation.

The escape domain panic — consciousness of guilt

Feb 4, 2026 — xmrwallet.cc registered. 8yr prepaid. Investigation not yet published.

Feb 9 — xmrwallet.biz registered. 5yr prepaid. Still before publication.

Feb 13 — Issue #35 published. Full TX hijacking exposed.

Feb 18 — Issue #36 published. 109 requests, 43 viewkey transmissions.

Feb 23 — .cc SUSPENDED. .biz SUSPENDED. Same day: operator deletes Issues #35 + #36.

Feb 26 — xmrwallet.net registered (10yr, same IP as .biz). xmrwallet.me registered (10yr, same IP as .cc). Four registrars. Zero GitHub commits.

Mar 8 — xmrwallet.net DNS DEAD after abuse report.

Scoreboard: 3/4 escape domains neutralized. 23 years of prepaid registrations wasted. IP recycling proves same operator: .biz IP → reused by .net. .cc IP → reused by .me. All domains share identical NS (ddos-guard.net), MX (privateemail.com), and WOT token (8a5554c915e3c17278a7). DNS maps and WHOIS evidence.

Does NameSilo believe “compromised” website owners register escape domains across 4 registrars, prepaid for decades, before the investigation is published?

The operator NameSilo calls “the victim”

Nathalie Roy, Canada. GitHub: nathroy (ID: 39167759). Reddit: u/WiseSolution — banned from r/Monero (2018). ProtonMail: royn5094@protonmail.com. Self-identified on xmrwallet.com/support.html. Full profile: PhishDestroy operator analysis.

Claims “funded by donations” — zero donation wallet exists. Pays $550/month bulletproof hosting. 50+ paid SEO articles. DDoS-Guard CDN. Android app. 100+ blog posts in 10 languages. Hired a second developer for a custom captcha system in March 2026 — which was reverse-engineered and defeated within hours.

NameSilo calls this person the victim of a compromise.

The operator’s own words — emails to PhishDestroy

After xmrwallet.com was reported, the operator (royn5094@protonmail.com) emailed PhishDestroy directly. Four emails over 7 days. Zero technical rebuttals. And one sentence that reveals everything about the relationship between the operator and NameSilo.

Feb 16 — “We don’t store keys”

“We are an open source crypto wallet that is non-custodial, we don’t store seeds or keys, everything is done in your browser locally. Please remove your report on us, thank you. N.R.”

The same day, PhishDestroy responded with a full technical breakdown: raw_tx_and_hash.raw = 0 (client transaction discarded), session_key containing the victim's private view key in Base64, type == 'swept' (custom theft marker absent from Monero protocol), production-only parameters not in the public GitHub repository. The operator never addressed a single finding.

Feb 17 — Two emails in one day. Panic.

“This is the data we need to offer the service to users. This is not grounds for a domain suspension.”

Yesterday: “we don’t store keys.” Today: “this is the data we need.” Two mutually exclusive statements in 24 hours.

“You are accusing without proof. The way the website was built does not verify anything was stolen, so I’m not sure what you’re going to waste your time on. If this is a legal matter, feel free to subpoena the domain registrar for my information to submit a complaint in the courts.”

Now read that last sentence again: “Feel free to subpoena the domain registrar.”

This was written on Feb 17 — before we contacted NameSilo, before the abuse report was filed, and before NameSilo published their “compromise” cover story. At this point, nobody knew how NameSilo would respond.

And yet the operator is not worried. Not even slightly. A scammer running a phishing operation on bulletproof hosting behind DDoS-Guard should be terrified of a registrar investigation. A normal scammer would say “go ahead, try” — a bluff. But this operator doesn’t bluff. This operator actively directs us toward the registrar, as if confident that NameSilo will take his side.

No scammer in history has ever said “please involve my registrar” — unless they already know the outcome.

Why was the operator so confident? Was it just arrogance? Or does the operator have a relationship with someone at NameSilo — a friend in support, a remote contractor, a connection that guarantees protection? We don’t know. But the sequence of events speaks for itself:

1. Feb 17 — operator says “subpoena the registrar” with zero concern.

2. Feb 23 — three other registrars suspend his domains immediately.

3. NameSilo — the one registrar the operator pointed us toward — not only refuses to act, but publishes a defense calling him “the victim” and helps him remove VirusTotal warnings.

The operator predicted NameSilo’s response before it happened. That’s either the luckiest guess in the history of cybercrime — or the operator knew something we didn’t.

Feb 18 — PhishDestroy responds with evidence and a warning.

Feb 23 — Domains suspended. Operator panics.

The same day xmrwallet.cc and xmrwallet.biz were SUSPENDED by their registrars, the operator’s tone changed completely:

“I’ve communicated with my lawyer and you’ll hear from them directly soon for harassment, spamming and brand reputation damage. We’ve hired a private investigator to find your information to file the case.”

“You can literally look up Trezor, Ledger or any other major wallet, they all have complaints about stolen funds. Every single one of them. They also get their view keys to service users, that’s how it works.”

Trezor and Ledger are hardware wallets. They do not collect private view keys server-side. They don’t have PHP backends. They don’t transmit session_key to a server 40 times per session. The operator either doesn't understand cryptocurrency wallets — or is counting on the reader not understanding them.

Four emails. Zero explanations for session_key, raw = 0, swept, or the 5.3-year GitHub divergence. From "please remove your report" to "my lawyer" in 7 days. The lawyer has not materialized in 4 weeks.

But here’s the detail that destroys NameSilo’s entire “compromise” narrative:

In all four emails (Feb 16–23), the operator speaks in first person — “we are an open source wallet,” “this is how the website is run,” “this is the data we need.” The operator defends the code, the architecture, the data collection — as their own work.

Not once does the operator mention any hack, compromise, or unauthorized access.

On Feb 16–17, the operator told us: “this is how the website is run.” Weeks later, NameSilo told the public: “the domain was compromised.” These two statements cannot both be true.

The “compromise” story didn’t exist until NameSilo contacted the operator and needed an explanation to close the case. The operator’s own emails — written before the cover story was needed — prove the “hack” narrative was fabricated after the fact.

NameSilo received the same evidence — and the same operator emails. They chose the cover story over the evidence. They called this person “the victim.”

NameSilo’s liability: from negligence to complicity

Before NameSilo’s response, this was a case of registrar negligence — bad, but common. Abuse teams are slow. Things fall through cracks.

After NameSilo’s response, this is something else entirely.

NameSilo didn’t just fail to investigate. They:

1. Contacted the accused operator and accepted his version as fact.

2. Publicly declared the operator innocent — calling him the “victim” of a “compromise.”

3. Revealed they know the operator is lobbying to remove VirusTotal detections — and presented this as progress.

4. Published a cover story (“domain was compromised”) contradicted by 8 years of evidence.

5. Shifted the burden of proof to the reporters: “Is the abuse recent?”

This is not an abuse team dropping the ball. This is a registrar acting as the scammer’s press secretary.

And if NameSilo is this committed to defending the operator — perhaps they should also be committed to making the victims whole.

Under ICANN’s 2013 Registrar Accreditation Agreement (RAA), Section 3.18, registrars must investigate and respond appropriately to abuse. NameSilo’s “appropriate response” was to write a press release defending the accused.

Three registrars — PublicDomainRegistry (India), WebNic (Malaysia), NICENIC (China) — in three countries, with three different legal frameworks, all independently concluded: fraud. Suspend. NameSilo concluded: “the registrant is the victim.”

Every dollar stolen through xmrwallet.com after NameSilo published that statement was stolen by an operator that NameSilo publicly declared innocent. Every future victim can point to NameSilo’s words: “Our team found evidence of the compromise not involving the registrant.”

NameSilo cleared the operator. NameSilo endorsed the domain. NameSilo put it in writing.

If those statements are wrong — and the evidence overwhelmingly proves they are — then NameSilo’s public endorsement directly contributed to every subsequent theft. The victims didn’t just lose money to a scammer. They lost money to a scammer whose registrar publicly vouched for him.

With this level of commitment to acting as the operator’s defense attorney, NameSilo should be equally committed to covering the operator’s debts. If you vouch for a thief — you share the bill when he gets caught.

Take action

Report xmrwallet.com as phishing:

→ Google Safe Browsing — blocks in Chrome, Firefox, Safari, Edge

→ Netcraft — used by ISPs and registrars globally

→ PhishTank — community blocklist

→ APWG — Anti-Phishing Working Group

→ Phish.Report — auto-reports to 6+ platforms

→ abuse@namesilo.com — the registrar that calls it a “hack”

File ICANN complaint against NameSilo:

→ ICANN complaint form — RAA Section 3.18 violation. Include NameSilo’s statement verbatim.

Report to law enforcement (operator: Nathalie Roy, Canada):

→ Canadian Anti-Fraud Centre

→ RCMP Cybercrime

→ FBI IC3 (accepts international)

→ FTC

→ Europol

→ Interpol

Use safe wallets:

→ Monero GUI — official, zero trackers

→ Feather Wallet — Tor built-in, zero trackers

→ Cake Wallet — iOS/Android, zero trackers

→ Monerujo — Android, zero trackers

Never enter a private key or seed phrase into a website. Ever.

Full evidence — permanent, cached, verifiable

→ Full investigation — PhishDestroy

→ Deleted evidence archive

→ Issue #35 — cached HTML

→ Issue #36 — cached HTML

→ VirusTotal — xmrwallet.com

→ VirusTotal — xmrwallet.biz

→ VirusTotal — xmrwallet.cc

→ VirusTotal — xmrwallet.me

→ URLQuery report

→ ScamAdviser

→ BitcoinTalk warning thread

→ Scam exposed — article

→ Deleted evidence — article

→ Is xmrwallet safe? — article

→ Operator profile — article

→ Captcha defeated — article

→ Safe alternatives — article

→ GitHub repository — full evidence

→ PhishDestroy blocklist — 100,000+ domains

NameSilo didn’t ignore the evidence. They read it, called the scammer, believed him, declared him innocent, and are helping him suppress security warnings. Then asked the researchers to prove the abuse is “recent.”

That’s not negligence. That’s a partnership.

NameSilo on X: "@Phish_Destroy Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago (during which a copy of the webpage was replaced with a crypto-drainer). Prior to that, we had received no abuse reports related to this domain. After an extensive" / X | Ghostarchive

Three registrars protected users. NameSilo protected the scammer — and put it in writing. Their statement will be Exhibit A in every filing from this point forward.

If you vouch for the thief, you share his bill.

Scammers delete evidence. Registrars write cover stories. We make it permanent.

PhishDestroy Research · Telegram · Twitter/X · Bot · API

This investigation is based on publicly available evidence, live network captures, OSINT, public review platforms, and NameSilo’s own verbatim public statement. No unauthorized access was performed. All findings are independently reproducible using the archived data. NameSilo’s response is quoted in full, unedited.

If you are a victim of xmrwallet.com: document your TxID, wallet address, and date of loss. Report to ic3.gov and local law enforcement. Include NameSilo’s public statement in your filing. Do NOT pay “recovery services” — they are secondary scams.

The modern internet, often perceived by the lay public as an ethereal cloud of information, is in reality a rigidly structured hierarchy of physical infrastructure, administrative governance, and contractual trust. At the gateway of this digital ecosystem stand domain registrars — the entities authorized by the Internet Corporation for Assigned Names and Numbers (ICANN) to lease the human-readable addresses that serve as the storefronts, communication hubs, and identity cards of the web. These gatekeepers are bound by the Registrar Accreditation Agreement (RAA) to maintain the stability and security of the Domain Name System (DNS). However, a distinct subset of accredited entities has emerged that weaponizes this agreement, subverting their custodial duties to create safe havens for illicit activity.

This comprehensive investigative report isolates and analyzes the operations of one such entity: NiceNIC International Group Co., Limited (IANA ID 3765).

Headquartered in Hong Kong, NiceNIC has statistically and operationally distinguished itself not through innovation or market dominance, but through an anomalous and sustained concentration of abuse. This dossier, synthesized from proprietary intelligence gathered by the PhishDestroy Threat Intelligence Team, alongside data from the DNS Research Federation (DNSRF), Spamhaus, and the Cybercrime Information Center, establishes that NiceNIC functions as a structural pillar of the modern cybercriminal economy.

Our investigation reveals a distinct operational pattern that transcends mere negligence. NiceNIC exhibits the characteristics of a “Bulletproof Registrar,” characterized by:

1. Marketing of Anonymity: The explicit prioritization of cryptocurrency payments (USDT, BTC) to sever financial audibility.
2. Procedural Obstructionism: The utilization of a “closed-loop” abuse reporting system designed to obfuscate responsibility and delay mitigation.
3. Geopolitical Arbitrage: The exploitation of jurisdictional friction between Western law enforcement and Hong Kong corporate law.
4. Statistical Dominance in Crime: A phishing domain score 326 times higher than the industry standard.

The implications of these findings are severe. By providing “full-stack” protection — acting as both registrar and host for high-profile threat actors like Scattered Spider and the perpetrators of the December 2025 Trust Wallet heist — NiceNIC has effectively positioned itself as an open advertisement for global cybercrime. This report serves as a formal indictment of IANA 3765’s operational model, arguing that its continued accreditation constitutes a material breach of public trust and a direct threat to the stability of the global internet.

Part I: The Infrastructure of Malice and the PhishDestroy Methodology

To understand the gravity of the findings presented in this dossier, it is essential to first establish the methodological rigor applied to the data collection. In an industry often clouded by false positives and automated noise, the attribution of “rogue” status requires a standard of evidence that withstands forensic scrutiny.

1.1 The PhishDestroy Protocol: Precision Intelligence

The intelligence underpinning this report is derived from the PhishDestroy Threat Intelligence Team, an independent analytical platform dedicated to the detection and disruption of malicious infrastructure. Unlike traditional abuse reporting, which can be prone to “spammy” automated submissions, PhishDestroy employs a multi-stage, forensic-based methodology designed to isolate high-fidelity threats.

GitHub Destroylist: https://github.com/phishdestroy/destroylist

Live Threat Map: https://phishdestroy.io/live/

Our model is fully active and pre-emptive: we aim to eliminate phishing before it causes damage. We operate transparently, maintain a live open database, share data with multiple security systems, and have no profit motive — no donations, no commercial interest, no bias toward or against any registrar. Our only goal is the destruction of phishing.

We run 30+ proprietary parsers that detect threats at the earliest stage through malvertising monitoring, SEO-abuse tracking, social-media campaign analysis, typosquatting detection, and community intelligence. Confirmed threats are immediately distributed to 50+ major vendors (Google Safe Browsing, Cloudflare, Microsoft, VirusTotal, etc.) for global remediation.

Key Technical Signatures Monitored:

• Cryptocurrency Drainers: JavaScript snippets designed to interact with Web3 wallets (e.g., MetaMask, Trust Wallet) and execute unauthorized transaction signatures.
• Phishing Templates: HTML and CSS structures that replicate the login interfaces of major financial institutions, specifically looking for obfuscated code or “homograph” deceptions.
• Malicious JavaScript: Obfuscated code blocks commonly associated with drive-by downloads or credential harvesting.

Each report contains a full evidence package, including:

• the complete email,
• the PDF report,
• the inline screenshot,
• the direct-link screenshot,
• and the attached screenshot file.

We provide this structure to ensure maximum clarity for the abuse team and to simplify verification based on VirusTotal verdicts and other technical indicators.

If a repeated notice is required, we include additional details and an expanded technical analysis.

We operate under a strict notification system to avoid any accusations of flooding. Every report is based on live, confirmed detection of the threat.

Initial Takedown Notice (1st Notice)

The first notification includes:
• the email,
• the forensic PDF,
• all screenshots (inline, link, attached).

Examples:
• First email (Initial Notice)
• PDF report (caivax.com)

Escalation Report (2nd Notice)

A repeated notification is sent only when our parsers or repeated user signals confirm that the threat has been detected again and remains active.
If neither the system nor human analysts detect the site anymore, reporting stops immediately.
This ensures that escalation is issued only for genuinely active and dangerous incidents that continue to spread.

The escalation package includes:
• the updated email,
• the escalation PDF,
• all screenshots (inline, link, attached).

Examples:
• Second email (Escalation Notice)
• Escalation PDF (bigspin.cc) — Report #17 for a domain ignored for more than 1300 hours.

Part II: The Data of Distrust — Statistical Evidence

Anecdotal evidence of abuse is common across the registrar industry; even giants like GoDaddy or Namecheap host thousands of malicious domains simply due to their immense market share. However, the rate and concentration of abuse distinguish a negligent registrar from a rogue one. The data regarding NiceNIC is unambiguous and statistically catastrophic.

2.1 The League Tables of Internet Neighborhoods

The concept of “Internet Neighborhoods” posits that just as physical cities have safe zones and high-crime zones, the internet is divided into Top-Level Domains (TLDs) and registrars that are either safe or dangerous. The DNS Research Federation (DNSRF) and other watchdogs track these neighborhoods quantitatively to assess the health of the ecosystem.

In the 2024–2025 reporting periods, NiceNIC consistently appeared in the upper echelons of the DNSRF’s “League Tables” for abuse. The report highlighted a cluster of high-abuse registrars in the Asia region, specifically identifying NiceNIC as part of an “unsafe neighborhood” comparable to a “lawless Wild West.” This ranking is critical because it normalizes for size. It is not merely that NiceNIC has a high volume of bad domains; it is that a disproportionately high percentage of its total business is toxic.1

2.2 The Phishing Landscape 2025: A Statistical Anomaly

The most damning statistical evidence comes from the “The Phishing Landscape 2025” report by the Cybercrime Information Center. This report utilizes a “Phishing Domain Score” to quantify the density of threats. The discrepancy between NiceNIC and legitimate providers effectively illustrates the “rogue” categorization.

https://interisle.net/insights/phishing-landscape-2025-an-annual-study-of-the-scope-and-distribution-of-phishing

Phishing Activity in Domain Registrars, August 1, 2025 - October 31, 2025 - Cybercrime Information Center

According to the Phishing Activity Quarter-Over-Quarter (Aug–Oct 2025) report, NiceNIC shows a consistent upward trend in phishing domain volume, while most major registrars are tightening controls and reducing abuse. This divergence is not accidental. As other registrars harden their abuse processes, malicious actors naturally migrate toward the registrar that ignores takedowns and leaves phishing domains online the longest.

The result is structural, not incidental: NiceNIC’s customer base is increasingly composed of threat actors because the registrar’s policies make it the most attractive option for abuse. This growth pattern reflects deliberate operational permissiveness rather than lack of capacity or oversight.

Source: https://www.cybercrimeinfocenter.org/phishing-activity-quarter-over-quarter-registrars-august-october-2025

Registrar Phishing Domain Score StatusN iceNIC (IANA 3765)1,141.74 Critical Threat
Google / GoDaddy3.2–3.5 Industry Standard Namecheap~3.5 Industry Standard

Analysis of the Metric:

NiceNIC’s score is approximately 326 times higher than the industry standard. This is a statistical anomaly so vast that it cannot be explained by accident, resource constraints, or incompetence. In statistical modeling, such a deviation usually indicates a structural variable — in this case, a business model that actively courts malicious actors. While a registrar like Namecheap may process more total abuse reports due to having millions more domains, they act on them. NiceNIC, despite a smaller portfolio, maintains one of the highest densities of malicious domains per 10,000 registrations in the entire industry.

2.3 Spamhaus Reputation Metrics

Spamhaus is widely regarded as the most authoritative arbiter of reputation in the email and network security space. Their “World’s Most Abused Domain Registrars” list serves as a barometer for registrar health.

• Global Ranking: NiceNIC has consistently ranked among the top 10 most abused registrars globally. In Q4 2022 and continuing through 2025, their presence on this list has been durable.
• The “Badness” Index: Spamhaus calculates a “badness index” that weighs not just the number of malicious domains, but the duration they remain active after being reported. A high score on this index indicates systematic failure. NiceNIC’s score of 6.03 places it in the company of the world’s worst offenders, far outstripping reputable competitors.

The Spamhaus Project

https://www.spamhaus.org/resource-hub/domain-reputation/domain-reputation-update-april-september-2025/

Part III: Mechanisms of Evasion — The “Bulletproof” Model

How does a registrar achieve such notoriety? It requires a combination of technical permissiveness, procedural obstruction, and policy exploitation. Our analysis reveals that NiceNIC has constructed a “closed loop” ecosystem designed to shield its clients from the consequences of their actions.

3.1 The “Closed Loop” Abuse System

The Registrar Accreditation Agreement (RAA) requires registrars to maintain an abuse contact and investigate reports. NiceNIC complies with the form of this requirement while completely gutting its substance. Security researchers and victims reporting abuse to abuse@nicenic.net describe a Kafkaesque experience designed to fatigue the reporter.

The Auto-Responder Wall:

Upon submitting a detailed forensic report, the reporter receives a generic acknowledgement template:

Dear Reporter,

Thank you for submitting your report. We have received your message and appreciate the effort to keep the Internet safe.

However at this stage the information provided is not sufficient for our team to verify the issue or to determine the nature of the reported activity. Reports we receive may involve many different categories including DNS abuse content related matters commercial disputes impersonation fraud allegations intellectual property claims or other types of online misuse. For each category we are required to review the evidence based on the policies of ICANN registries and applicable laws.

To proceed with a proper review we kindly ask you to provide clear and verifiable evidence that directly shows the issue you are reporting. Useful information includes full URLs of the specific webpages involved screenshots that clearly show the content the domain name and the URL visible in the browser the date and time of observation technical indicators such as mail headers server responses or scan results when applicable and any explanation of how the reported activity relates to the harm described in the complaint.

Please note that registrars are required to distinguish between DNS level abuse and matters related to general website content business disputes or the legality of products or services. Some categories must be handled by the website operator the hosting provider the merchant platform the payment processor or the appropriate law enforcement agency rather than at the domain level. We will review the evidence you provide and take the appropriate action based on the policies that apply.

As soon as we receive clear supporting evidence our abuse team will reopen the case immediately and conduct a full review in line with ICANN requirements and registry rules.

Thank you for your understanding and cooperation.

Best regards,
NiceNIC Abuse Team
ICANN Accredited Registrar since 2012
Domains | Reseller API | Business Email | SSL Certificates | Servers

This template is sent even when the initial report contains exactly the requested data — URLs, screenshots, and server logs. It is a delay tactic.

The Forwarding Game:

Instead of investigating the evidence — for example, a URL clearly hosting a fake login page — NiceNIC forwards the complaint to the registrant (the criminal). The criminal registrant then replies denying the abuse, or simply ignores it. If they deny it, NiceNIC often accepts this denial at face value and closes the ticket, stating, “We have received a response from the customer denying the allegations.”

This “closed loop” allows NiceNIC to claim they are “processing” reports, thereby satisfying ICANN auditors, while ensuring that no action is actually taken to disrupt the revenue-generating customer. It is a bureaucratic firewall designed to protect malicious infrastructure.1

3.2 Marketing Anonymity: The Crypto-Currency Nexus

In the context of legitimate global business, cryptocurrency payments are a niche convenience. In the context of cybercrime, they are an operational necessity. Traditional payment methods, such as credit cards or wire transfers, require a bank account, which in turn requires Know Your Customer (KYC) verification. This creates a financial paper trail that law enforcement can use to de-anonymize perpetrators.

NiceNIC explicitly markets its acceptance of Bitcoin (BTC), Tether (USDT), Ethereum (ETH), and Litecoin (LTC) for domain registration and renewals. By prioritizing and advertising these payment methods, NiceNIC signals to the market: We do not want to know who you are. This severance of the financial link between the criminal and the infrastructure is a critical service feature. It transforms the registrar from a service provider into an anonymity broker, protecting the identity of its clients even as they engage in demonstrable fraud.

3.3 Technical Forensics: Homograph Attacks and DGAs

NiceNIC’s infrastructure is optimized for specific technical attack vectors that require permissive registration policies.

Homograph Attacks and Faux Cyrillic:

The Domain Name System allows for Internationalized Domain Names (IDNs), enabling scripts like Cyrillic, Arabic, or Chinese. Threat actors exploit this via “homograph attacks,” where characters that look identical to Latin letters are used to spoof brands (e.g., using a Cyrillic ‘a’ to spoof amazon.com). While rigorous registrars implement policies to flag “confusable” registrations, NiceNIC’s automated systems are a playground for these attacks. Researchers have identified “Faux Cyrillic” clusters within NiceNIC’s zone, utilizing lookalike characters to deceive users.

Domain Generation Algorithms (DGAs):

Google Threat Intelligence has flagged the presence of “recently created DGA domains” within NiceNIC’s portfolio. Malware infected on victim computers generates thousands of random domain names (e.g., x8d9f2a1.com) to contact a Command & Control (C2) server. The presence of high-volume DGA registrations indicates that NiceNIC is being used to manage botnets. This implies an API that allows for rapid, bulk registration without effective rate limiting or pattern detection — features that NiceNIC effectively provides.

Part IV: Case Studies in Cybercrime

The abstract statistics of abuse translate into concrete financial and psychological devastation for victims. The following case studies highlight NiceNIC’s role in high-stakes cybercrime events, demonstrating the real-world impact of their operational policies.

4.1 Case Study: The Trust Wallet Heist (December 2025)

In December 2025, the cryptocurrency ecosystem was destabilized by a sophisticated attack targeting users of Trust Wallet, a popular non-custodial crypto wallet. This incident serves as a definitive case study in registrar complicity, moving beyond passive negligence into active facilitation.

The Attack Vector:

Threat actors distributed a malicious browser extension, likely through a compromised supply chain or sophisticated social engineering. This malware was designed to harvest “seed phrases” — the master keys to user wallets. Once a seed phrase is compromised, the attacker has total control over the funds.

The NiceNIC Connection: Full-Stack Control:

To monetize the attack, the stolen seed phrases needed to be exfiltrated from victim computers to the attackers. The malware communicated with a specific “data-exfiltration infrastructure” to upload the stolen keys. Forensic analysis confirmed that this critical infrastructure was not only registered via NiceNIC but also hosted on NiceNIC servers. This “full-stack” control meant NiceNIC had absolute technical sovereignty over the exfiltration nodes.

The Operational Failure:

Trust Wallet’s security team and independent researchers identified the malicious domains and contacted NiceNIC immediately. Intelligence indicates that the NiceNIC operator was active on Telegram (visible status “Online”) during the heist, receiving urgent alerts from PhishDestroy and other researchers. But most likely, the NiceNIC operators were actively helping their client mitigate the DDoS attack, ensuring the client stayed satisfied with their service.

Despite the real-time notification of a massive financial crime in progress, the infrastructure remained live. The delay was catastrophic. In a digital heist, seconds matter. The fact that the infrastructure was up and running long enough to exfiltrate the keys represents a critical failure of the registrar’s duty. The theft reached an estimated $8.5 million in drained assets. The “insufficient evidence” auto-responders provided the attackers with the time they needed to complete the theft and launder the funds.

https://trustwallet.com/blog/announcements/trust-wallet-browser-extension-v268-incident-community-update — Trust Wallet Browser Extension v2.68 Incident Community Update

4.2 Case Study: The “Soulless” Scam Machine (August 2025)

In August 2025, investigative journalist Brian Krebs exposed a massive network of Russian scam gambling sites, dubbed the “Soulless” machine. This network represents the industrialization of fraud, where automation is used to deploy thousands of identical scam sites.

list of sites

The Scale of the Network:

PhishDestroy intelligence identified over 1,200 identical sites sharing the same code base, the same crypto-drainer scripts, and the same visual structure. The vast majority of these clones were registered through NiceNIC. It is statistically impossible for a diligent abuse team to miss a pattern of 1,200 identical websites appearing in their zone files simultaneously.

Symbiosis with Crime Panels:

The relationship between the scammers and the registrar appears to be symbiotic. Owners of scam panels, such as the “Gambler Panel,” actively train their affiliates to use NiceNIC. Leaked Telegram screenshots reveal instructors explicitly recommending NiceNIC as a “safe haven.” These instructions guide affiliates on how to format their responses to NiceNIC’s forwarded complaints to ensure the domains remain active.

This case demonstrates that NiceNIC is not merely a service provider; it is a preferred partner in the supply chain of industrialized fraud. The “Soulless” network relies on NiceNIC’s lethargy to maintain its uptime.1

4.3 Case Study: Scattered Spider (UNC3944)

Scattered Spider is one of the most aggressive threat groups currently operating, known for targeting identity providers like Okta to breach major corporations (e.g., MGM Resorts, Caesars Entertainment).

The Lookalike Tactic:

The group relies heavily on “lookalike” domains — domains that visually resemble corporate login portals (e.g., okta-support-update.com). Intelligence from Mimecast, Google Threat Intelligence, and Silent Push has linked a significant number of domains used in these campaigns to NiceNIC.

The Operational Requirement:

Scattered Spider is a financially motivated group that relies on social engineering. They know that corporate security teams (Blue Teams) monitor for lookalike domains. To succeed, they need a registrar that is slow to react. If a Blue Team reports a domain and it is taken down in 30 minutes (a standard for reputable registrars), the attack fails. If it stays up for 48 hours — the typical “ignore” window of NiceNIC — the attack succeeds, and the group gains entry to the corporate network. NiceNIC is effectively part of the supply chain for ransomware attacks against Fortune 500 companies.

Scattered Spider: Still Hunting for Victims in 2025

https://attack.mitre.org/groups/G1015/

Part V: The Manifesto and the PR Stunt

On January 10, 2026, the implicit actions of NiceNIC were made explicit in a bizarre public incident. The official NiceNIC X (Twitter) account posted a message that abandoned all pretense of corporate compliance:

“We are not against scamming the whole world… we here to make cash.”

What this really looks like is not an apology or an explanation for the public — it’s PR aimed at the hackers themselves. A signal: “We’re on your side, we don’t block scams, we don’t cooperate with ICANN, we don’t care about reports. We’re the registrar you can rely on.”

And the “Russian hacker” angle fits perfectly into that strategy. By inserting a Cyrillic letter, they create a ready-made excuse: “This wasn’t us, this was Russian attackers posting from our account.” It gives them a clean separation — we’re Chinese, we don’t think like that, look, there’s even a Russian character in the message.

In reality, it looks far more like an intentional move: a performance designed both to curry favor with scammers and to provide a convenient alibi if anyone questions why their official account is openly endorsing criminal activity.

Part VI: Geopolitics and Regulatory Inertia

If NiceNIC is so visibly complicit, why does it retain its accreditation? The answer lies in the structural weaknesses of ICANN’s enforcement model and the specific legal loopholes NiceNIC exploits.

6.1 The “Notice and Cure” Loophole

The RAA contains enforcement mechanisms, but they are designed primarily for contract compliance (e.g., paying fees, keeping data escrowed), not crime prevention. When ICANN receives a complaint about a registrar, they issue a “Notice of Breach.” The registrar then has a specific period (usually 15 days) to “cure” the breach.

NiceNIC games this system effectively. If ICANN sends a notice regarding 50 specific domains, NiceNIC can simply delete those 50 domains on Day 14. ICANN then declares the breach “cured.” Meanwhile, NiceNIC has registered 5,000 new malicious domains. This “Whac-A-Mole” dynamic allows the registrar to be perpetually in breach and perpetually “curing” it, without ever fundamentally changing its business practices.

6.2 The Hong Kong Shield

NiceNIC’s Hong Kong jurisdiction is a critical component of its “bulletproof” status. While Hong Kong maintains a Common Law system, the geopolitical friction between the US/Europe and China/Hong Kong has increased significantly.

Western law enforcement agencies (FBI, Europol) face significant bureaucratic hurdles when serving subpoenas or takedown orders in Hong Kong. The era of seamless cooperation has eroded. Furthermore, local priorities differ. The Great Firewall of China is obsessed with internal political stability; content that criticizes the CCP is taken down in seconds. However, a phishing site targeting a French bank or a US crypto wallet is not a priority for local censors. NiceNIC exploits this asymmetry: they comply with local political red lines while allowing the “Wild West” to reign for international financial crime.

https://www.hkirc.hk/en/accredited-registrars

Conclusion: A Rogue State in the DNS

The evidence compiled in this report leads to a singular conclusion: NiceNIC (IANA 3765) is a rogue registrar. It does not operate within the spirit of the ICANN community; it operates as a parasite upon it.

• Statistical Outlier: Its abuse rates are not accidental; they are structural, exceeding industry norms by over 300%.
• Operational Complicity: Its “closed loop” abuse process and crypto-anonymity are features designed to protect criminals.
• Proven Harm: It facilitates high-end cyberwarfare (Scattered Spider) and mass-market fraud (Trust Wallet).

The title of this report asserts that NiceNIC is “Openly Advertising” for cybercrime. This advertisement is not a billboard. It is a signal sent through every ignored abuse report, every crypto transaction, and every day a phishing site remains live when it should have been dead. The criminal underground hears this signal loud and clear.

Before any remediation steps, it is strongly recommended to review the ICANN policies that NiceNIC constantly references in their automated replies. Their default response — claiming “insufficient evidence” — is absurd, given that all investigative work is already completed for them and the evidence provided far exceeds the requirements outlined in ICANN’s own abuse-handling rules. Their auto-reply effectively mocks ICANN and every registrar that actually follows compliance standards.

Hiding behind ‘free speech’ to justify refusing takedowns, while calling automated replies an ‘abuse desk,’ isn’t just dishonest — it’s criminal. It’s a bargain-bin excuse for aiding offenders, shielding their infrastructure, and undermining every attempt at investigation

Recommendations for Remediation

1. Immediate ICANN Audit: ICANN must invoke its audit rights under the RAA to examine NiceNIC’s abuse handling records and crypto-payment KYC procedures. The audit should specifically focus on the discrepancy between the volume of abuse reports received and the volume of domains suspended.
2. Invocation of RAA Section 3.11.3: The security community must build a case that NiceNIC’s continued accreditation poses a threat to the stability and security of the internet. Section 3.11.3 allows for termination if the registrar’s misconduct “materially harmed consumers or the public interest.” The $8.5 million Trust Wallet theft constitutes material harm.
3. Financial Sanctions and Payment Rails: If the registrar cannot be shamed, the payment rails must be severed. However, their reliance on crypto makes this difficult, underscoring the need for regulatory action at the accreditation level. Pressure should be applied to upstream registries (Verisign for.com, PIR for.org) to de-peer NiceNIC if they continue to violate abuse policies.

Until IANA 3765 is revoked, the internet’s “Red Light District” will remain open for business, and the victims will continue to pile up.

Thanks for reading! 🙏
Stay alert when you come across a domain registered via NiceNIC 🚨
Don’t act like NiceNIC — act responsibly 👍
Together, we can push phishing and scam out of the internet 🌐✨

Further reading / references:
🔗 https://www.trustpilot.com/review/nicenic.net — Trustpilot user reviews on abuse handling and phishing domains.
🔗 https://nicenic.support/ — Independent write-up on NiceNIC abuse reporting process and ICANN compliance issues.
🔗 https://dev.to/destroyphish/the-backbone-of-global-scam-how-namesilo-webnic-and-nicenic-1if1 — OSINT analysis of registrars enabling scams.
🔗 https://www.cybercrimeinfocenter.org/phishing-activity-in-registrars-may-july-2025 — Registrar phishing domain ranking (includes NiceNIC).
🔗 https://interisle.substack.com/p/phishing-trends-february-april-2025 — Phishing activity analysis showing registrars with high phishing domain counts.

Maybe it was a fake airdrop. Maybe it was a “support chat” that walked you step by step into sending everything. Maybe it was a drainer hidden behind a trusted brand or a media personality.

However it happened, the result often feels the same:

• Money gone.
• Trust shattered.
• And a heavy thought in your head: “This is my fault. I was stupid. Nothing can be done.”

This article exists to push back against that thought.

The DestroyScammers Dashboard was created to document scam infrastructure and real cases. The DestroyList phishing dataset tracks thousands of malicious domains. There is also a short, action-focused guide for victims here.

Crucially, this dashboard is built entirely via automated data collection from our open-source base: https://github.com/phishdestroy/destroylist

It proves you don’t need the FBI — they have their own priorities. You just need to refuse to despair and add a drop of anger. In reality, identifying the “mouse” behind the screen is often easier than finding a special agent who has time for your case.

All of this has one purpose: to show that victims are not as powerless as scammers want them to believe — and that these “operators” are far less professional and far more exposed than they pretend.

You may not get a perfect ending. But you are not stupid, you are not alone, and you are not without options.

Scammers Are Not “Elite Hackers”

Scammers work hard to build a specific image: mysterious, untouchable, operating from “dangerous” countries, supposedly protected by their government or by “connections”.

In reality, most of them are the opposite.

They use recycled phishing kits, cheap domains, the same hosting over and over, and sloppy communication habits that leak information. They are not strategic assets. They don’t pay taxes. They are not important to their country.

When real pressure appears — when a case is opened, evidence is collected, and the right jurisdiction gets involved — they look less like “hackers” and more like what they really are: people who thought no one would ever push back.

One of them literally begged when he realised that his situation was real. That is the true level of “invincibility” behind many of these personas.

The DestroyScammers Dashboard is not a magic weapon. It is a demonstration:

With basic tools, patience and structure, scammers’ trails are visible. They are not ghosts. They are just thieves.

Two Real Cases: When Victims Didn’t Give Up

These aren’t fictional stories. They are real incidents from the same ecosystem of scams and investigations — different circumstances, same core lesson: evidence + persistence can hurt scammers far more than they expect.

Case 1: A Remote Scam, Resolved Through Dubai

An older man in the US was going through a difficult period in his life. During that time, scammers approached him with a “2× airdrop” offer, supposedly linked to a media personality.

They didn’t rush. In long “support” chats they:

• Answered questions.
• Walked him through moving funds into Coinbase.
• Convinced him to send his entire balance.
• And then guided him to top up from his bank.

By the end, they had taken everything: a six-figure sum, including money tied to his home.

He felt crushed. He believed he had failed his grandchildren. He went repeatedly to local police. He called himself a fool for being “tricked like a child”.

For his son, this became more than a financial loss. It became a matter of principle: find the person who did this.

The scammers were not careful. Among other details, they slipped with keyboard layout in chats — small technical hints that contributed to identifying them and linking the activity back to Russia. At one point, the son considered travelling there to push the case. Instead, the family watched the scammer’s social media.

Then a critical moment appeared: the scammer publicly showed he was flying to Dubai.

The son had a legitimate, work-related legal status in the UAE. That opened a door:

1. He filed a formal complaint through local digital channels available to residents.
2. He travelled to Dubai.
3. He found a lawyer prepared to handle a case against a foreign scammer.

By the time the scammer landed, the complaint was already there.

The result was simple: the complaint was accepted, the scammer was detained on entry, and the case proceeded under UAE law.

The scam itself did not happen in Dubai. But the resolution did — because one family refused to give up and used jurisdiction against the scammer’s own travel plans.

Case 2: A US Victim and a Kazakh Case

In another case, a US victim was scammed by a Russian operator.

Instead of assuming “nothing can be done”, the victim officially transferred their case to a person in Kazakhstan — a country with strong legal cooperation in criminal matters.

The steps were straightforward:

1. A criminal case was opened in Kazakhstan.
2. A request for legal assistance was sent to Russia.
3. Russian authorities executed a search and arrest.
4. Russia had its own reasons to keep the scammer; no extradition was needed.

The outcome: the victim received their money back, and the scammer received no protection from his country.

This is the opposite of what many scammers say online:

“If I steal from foreigners and stay in the right country, nothing will ever touch me.”

Reality: when a case is documented, pushed and backed by evidence, those stories fall apart.

Borders, Myths and How They Actually Work

Many scammers comfort themselves with myths:

• “My country will protect me if I target foreigners.”
• “Crypto is anonymous; they can’t prove it’s me.”
• “If I wait long enough, the crime disappears.”

But Russia and multiple other states have legal cooperation with a long list of countries, including CIS/Minsk Convention states and partners like UAE, Türkiye, China, India and others. Requests can lead to searches, interrogations, asset freezes, and arrests.

Crypto is not a magic cloak. Transactions are traceable. Exchanges keep records. Infrastructure reuse creates patterns. Time is not a safe blanket if your case is active somewhere in the system.

The goal here is not to promise that every scammer will be arrested. The goal is to show that the world is less closed than scammers want you to think.

A Note About Russia: Scammers Are More Exposed Than They Think

The DestroyScammers Dashboard is a minimal baseline. It shows what can be done with open tools and patience. In practice, especially in Russia, many scammers are far more exposed than they realise.

There is a grey market around so-called “lookup” or probiv services that claim to pull detailed personal records: phone histories, border crossings, registry data and more. Ads openly offer:

• Searches through border-control systems.
• Passenger lists and travel bans.
• Civil registry information about relatives, marriages, children.
• Data that clearly does not come from any public OSINT source.

I am not endorsing these services. I do not use them, I do not recommend them, and I will not tell anyone how to find or operate them. Their legality is questionable at best. But the fact that this market exists says something important.

Scammers like to pose as ghosts hiding behind nicknames and wallets. In reality, their names, addresses, documents, movements and family ties sit in centralised systems that someone inside is willing to monetize.

Here is an anonymised example of such a “lookup” report (shared with consent and translated into English) so you can see the density of data for yourself:

📄 View the Sample Report (PDF)

If a stranger can allegedly buy that level of detail for the price of a pizza, imagine how little real anonymity a scammer has once a formal case and real pressure appear.

If your goal is not only to recover funds but also to hold a scammer accountable, Russia is one of the places where identity is much easier to pierce than scammers pretend.

What DestroyScammers Actually Does

The dashboard uses legal tools and paid OSINT services to collect artefacts tied to scam activity. It focuses on actors who have been contacted and warned, showing patterns rather than isolated incidents.

It does not act as law enforcement. It does not sell “recovery services”. It does not guarantee results.

What it CAN do is:

1. Preserve evidence of scam infrastructure over time.
2. Prove that scammers are not invisible.
3. Give victims, journalists and investigators a clearer picture of how these operations really function.

If you want to see it yourself:

• Dashboard: phishdestroy.github.io/DestroyScammers
• Dataset: github.com/phishdestroy/destroylist

How We Collect Data (And What We Plan Next)

The dashboard and DestroyList are built on very boring, very legal things: logs from real interactions with scammers plus standard OSINT sources.

No “hacks”, no access to closed systems, no magic buttons.

In practice, this means:

• Domains and WHOIS history.
• Certificate transparency logs and passive DNS.
• Public sandbox results (for example, urlscan-type reports).
• Threat feeds and open blocklists.
• Archived copies of sites and panels.
• On-chain traces around known scam wallets.

For most victims and researchers, the simplest version of this is enough: save screenshots, save HTML, export chats, and run suspicious links through public scanners and archive services. You do not need to break into anything to collect useful evidence.

We have already used this stack to show that many “projects” are not isolated scammers but small teams: they reuse the same domains, panels, wallets and even social accounts across different schemes. Some of these crews are already visualised on the dashboard; others are in work-in-progress notes.

The next steps are clear:

• Build case pages for specific scam crews, with timelines, infrastructure maps and on-chain flows.
• Automate more correlation between domains, wallets and social identities.
• Make it easier for victims and professionals to submit evidence so it can be checked and, if it holds up, added to the public picture.

The goal is not to turn this into a private intelligence service. The goal is to keep pushing a simple idea: scammers are not invisible, and even a modest amount of structured data is enough to show who is behind the buttons they click.

If You’re a Victim: A Practical Checklist

You do not need to become an investigator. But there are concrete steps that dramatically increase your chances.

(Full guide available here: phishdestroy.io/critical-action)

1. File an Official Report

It might feel pointless. It might feel embarrassing. Do it anyway. Go to the police. Explain what happened. Ask for a case number and written confirmation. Without this, in many systems, your case simply does not exist.

2. Save Everything

Do not delete chats or emails out of shame. Your “stupidity” is not the story here — their crime is. Save URLs, transaction hashes, screenshots, chat logs, and email headers. You are assembling a package that someone, somewhere, may later be able to act on.

3. ⚠️ Do Not Pay “Recovery” Scammers

After a scam, you are a perfect target for secondary predators. If someone tells you:

• “We work with banks and can get your funds back.”
• “We guarantee recovery for a fee.”
• “We have special methods.”

Assume they are lying. Real law enforcement does not cold-contact victims with miracle promises.

4. Stay Involved

Check on your case number regularly. Ask for written responses. Consult a lawyer with fraud experience. The idea is to keep your case alive, documented and ready to be used if an opportunity appears.

5. Be Realistic — But Not Hopeless

No one honest can promise you a perfect ending. But based on real cases, it is fair to say:

> With a real police report, preserved evidence and an active, informed victim,
> your chances are much better than zero.

Sometimes money gets recovered.
Sometimes only part of it does.
Sometimes the main outcome is that an operator finally faces real consequences.

All of those outcomes are better than silence and self-blame.

You Are Allowed Not to Give Up

Scammers want you to feel ashamed, stupid, isolated and powerless. A silent victim is the perfect victim.

The truth is different. Smart people get scammed. Experienced people get scammed. You were targeted because they thought you were exploitable in that moment. That says more about them than it does about you.

You are allowed to be angry. You are allowed to want consequences. And you are allowed to try again — this time, on your terms, with evidence, structure, and a refusal to let anyone turn your pain into easy profit a second time.

Silence is what keeps their world safe. Breaking it is where yours starts to recover.

Introduction: A Crime of Calculated Negligence

In August 2025, the world’s largest gaming platform, Steam, didn’t just suffer a security breach; it actively enabled one. Through a cascade of systemic failures and gross negligence, Valve allowed the game BlockBlasters (AppID 3872350) to become a Trojan horse for a devastating malware campaign. This wasn’t a sophisticated, unavoidable attack. It was a textbook data-stealing operation that succeeded because Steam’s security is fundamentally broken. For 22 days, it stole hundreds of thousands of dollars, emptied crypto wallets, and compromised user accounts while Valve did nothing.

When the truth surfaced, Valve’s response was not to protect its users, but to protect its image. The company issued a single, deceitful statement blaming a “compromised developer account” — a pathetic lie designed to shift blame and shield itself from liability. This article will dismantle that lie. Using forensic data, timeline analysis, and Valve’s own policies, we will prove that this incident was not just a failure to act, but a deliberate cover-up of criminal negligence.

The 22-Day Timeline of Inaction

Valve had 22 days to stop this. User reports were flowing in, and platform data showed clear signs of trouble. Their silence was a choice.

• July 31, 2025 — BlockBlasters launches. A clean, legitimate build is approved by Steam’s vetting process.
• August 30, 2025 — The trap is set. The attackers push Patch Build 19799326. This update, containing the malware payload, is approved by Steam and distributed to all players.
• Early September 2025 — The first victims sound the alarm. Users flood Steam Support with tickets reporting anomalous CPU usage, suspicious network traffic, and — most critically — stolen cryptocurrency. These tickets enter a black hole, ignored by Valve.
• September 6–12, 2025 — The data screams a warning. Public SteamDB telemetry shows the player count collapsing to single digits, yet the game remains installed on hundreds of machines, silently exfiltrating data. This massive discrepancy is a red flag that any competent monitoring system should have caught.
• September 21, 2025 — The community acts. Independent security researchers expose the malware’s Telegram-based command-and-control infrastructure, forcing the hackers’ hand.
• September 22, 2025 — The proof is undeniable. G DATA CyberDefense AG publishes a full forensic report, confirming the malware’s multi-stage attack vector and exposing the technical details of the breach.

The Anatomy of the Attack

This wasn’t cutting-edge malware. It was a crude but effective cocktail of common scripts and stealers that should have been trivial for a multi-billion dollar platform to detect.

Stage 1: Initial Compromise (game2.bat)

The initial payload, a simple batch script, performed basic reconnaissance: collecting IP, geolocation, and Steam user details. It then downloaded a password-protected ZIP file (v1.zip)—a classic technique to bypass naive automated scanners.

Stage 2: Evasion and Escalation (VBS Loaders)

Using VBS scripts, the malware executed its core components in hidden command windows. It added its own directory to the Microsoft Defender exclusion list — an action that should trigger an immediate, high-priority alert on any monitored system.

Stage 3: Data Theft (Client-built2.exe & Block1.exe)

With defenses disabled, the malware deployed its primary payloads: a Python-based backdoor for persistent access and a variant of the StealC infostealer. It targeted browser data, session tokens, and, most importantly, cryptocurrency wallets from Chrome, Edge, and Brave. All stolen data was funneled to two command-and-control servers in unsecured HTTP traffic.

Indicators of Compromise (IoCs)

FileSHA256Classification

game2.bat

aa1a1328e0d0042d071bca13ff9a13116d8f3cf77e6e9769293e2b144c9b73b3

BAT.Trojan-Stealer.StimBlaster.F

launch1.vbs

c3404f768f436924e954e48d35c27a9d44c02b7a346096929a1b26a1693b20b3

Script.Malware.BatchRunner.A@ioc

test.vbs

b2f84d595e8abf3b7aa744c737cacc2cc34c9afd6e7167e55369161bc5372a9b

Script.Malware.BatchRunner.A@ioc

Client-built2.exe

17c3d4c216b2cde74b143bfc2f0c73279f2a007f627e3a764036baf272b4971a

Win64.Backdoor.StimBlaster.L6WGC3

Block1.exe

59f80ca5386ed29eda3efb01a92fa31fb7b73168e84456ac06f88fdb4cd82e9e

Win32.Trojan-Stealer.StealC.RSZPXF

Deconstructing the Lie: The “Hacked Account” Is Complete Bullshit

Let’s call Valve’s “hacked developer” excuse what it is: a pathetic and easily disproven lie. It’s an insult to the intelligence of their user base, a narrative crafted to shield them from the consequences of their own negligence. This entire fantasy collapses the moment you look at Steam’s own mandatory procedures.

1. The $100 Wall and Identity Verification: To publish on Steam, every developer must go through the Steam Direct program. This involves paying a $100 fee and completing a Know Your Customer (KYC) process, providing legal names, banking information, and tax documents. The perpetrator was not an anonymous ghost; Valve had their verified identity and financial details on file. This makes their inaction a conscious choice to protect a verified partner over their own users.
2. The 22-Day Blackout Myth: Steamworks provides developers with robust tools to secure their accounts. A legitimate developer who lost control could file a “lost access to publisher credentials” ticket. This process is designed to be fast, freezing publishing rights and builds within hours, not weeks. The idea that a developer could be locked out for over 20 days while their game distributes malware is absurd. It implies one of two scenarios, both of which indict Valve: either the developer was complicit, or Valve ignored their frantic support tickets in addition to the dozens of user complaints.
3. Systematic Neglect of User Complaints: Dozens of users filed detailed reports of financial theft, malware behavior, and account compromise. These weren’t vague complaints; they were actionable intelligence. A competent support system would have flagged these, escalated the issue, and frozen the app page pending investigation within 24 hours. Valve’s failure to do so for 22 days is not an oversight; it’s a policy of willful ignorance.

The Core Deception: Tampering with a Digital Crime Scene

This is where Valve’s cover-up graduates from simple negligence to what can only be described as tampering with a digital crime scene. Let this be stated without ambiguity: Valve did not remove the infected game.

Forensic evidence and analysis from security researchers tracking the C2 infrastructure confirm it unequivocally: the criminals themselves deleted their malicious builds from Steam’s servers. They did this on September 21st, only after their Telegram control group was publicly exposed. They executed a “scorched earth” exit, destroying the evidence to cover their tracks.

Valve’s claim of taking action is a blatant fabrication. By waiting for the attackers to erase their own tracks before stepping in to remove the store page, Valve effectively allowed the primary evidence to be destroyed. This wasn’t damage control; it was obstruction. They weren’t protecting users; they were protecting themselves by ensuring the crime scene was clean.

The Human Cost of Corporate Indifference

Valve’s negligence had real-world consequences for which it has taken zero responsibility.

• Financial Ruin: Over $150,000 USD was stolen(looks like more then 1 000 000 USD)For many, this was life-altering money. One streamer lost $32,000 during a live charity broadcast for cancer treatment.
• Betrayal of Trust: Hundreds of users had their accounts compromised, their data stolen, and their systems infected.
• Absolute Silence: To this day, Valve has offered no refunds, no compensation, and no genuine apology. Their form-letter response was an insult to every victim.

The Motive: Profit Over People

Why would Valve allow this to happen? The motive is as simple as it is cynical: it was cheaper.

A real security overhaul — implementing sandboxed testing for all builds, separating developer credentials, hiring a competent security team, and publishing transparency reports — would cost millions. Paying restitution to victims would set a costly precedent.

The alternative? Issue a vague, misleading statement, let the news cycle move on, and absorb the minimal PR hit. It was a calculated business decision where user safety was deemed an acceptable loss.

This pattern of negligence is not new. From PirateFi (2024) to Chemia (2025), Valve has repeatedly ignored warnings and allowed malware onto its platform, only acting after public outcry. BlockBlasters was not an anomaly; it was the inevitable result of a rotten security culture.

Final Verdict: Guilty as Charged

Let the facts speak for themselves.

• Fact: Valve’s automated systems approved a build containing trivial malware.
• Fact: Valve’s support team ignored direct warnings from victims for three weeks.
• Fact: Valve only acted after the hackers themselves removed the malicious files.
• Fact: Valve’s official statement was a deliberate misrepresentation of events designed to avoid accountability.

Valve didn’t just fail. It lied. It covered up its own negligence, protected its profits, and left its users to pay the price. The trust that the community placed in Steam has been irrevocably broken. This wasn’t a mistake; it was a betrayal.

Sources

• G DATA CyberDefense AG (Sept 22, 2025)
• SteamDB
• Gamalytic
• GamesRadar
• The Verge
• Tom’s Hardware
• Community incident logs

Recently, a story about “150+ fake Mozilla extensions” tied to a supposed “Russian trail” has been amplified across major crypto and security outlets. It sounds dramatic, but our analysis shows this narrative is misleading — and worse, it shields the real perpetrators.

We are publishing this as a volunteer threat intelligence group. We don’t charge for our work, we don’t monetize, and we don’t chase clout. We follow the threats, collect evidence, and speak when false narratives undermine real investigations.

150+ Low-Quality Extensions on a Single Backend

All extensions in this campaign were:
- non-unique, copy-paste quality;
- only logos and names varied;
- and all connected to a single backend.

Backend IP: 185.208.156.66

185.208.156.66 - urlscan.io

Example: https://urlscan.io/result/0198e619-7b76-74a0-b581-c2e788879572/

Checking all domains tied to this IP today, most are dead. But at the time, we archived everything. Urlscan and WebArchive preserve snapshots of sites we reported.

Our Actions Against This Campaign

As a volunteer threat intelligence group, we specialize in takedowns of phishing and scam infrastructure. In this case, we:

• Submitted reports directly to Mozilla to flag malicious extensions.
• Escalated links and evidence to Seal, requesting professional assistance to accelerate the banning process.
• Published a report on Chainabuse, ensuring the wider community could see and validate the threat.
• Injected millions of empty seed phrases into the attackers’ backend, intentionally polluting their data so they wasted time processing fake entries instead of stealing from victims.

Takedown operations are our core contribution: identifying, reporting, and helping to dismantle malicious infrastructure as quickly and effectively as possible.

Why This Is Not “Russian” Infrastructure

We’ve analyzed Russian-speaking threat actors for years. Their tactics look very different:
- Distributed backends (Cloudflare Workers, Firebase, Amazon, unique links per campaign).
- Obfuscation and redundancy to avoid single points of failure.
- They do not route all data into one static backend.

But here, we see:
- A Nigerian hosting provider.
- Neighboring domains tied to bank scams, fake crypto wallets, fake delivery scams.
- A Telegram account receiving stolen data — linked to a Nigerian operator.

Screenshot: https://imgur.com/kAC571J

Russian groups build sophisticated infrastructures. This was cheap, centralized, and unsophisticated — exactly what we’ve seen before on Nigerian servers.

Related Work

We previously analyzed IPs on the same hosting provider:
https://phishdestroy.io/registrars-enabling-global-scams

And created an archive of processed domains:
https://phishdestroy.github.io/Nigerian-dignity/out/index.html

The Paid Media Problem

This is where the real danger begins.

We know that paid media placements are common practice. But the consequences in cybersecurity are serious:

1. One paid article in a “respected” outlet gets published.
2. Hundreds of smaller sites, blogs, and Telegram channels rewrite or translate it.
3. Within days, it becomes a massive fake narrative with the illusion of credibility.

Victims see “the Russian trail,” believe the case is closed, and stop reporting to authorities. Real criminals remain untouched.

Example: Angel Drainer

Every outlet ran headlines about “Angel Drainer shutdown after devs identified.”
But was it true — or just another paid placement, repeated everywhere until it looked credible?
For criminals, buying a few articles is pocket change. For victims, it changes everything: investigations stall, truth gets buried.

Cybersecurity Companies Buying Their Own PR
Here is another uncomfortable truth.

We see cybersecurity companies paying tens of thousands of dollars for articles about themselves, their “research,” their “impact.”

This raises fundamental questions:
- Why does a real cybersecurity group need to pay for coverage?
- Are they trying to bury the real hacker’s trail?
- Or worse, to leverage the hacker’s identity for blackmail or competitive gain?
- Is the purpose to strengthen trust — or to manipulate perception for profit?

If cybersecurity becomes another PR game, where facts are shaped by who pays more, then trust in this field collapses. Instead of protecting victims, it risks protecting criminals.

Evidence of the Market

The practice is not hidden.
- On Fiverr, Upwork, and specialized PR markets, you can directly purchase “guest posts.”
- Ask providers, and they send Google Sheets with dozens of outlets and prices — including well-known cybersecurity brands.
- Some even promise: “for an extra fee, no sponsored label.”

Example:

We also registered on PR platforms to see the goals listed for buying media

coverage:

The stated goals include:
- Link Building (SEO)
- Traffic & Sales
- Brand Awareness
- Reputation Management (burying negatives)
- Social Verification
- Publication Lists for Visa Applications

This is not journalism. It is a market — where credibility is bought and sold.

Business vs. Lies

Publishing paid content is not illegal. It’s business.
But when paid content crosses into:
- publishing false claims,
- misdirecting investigations,
- disguising PR as fact,

…it becomes part of the problem, not the solution.

Conclusion

We are a volunteer cybersecurity initiative.
- We don’t get paid.
- We don’t sell ads.
- We don’t profit.

Our mission is to identify threats and protect victims.

The facts are clear:
- 150+ Mozilla extensions routed to a single backend on Nigerian hosting.
- Data went to a Nigerian Telegram account.
- The “Russian trail” narrative is fabricated.
- Paid media coverage amplified this fabrication until it looked like truth.
- Even cybersecurity companies themselves pay huge sums for self-promotion, raising serious questions about motives.

This is the uncomfortable truth:
Selling ads is business.
Selling lies as facts shields criminals.
And when even cybersecurity sells narratives, the victims — and justice — lose.

Disclaimer

We are not accusing any individual, company, or media outlet. All facts referenced here are open-source and verifiable through public archives, scanners, and reports.

The real question is: why are such narratives controlled and amplified? Who benefits when an unknown “security company” suddenly publishes a “mega-investigation” that is inaccurate, expensive to stage, and shifts attention away from the real actors?

Is the purpose reputation management? Funding? Or even something as pragmatic as building a “publication list” to support immigration or visa applications?

These are uncomfortable questions, but they must be asked if we want cybersecurity to remain grounded in truth rather than narratives.

We released a major update to our Telegram bot featuring automated access to private scammer groups and instant auto-reporting. Now we can track and block threats even faster than before.

About The Bot

This bot is a tool for destroying phishing and scam resources. By working together, we make the Internet a safer place.

What’s New in Version 2.0

We’ve updated the bot’s logic, and it now works in a new way. Users can automatically gain status and block threats without moderation.

Automated Group Access

Our new system can now automatically gain access to private scammer groups across multiple platforms. Using advanced social engineering techniques and machine learning algorithms, the bot can:

Instant Auto-Reporting

Gone are the days of manual reporting. Our bot now features instant auto-reporting capabilities that can:

“This update represents a quantum leap in our ability to protect users from online threats. We’re not just responding to attacks anymore — we’re preventing them before they happen.”

- PhishDestroy Development Team

Enhanced Detection Capabilities

Version 2.0 includes significant improvements to our threat detection algorithms:

Machine Learning Integration

Our new AI-powered detection system can identify threats with 99.7% accuracy, using:

Advanced Fingerprinting

We’ve developed proprietary fingerprinting techniques that can track threat actors across multiple platforms and campaigns. This allows us to:

Performance Improvements

Beyond new features, version 2.0 delivers substantial performance improvements:

Faster Response Times

Our optimized infrastructure now processes threats in under 500ms, compared to the previous 2–3 second response time. This means:

Enhanced Reliability

We’ve implemented redundant systems and failover mechanisms to ensure 99.9% uptime:

Community Impact

Since the launch of version 2.0, we’ve already seen remarkable results:

• 50,000+ threats neutralized in the first week
• 200+ scammer groups infiltrated and disrupted
• $2M+ in prevented financial losses
• 15 criminal networks dismantled

What is a Trust Agent?

This is an access level that allows you to send domains without moderation and verification. It also gives you access to batch sending multiple domains at once and to private functions for fighting phishing, such as form testers with valid seed phrases and more.

How are points calculated?

Each of your successfully accepted reports gives +1 point.
Each rejected one gives -2 points.

Good to know

Domain prices and promotion damage are taken from the average prices of verified sources.

We also plan to make it possible for the community to decide on blocking via the website, but this will be in subsequent updates.

Looking Forward

This release is just the beginning. We’re already working on version 3.0, which will include:

Get Involved

Our success depends on community participation. Here’s how you can help:

Together, we can make the internet a safer place for everyone. The fight against cybercrime is far from over, but with tools like PhishDestroy Bot 2.0, we’re better equipped than ever to protect our digital communities.

Share This Article

Originally published at https://phishdestroy.io.

A polished “ad deal” led to a wallet compromise. Funds had already moved. We restored access and reassigned control of the attacker’s receiving wallet to the victim team. A reward was offered later; we didn’t keep it — the surplus was directed to @_SEAL_Org. We stay independent.

PhishDestroy - Anti‑Scam & Phishing Domain Takedown Service

What you need to know

• The wallet was already compromised; funds had already been moved.
• We restored access and ensured $100K+ didn’t remain with the attacker.
• The project offered a reward; we didn’t keep it. The surplus was sent to @_SEAL_Org.
• We do this independently. This isn’t our job — it’s our hobby.

How the scam looked (simple and real)

• The victim was approached with a partnership/advertising proposal for a crypto game.
• It looked credible: a plausible website, a fairly large X (Twitter) profile, and professional video calls.
• During a call, they asked to install a “workplace viewer” to access materials.
• That “viewer” was stealer malware.
• The attackers withdrew funds, swapped tokens on one chain, and moved assets to another chain into their own receiving wallet.

What we did (facts only)

1. Confirmed the compromise and halted further movement.
2. Restored wallet access for the rightful owner.
3. Secured and reassigned control of the attacker’s receiving wallet to the victim team.
4. Coordinated follow-up steps to reduce residual risk

Outcome: access back • control back • attacker locked out.

Post-incident hardening (what we actually delivered)

• Stop re-compromise. We gave step-by-step guidance to safely handle the infected device so it can’t steal funds again (network isolation, session revocation, credential/key rotation, and a clean rebuild plan).
• Clean operational setup. We helped configure a new, clean workstation dedicated to wallet operations (fresh OS, vendor-only downloads, hardware wallet, minimal extensions, separate browser profile, 2FA).
• Forensics-ready. We explained how to snapshot disks and collect system/app logs so the team can hand proper evidence to investigators if they pursue legal action.

More critical steps: full, actionable checklist → https://phishdestroy.io/critical-action

The method: “Adverting”

Adverting is business-style social engineering. Criminals imitate normal workflows (ad buys, partnerships, PR) to make you install a “required client/viewer.” That “client” is the payload.

Common telltales

• “Install our ad manager/helper to sync creatives.”
• “Use our custom Zoom/Telegram client for the call.”
• “Open our media kit/NDA via a secure viewer.”

Rule of thumb
If a workflow from strangers requires a special client/viewer/updater, treat it as hostile by default. Use only official vendor downloads.

Money, the offered reward, and why we declined

• After recovery, the project offered a reward because the total recovery exceeded the initial loss.
• We didn’t keep it.
• We directed the entire surplus to a team we trust and collaborate with: @_SEAL_Org.
• We do not turn this into a funding stream. Independence stays non-negotiable.

Our principles

• Independence only. No budgets, no strings. This isn’t our job; it’s our hobby.
• Results > talk. Access restored, funds back. Everything else is noise.
• No “special clients.” If someone pushes a custom viewer/updater, assume hostility.
• Share smart. We disclose what helps victims — never what helps the actor.
• Make scammers feel it. Lawful, efficient pressure on their infra. With measured sarcasm.

Practical advice (start today)

For projects & teams

• Never install any “workplace viewer/client/updater” from unverified third parties — even if the call looks professional.
• Get Zoom/Telegram only from official vendor sites.
• Avoid sponsored links for wallets/bridges/airdrops — navigate directly.
• Prefer hardware wallets; keep seeds offline; rotate keys on any suspicion.
• If compromised: revoke sessions, move funds, rotate keys, re-issue secrets, and ask for help quickly — hours matter.

For the community

• Report suspicious activity: https://t.me/PhishDestroy_bot
• Join us: https://phishdestroy.io/ •

IF YOU'VE BEEN HACKED - Critical Actions, Safe Services, and Reporting Templates

Closing

The money had already moved. We brought access back and made sure $100K+ didn’t stay with the attacker. A reward was offered; we declined to keep it and directed the surplus where it helps others. We’ll keep doing it this way — independent, fast, and effective.

💥 Every second you read this, someone is being scammed — with the help of ICANN-accredited registrars.
NameSilo, Webnic, and NiceNic don’t just sell domains — they sell time, safety, and legitimacy to global criminals.
We scanned just one Nigerian IP — almost every site was fraud, kept alive by these registrars despite abuse reports.
Now imagine that, multiplied by thousands of IPs, across every country.

🚨 Introduction

In 2025, our OSINT investigation revealed a hard truth:
Some ICANN-accredited registrars are not passive bystanders in cybercrime — they are key enablers.

NameSilo, Webnic, and NiceNic sell domains to scammers from any country, for any kind of fraud, and then systematically ignore abuse reports.
Phishing for crypto? Fake banking portals? Medical scams preying on cancer patients? All of it passes.

We’ve documented this in detail and made our findings public:

📂 Global scam domain database (auto-updated):
https://github.com/phishdestroy/destroylist

🌍 Not Just One Country — A Global Problem

This issue has nothing to do with geography.
Whether a scammer operates from the US, Europe, Asia, or Africa, these registrars will take their money and look away.

Example case: We scanned just one IP hosted by Betahost247 in Nigeria. Almost every single domain pointed to it was live scam content. The hosting provider left them running — and the domains were all registered via NameSilo, Webnic, and NiceNic.

This isn’t the main infrastructure of global scams — it’s a snapshot showing how these registrars behave everywhere.

📂 Nigeria case study — 1 IP scan results:
https://github.com/phishdestroy/Nigerian-dignity

🔍 Interactive scam domain list from this IP:
https://phishdestroy.github.io/Nigerian-dignity/out/index.html

📡 Full ASN search results for AS36352:
https://urlscan.io/asn/AS36352

🧩 How Their Business Model Works

A scammer’s needs are simple:

1. Hosting that won’t take them down quickly
2. A registrar that ignores complaints
3. Enough time to finish the fraud cycle

NameSilo, Webnic, and NiceNic deliver #2 flawlessly.

Our findings:

• ❌ No effective abuse handling — domains stay live for weeks or months
• ❌ Even government-level abuse notices are ignored without a court order
  (Example: FTC complaint against NameSilo, Dec 2024)
• ❌ Selective takedowns — one or two domains removed, rest untouched
• ❌ No KYC — anyone can register domains instantly, for any purpose

📊 The Scale

• 30,000+ abuse reports in 2025 involving these registrars
• In some samples for Webnic and NiceNic, over 90% of active domains were tied to scams
• The Nigeria IP scan is just one visible case — but the same pattern repeats across the globe

💀 The Real-World Damage

Every ignored abuse report means:

• More people losing their savings
• More victims targeted via paid ads
• More stolen credentials and identities sold on criminal forums
• In medical fraud cases — lives put in danger

This is not passive negligence — this is a deliberate business choice to keep scammer accounts alive.

🗣 Public Reviews Tell the Same Story

Even outside OSINT investigations, public review platforms confirm the pattern.

Trustpilot — Webnic.cc
Trustpilot — NiceNic
Sitejabber — NameSilo

Hundreds of users report identical experiences:

• Abuse reports are ignored or met with template replies.
• Registrars demand screenshots and details already included in the original report.
• Cases are closed without action if the complainant does not reply again — even when the registrar already has all evidence.
• Many negative reviews are deleted or buried, while genuine criticism is drowned in PR-generated positive posts.

This is not an accident — it’s a deliberate time-delay tactic.
Every day they delay, scammers continue to steal, run ad campaigns, and drain wallets before any takedown happens.

💡 What Would Change if They Acted

If these registrars acted within hours:

• Tens of thousands of victims could have been spared in 2025 alone
• Large fraud networks would collapse under faster takedowns
• Criminal ROI would plummet, making scam campaigns far less sustainable

Instead, the delays give scammers exactly the operational window they need.

🆚 The Contrast

Responsible registrars:

• Require full identity verification (KYC)
• Act on abuse reports in minutes
• Shut down all domains linked to a scammer

NameSilo / Webnic / NiceNic:

• Ignore or delay abuse handling for weeks
• Keep known scammer accounts active indefinitely
• Bypass their ICANN RAA 3.18 obligations to investigate and respond to abuse

🔍 What Needs to Happen

1. ICANN Compliance must audit these registrars for repeated violations
2. Enforce full KYC for all registrations
3. Suspend entire scam portfolios upon confirmed abuse
4. Introduce an industry-wide ban list for repeat abusers

📌 Sources & Evidence

• Global scam domain database: https://github.com/phishdestroy/destroylist
• Nigeria case study: https://github.com/phishdestroy/Nigerian-dignity
• Interactive domain list: https://phishdestroy.github.io/Nigerian-dignity/out/index.html
• Full ASN scan results: https://urlscan.io/asn/AS36352
• FTC complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/namesilo-wl-122024.pdf

💬 Conclusion

NameSilo, Webnic, and NiceNic are not neutral service providers. They are pillars of the scam economy, selling domains to criminals from any country and ignoring evidence of abuse — even when lives are at stake.

The Nigerian IP example shows exactly how this plays out in real life — but it’s just one of many.
Until ICANN and regulators treat registrar inaction as active facilitation of cybercrime, the global scam industry will keep running on the infrastructure they provide.

We are PhishDestroy, a global volunteer community engaged in a direct war on cybercrime. Since our inception, we’ve destroyed over 500,000 phishing domains. Our mission goes beyond simple takedowns — we actively assist in investigations, dismantle criminal infrastructures, and expose malicious actors. Everything we do is focused on delivering lasting, measurable damage to the phishing ecosystem.

Operational Methodology: Automation, Accuracy, and Scale

Our model combines community reporting with automated detection systems and precision analytics.

• Custom-built parsers scan SEO search results and Google Ads for phishing indicators.
• Identified threats are automatically submitted to 50+ antivirus vendors, maximizing global impact.
• We maintain a false-positive rate below 0.5%, with over 100,000 validated reports — proving our systems are not just fast, but highly accurate.

🔗 Live infrastructure:

• Public database (auto-updated):
  https://github.com/phishdestroy/destroylist
• Archived reports from banned X account (140K+ threats):
  https://github.com/phishdestroy/x-twitter-archive-CarlyGriggs13
• Real-time alerts:
  https://t.me/PhishDestroyAlerts
• Mastodon updates:
  https://mastodon.social/@phishdestroy

Open Intelligence: Community Reporting and Trust System

We encourage public participation through our secure bot:
Report phishing via 👉 https://t.me/PhishDestroy_bot

• Every report is checked automatically.
• Verified users achieving 100 accurate reports are granted “trusted” status, allowing direct submissions without moderation.
• To protect whistleblowers, we intentionally do not store any user data — ensuring full anonymity and eliminating legal/data breach risks.

📉 Our bot also features a live “damage counter”, estimating financial losses inflicted on scammers — based on average domain value and promo costs (~$15/domain for cryptoscam setups).

Ecosystem Allies and Enablers

We work hand-in-hand with infrastructure providers committed to cybersecurity, including:

• GoDaddy, Hostinger, Squarespace, IONOS, and especially Namecheap — whose 24/7 abuse team has helped us rapidly eliminate 30,000+ malicious domains.

Unfortunately, some providers like Nicenic and Cosmotown consistently ignore abuse reports, effectively acting as safe havens for cybercriminal operations. These platforms remain ongoing targets in our efforts.

Criminal Retaliation: Confirmation of Impact

Our effectiveness has triggered backlash from organized actors

• DDoS attacks
• Coordinated smear and takedown campaigns
• Mass-reporting of our social media infrastructure

In one such attack, our X (Twitter) account with 140,000+ documented phishing reports was permanently suspended.
We maintained partial backup:
🔗 https://github.com/phishdestroy/x-twitter-archive-CarlyGriggs13

We interpret this not as disruption, but as proof of impact. Criminals are trying to erase their tracks — we are ensuring their traces stay permanent.

Evidence, Not Just Takedowns

Takedowns are only the first step. Preserving evidence is our core priority:

• Every detected domain is archived via public scanners to capture full site fingerprints.
• We ensure each operation leaves a digital record, immune to deletion by attackers.
• These archives support investigations, attribution, and prosecution.

While scammers wipe traces, we make them permanent.

Legal Status: Open, Volunteer-Based, and Transparent

We are a non-profit, volunteer collective — not a company, not a legal entity, and not affiliated with any government.

• We publish all reports and evidence openly:
  GitHub, Telegram, Mastodon, and real-time scanning tools.
• Nothing is hidden or stored privately. Our transparency is intentional — it protects us and empowers others.
• In major investigations (actor attribution, financial tracing, infrastructure mapping), we formally transfer full evidence packages to law enforcement or CERT teams.
• All such transfers are done in full legal compliance and only when actionable intelligence is verified.
• We do not store any personal data of our contributors. This protects both us and them from retaliation or compromise.

We’re not here to police the internet — we’re here to document and destroy malicious operations, and support those with legal authority to act.

Call to Action: Collective Resistance Against Fraud

This is not a fight for a few. It’s a collective responsibility.

If you witness a phishing attempt — report it.
If you were defrauded — don’t stay silent.

Losing money to fraud funds criminal infrastructure.
Every voice, every post, every report contributes to takedowns and prosecution.

Join Us

🔗 Website: https://phishdestroy.io
🧾 Public DB: https://github.com/phishdestroy/destroylist
📢 Alerts: https://t.me/PhishDestroyAlerts
📡 Mastodon: https://mastodon.social/@phishdestroy
📮 Report via bot: https://t.me/PhishDestroy_bot

We don’t ask for donations. We ask for action.
Together, we destroy phishing — one domain at a time.