Forem: PhishDestroy

xmrwallet.com Scam: How NameSilo Became the Press Secretary for a $2M Monero Theft Operation

PhishDestroy — Mon, 16 Mar 2026 17:20:37 +0000

xmrwallet.com has been stealing Monero private keys since 2016. Fifteen documented victims. $2M+ estimated stolen. Six security vendors on VirusTotal flag it as malicious — including Fortinet ("Phishing"). Three registrars suspended the operator's domains within days.

The fourth registrar — NameSilo — contacted the scammer, accepted his story, and published a public defense calling him "the victim."

This is the technical breakdown of how the theft works, why NameSilo's response is provably false, and why their "abuse review" is either incompetent or complicit.

Full investigation by PhishDestroy Research — Evidence page · GitHub repo · Medium article

NameSilo's Public Response — Verbatim

"Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago (during which a copy of the webpage was replaced with a crypto-drainer). Prior to that, we had received no abuse reports related to this domain. After an extensive investigation, our team found evidence of the compromise not involving the registrant, and they immediately took steps to reverse it. The registrant is also working to get the website delisted from VT reports."

Seven claims. All provably false. Let's go through the technical evidence.

Technical Analysis: The Theft is the Application

NameSilo claims the domain was "compromised" — that someone hacked the site and injected a crypto-drainer. This is technically impossible. The theft mechanism is the core architecture of the application.

Private Key Exfiltration via `session_key`

Every login POSTs credentials to /auth.php:

POST https://www.xmrwallet.com/auth.php
address = 46EkQdF7iQ4i4Ah935SipgXbDSryh5yv76UnhsPXTaUYegCMJPqDN88...
viewkey = efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800

The server returns a session_key — not a random token, but the victim's credentials in Base64:

session_key = [blob]:[base64(address)]:[base64(viewkey)]

Decode it yourself:

import base64

encoded = "ZWZiYTEzZWNiOGIzNjA2NjBhM2RjYWFmYWY3Y2Y5OTE0OTcxM2QwNjRiOWQ2NDk5N2IyNDU0ZDU4ZWU2NzgwMA=="
print(base64.b64decode(encoded).decode())
# efba13ecb8b360660a3dcaafaf7cf99149713d064b9d64997b2454d58ee67800
# ^^^ real private view key from live capture

This session_key is re-transmitted on every API call — 40+ times per session:

Endpoint	View key transmissions
`/getheightsync.php`	12
`/gettransactions.php`	10
`/getbalance.php`	6
`/dashboard.html`	4
`/send.html`	3
`/receive.html`	3
`/getsubaddresses.php`	1
`/getoutputs.php`	1
Total	40+

Full capture data: PhishDestroy evidence page — 109 HTTP requests documented (50 POST, 59 GET).

Transaction Hijacking: `raw = 0`

raw_tx_and_hash.raw = 0    // client TX discarded — never broadcast

if (type == 'swept') {     // custom theft marker — NOT in Monero protocol
    txid = 'Unknown transaction id'
}

The client builds a valid Monero transaction, then discards it. The server constructs its own transaction and redirects funds to any address. The swept type does not exist in the Monero protocol — it's a custom flag for server-initiated theft.

Hardcoded Backdoor

POST /support_login.html
session_id = 8de50123dab32

Not user-initiated. Hardcoded session ID. Endpoint not present in the public GitHub repository. Documented in cached Issue #35.

Google Trackers in a "Privacy" Wallet

Service	Requests/session	Risk
Google Tag Manager	12	Can inject arbitrary JS without code deploy
Google Analytics GA4	5	Full session tracking
Google Analytics UA (`UA-116766241-1`)	3	Page views, user agent
DoubleClick (ad network)	1	Ad tracker in a financial tool

No legitimate Monero wallet loads GTM. Not Monero GUI, not Feather Wallet, not Cake Wallet, not Monerujo. Zero trackers across the industry.

A hacker didn't build 8 PHP endpoints, a Base64 key exfiltration protocol, a transaction hijacking mechanism, a hardcoded backdoor, and integrate Google Tag Manager — as part of a "compromise." This is a product built over years.

The 5.3-Year Commit Gap Destroys the "Hack" Narrative

2018-05-10  First release          ← looks open-source
2018-11-06  "Bulletproof Update"   ← last real commit

            5.3 YEARS — ZERO COMMITS

2024-03-15  "2024 updates"         ← sanitized dump, PHP backend excluded

The production site uses parameters that do not exist in the public GitHub code: session_key, verification, encrypted data, /support_login.html. The Wayback Machine confirms: no session_key in 2023 archives. Present in 2025.

A "compromise a few months ago" does not create a 5.3-year code divergence.

"No Prior Abuse Reports" — A 5-Second VirusTotal Search Proves Otherwise

NameSilo claims zero reports existed before 2026. Here's what was publicly available:

Source	Finding	Predates 2026?
VirusTotal	6/93 vendors: Fortinet (Phishing), Webroot, ADMINUSLabs, CyRadar, Lionic, Seclookup (all Malicious)	✅ Automated, continuous
URLQuery	Domain flagged in automated analysis	✅
ScamAdviser	Very low trust score, registrar flagged for fraud	✅
Trustpilot	Multiple theft reports: $200, 17.44 XMR, funds redirected	✅ Years of reports
Sitejabber	590 XMR ($177K) stolen, 20 XMR stolen, rating 1.5/5	✅
BitcoinTalk	Warning thread: "[WARNING] XMRWallet.com Scams"	✅
Reddit r/Monero	Operator u/WiseSolution banned	✅ Since 2018

Searching xmrwallet.com on VirusTotal: 5 seconds. Googling "xmrwallet.com scam": first page is all warnings. Checking Trustpilot: one click.

NameSilo's "in-depth review" didn't include any of this. Or it did — and they're lying.

An "Open-Source Client-Side Wallet" on Bulletproof Hosting

Here's what NameSilo's abuse team apparently found normal:

Component	xmrwallet.com	Legitimate wallets
Hosting	IQWeb FZ-LLC, Belize — bulletproof, $550/mo	GitHub Pages (free) / Cloudflare
CDN	DDoS-Guard, Russia — anti-takedown	Cloudflare / none needed
DNS	ns1/ns2.ddos-guard.net	Standard NS
Monthly cost	$550+	$0
Purpose	"Client-side, runs in browser"	Client-side, runs in browser

If the code runs client-side, the server processes nothing. GitHub Pages costs $0. Why does a "free volunteer project" pay $550/month for offshore bulletproof hosting behind a Russian anti-DDoS service known for hosting criminal infrastructure?

Because the code on GitHub is not the code on the server. The GitHub repository is an alibi.

We sincerely hope NameSilo's legal department is sharper than their abuse department — because legal will be the ones answering questions about this.

Three Registrars Acted. NameSilo Became the Scammer's Lawyer.

Same evidence. Same technical analysis. Same VirusTotal detections. Four registrars. Three results:

Registrar	Domain	Evidence	Action
PublicDomainRegistry	xmrwallet.cc	Same MX, WOT token `8a5554c915e3c17278a7`, 23 VT file hashes	SUSPENDED
WebNic	xmrwallet.biz	Same AS59692, same DNS, same WOT token	SUSPENDED
NICENIC International	xmrwallet.net	Same IP as suspended .biz (`190.115.31.40`)	DNS DEAD
NameSilo	xmrwallet.com	All of the above + 6 VT vendors + 15 victims + full technical audit	"The registrant is the victim"

Three companies — India, Malaysia, China — independently concluded: fraud. One company — NameSilo, USA — concluded: the scammer is the victim, let's help him remove the warnings.

The Escape Domain Panic

The operator registered 4 escape domains across 4 registrars — before the investigation was published:

Feb 4   xmrwallet.cc registered  (8yr prepaid)    ← before publication
Feb 9   xmrwallet.biz registered (5yr prepaid)    ← before publication
Feb 13  Issue #35 published — TX hijacking exposed
Feb 18  Issue #36 published — 43 viewkey transmissions captured
Feb 23  .cc SUSPENDED · .biz SUSPENDED · operator DELETES Issues #35+#36
Feb 26  xmrwallet.net registered (10yr, same IP as .biz)
        xmrwallet.me registered  (10yr, same IP as .cc)
Mar 8   xmrwallet.net DNS DEAD

23 years of prepaid registrations burned. 3/4 escape domains neutralized. Same NS (ddos-guard.net), same MX (privateemail.com), same WOT token — one operator, five domains.

Does NameSilo believe "compromised" website owners register escape domains across 4 registrars, prepaid for decades, before the investigation is published?

"The Registrant Is Working to Get Delisted from VT"

The most damning sentence in NameSilo's response.

Fortinet — Fortune 500, $4.4B revenue, 700,000+ protected organizations — classified xmrwallet.com as "Phishing."

The operator's response: not remove the phishing code — but lobby VirusTotal to remove the detection.

And NameSilo presents this as progress.

A legitimate hacked site owner would welcome VT detections — it validates the threat. This operator wants warnings gone while the theft code remains in production. NameSilo is helping a flagged phishing domain suppress security alerts.

The Operator

Nathalie Roy, Canada. GitHub: nathroy (ID: 39167759). Reddit: u/WiseSolution — banned from r/Monero (2018). ProtonMail: royn5094@protonmail.com. Self-identified on xmrwallet.com/support.html.

Full operator profile: PhishDestroy analysis.

Claims "funded by donations" — zero donation wallet exists. Pays $550/mo hosting. 50+ paid SEO articles. DDoS-Guard. Android app. 100+ blog posts in 10 languages. Hired a second developer for a captcha system that was defeated in hours.

The Operator's Own Words — Emails to PhishDestroy

After xmrwallet.com was reported, the operator (royn5094@protonmail.com) emailed PhishDestroy directly. Four emails over 7 days. Zero technical rebuttals. And one sentence that reveals everything about the relationship between the operator and NameSilo.

Feb 16 — "We don't store keys"

"We are an open source crypto wallet that is non-custodial, we don't store seeds or keys, everything is done in your browser locally. Please remove your report on us, thank you. N.R."

The same day, PhishDestroy responded with a full technical breakdown: raw_tx_and_hash.raw = 0 (client transaction discarded), session_key containing the victim's private view key in Base64, type == 'swept' (custom theft marker absent from Monero protocol), production-only parameters not in the public GitHub repository. The operator never addressed a single finding.

Feb 17 — Two emails in one day. Panic.

"This is the data we need to offer the service to users. This is not grounds for a domain suspension."

Yesterday: "we don't store keys." Today: "this is the data we need." Two mutually exclusive statements in 24 hours.

"You are accusing without proof. The way the website was built does not verify anything was stolen, so I'm not sure what you're going to waste your time on. If this is a legal matter, feel free to subpoena the domain registrar for my information to submit a complaint in the courts."

Now read that last sentence again: "Feel free to subpoena the domain registrar."

This was written on Feb 17 — before we contacted NameSilo, before the abuse report was filed, and before NameSilo published their "compromise" cover story. At this point, nobody knew how NameSilo would respond.

And yet the operator is not worried. Not even slightly. A scammer running a phishing operation on bulletproof hosting behind DDoS-Guard should be terrified of a registrar investigation. But this operator actively directs us toward the registrar, as if confident NameSilo will take his side.

No scammer in history has ever said "please involve my registrar" — unless they already know the outcome.

Why was the operator so confident? Does the operator have a relationship with someone at NameSilo — a friend in support, a remote contractor, a connection that guarantees protection? We don't know. But the sequence speaks for itself:

Feb 17 — operator says "subpoena the registrar" with zero concern.
Feb 23 — three other registrars suspend his domains immediately.
NameSilo — the one registrar the operator pointed us toward — not only refuses to act, but publishes a defense calling him "the victim" and helps him remove VirusTotal warnings.

The operator predicted NameSilo's response before it happened. That's either the luckiest guess in the history of cybercrime — or the operator knew something we didn't.

Feb 18 — PhishDestroy responds with evidence and a warning.

Feb 23 — Domains suspended. Operator panics.

The same day xmrwallet.cc and xmrwallet.biz were SUSPENDED:

"I've communicated with my lawyer and you'll hear from them directly soon for harassment, spamming and brand reputation damage. We've hired a private investigator to find your information to file the case."

"You can literally look up Trezor, Ledger or any other major wallet, they all have complaints about stolen funds. Every single one of them. They also get their view keys to service users, that's how it works."

Trezor and Ledger are hardware wallets. They do not collect private view keys server-side. They don't have PHP backends. They don't transmit session_key to a server 40 times per session. The operator either doesn't understand cryptocurrency wallets — or is counting on the reader not understanding them.

Four emails. Zero explanations for session_key, raw = 0, swept, or the 5.3-year GitHub divergence. From "please remove your report" to "my lawyer" in 7 days. The lawyer has not materialized in 4 weeks.

But here's the detail that destroys NameSilo's entire "compromise" narrative:

In all four emails (Feb 16–23), the operator speaks in first person — "we are an open source wallet," "this is how the website is run," "this is the data we need." The operator defends the code, the architecture, the data collection — as their own work.

Not once does the operator mention any hack, compromise, or unauthorized access.

On Feb 16–17, the operator told us: "this is how the website is run." Weeks later, NameSilo told the public: "the domain was compromised." These two statements cannot both be true.

The "compromise" story didn't exist until NameSilo contacted the operator and needed an explanation to close the case. The operator's own emails — written before the cover story was needed — prove the "hack" narrative was fabricated after the fact.

NameSilo received the same evidence — and the same operator emails. They chose the cover story over the evidence. They called this person "the victim."

NameSilo's Liability

Before their response: negligence. After: complicity.

NameSilo contacted the operator, accepted his story, publicly declared him innocent, revealed they're helping him remove VirusTotal detections, and shifted burden of proof to the reporters.

Under ICANN RAA Section 3.18, registrars must investigate and respond appropriately to abuse. Does "appropriately" include writing a public defense of the accused?

Every dollar stolen after NameSilo's statement was stolen by an operator NameSilo publicly cleared. If you vouch for the thief — you share his bill. Victims should contact NameSilo directly: support@namesilo.com / abuse@namesilo.com.

Documented Victims

Amount	Source	Quote
590 XMR (~$177K)	Sitejabber	"I do deposit 590 monero 2 day gone and they steal it!"
17.44 XMR	Trustpilot	"My 17.44 XMR was all gone. I have both the TxID & TX Key."
20 XMR	Sitejabber	"Put 20 xmr next day 0 xmr"
$200	Trustpilot	"They stole $200 from me, leaving me high and dry"
Unknown	Trustpilot	"Transferred to some other wallets instead of mine"
Unknown	Trustpilot	"UNABLE TO ACCESS MY FUNDS"

Conservative estimate: $1.5M–$15M+ over 8 years. The operator responds to every victim: "You used a phishing clone."

Take Action

Report xmrwallet.com:

Google Safe Browsing — blocks in Chrome, Firefox, Safari
Netcraft — used by ISPs globally
PhishTank — community blocklist
Phish.Report — auto-reports to 6+ platforms
APWG — Anti-Phishing Working Group

File ICANN complaint against NameSilo: icann.org/complaints

Law enforcement (operator: Canada):
Canadian Anti-Fraud Centre · RCMP · FBI IC3 · Europol

Use safe wallets:
Monero GUI · Feather Wallet · Cake Wallet · Monerujo

Full Evidence Archive

Resource	Link
Full investigation	phishdestroy.github.io/DO-NOT-USE-xmrwallet-com
Deleted evidence archive	deleted.html
Issue #35 cached	cache-issue35
Issue #36 cached	cache-issue36
VirusTotal	virustotal.com
URLQuery	urlquery.net
ScamAdviser	scamadviser.com
BitcoinTalk warning	bitcointalk.org
Scam exposure	article
Operator profile	article
Captcha defeated	article
Safe alternatives	article
Medium article	phishdestroy.medium.com
GitHub repository	github.com/phishdestroy
PhishDestroy blocklist	destroylist — 70,000+ domains

NameSilo didn't ignore the evidence. They read it, contacted the scammer, believed him, declared him innocent, and are helping him suppress VirusTotal warnings. That's not negligence. That's a partnership.

Three registrars protected users. NameSilo protected the scammer — and put it in writing. Their statement will be Exhibit A in every filing from this point forward.

If you vouch for the thief, you share his bill.

PhishDestroy Research · Telegram · Twitter/X · Bot · API

Based on public evidence, live network captures, OSINT, and NameSilo's own verbatim public statement. No unauthorized access. All findings independently reproducible. Originally published on Medium.

How One Registrar Became Cybercrime's Best Friend

PhishDestroy — Sun, 01 Feb 2026 15:24:04 +0000

We report malicious domains daily. Most registrars take action within hours.

NiceNIC? Complete silence.

So we did what any security researcher would do — we investigated.

🔍 What we found

After months of research, blockchain analysis, and OSINT work:

52,847    malicious domains
$1.2B+    crypto fraud traced
0         abuse reports answered

Phishing kits. Malware droppers. Crypto drainers. Fake pharmacies. All protected by one registrar.

The corporate onion

We peeled back the layers:

Shell companies in Hong Kong
Directors that don't exist
Addresses that lead nowhere
Payment trails that vanish into crypto mixers

This isn't negligence. It's a business model.

💀 Why developers should care

That phishing page stealing your users' credentials? Probably hosted on a NiceNIC domain.

That malware dropper targeting your npm packages? Same story.

Bulletproof registrars are infrastructure for attacks on your users.

📢 What needs to happen

ICANN: investigate and accredit responsibly
Registries: stop accepting NiceNIC registrations
Payment processors: follow the money

🔗 Full investigation

We published everything — evidence, blockchain trails, corporate records:

Read the complete report →

If you work in security, share this. The more visibility, the harder it is to ignore.

DNS Abuse Sanctuary: How NiceNIC (IANA 3765) Shields Global Cybercrime

PhishDestroy — Tue, 13 Jan 2026 06:38:51 +0000

"A registrar that costs $10 will let you do whatever you want and will ignore and laugh at any legal request."

The modern internet, often perceived by the lay public as an ethereal cloud of information, is in reality a rigidly structured hierarchy of physical infrastructure, administrative governance, and contractual trust. At the gateway of this digital ecosystem stand domain registrars — the entities authorized by the Internet Corporation for Assigned Names and Numbers (ICANN) to lease the human-readable addresses that serve as the storefronts, communication hubs, and identity cards of the web.

These gatekeepers are bound by the Registrar Accreditation Agreement (RAA) to maintain the stability and security of the Domain Name System (DNS). However, a distinct subset of accredited entities has emerged that weaponizes this agreement, subverting their custodial duties to create safe havens for illicit activity.

This comprehensive investigative report isolates and analyzes the operations of one such entity: NiceNIC International Group Co., Limited (IANA ID 3765).

Headquartered in Hong Kong, NiceNIC has statistically and operationally distinguished itself not through innovation or market dominance, but through an anomalous and sustained concentration of abuse. This dossier, synthesized from proprietary intelligence gathered by the PhishDestroy Threat Intelligence Team, alongside data from the DNS Research Federation (DNSRF), Spamhaus, and the Cybercrime Information Center, establishes that NiceNIC functions as a structural pillar of the modern cybercriminal economy.

🔍 Key Findings

Our investigation reveals a distinct operational pattern that transcends mere negligence. NiceNIC exhibits the characteristics of a "Bulletproof Registrar," characterized by:

Pattern	Description
Marketing of Anonymity	Explicit prioritization of cryptocurrency payments (USDT, BTC) to sever financial audibility
Procedural Obstructionism	"Closed-loop" abuse reporting system designed to obfuscate responsibility and delay mitigation
Geopolitical Arbitrage	Exploitation of jurisdictional friction between Western law enforcement and Hong Kong corporate law
Statistical Dominance in Crime	Phishing domain score 326 times higher than the industry standard

The implications of these findings are severe. By providing "full-stack" protection — acting as both registrar and host for high-profile threat actors like Scattered Spider and the perpetrators of the December 2025 Trust Wallet heist — NiceNIC has effectively positioned itself as an open advertisement for global cybercrime.

Part I: The Infrastructure of Malice and the PhishDestroy Methodology

To understand the gravity of the findings presented in this dossier, it is essential to first establish the methodological rigor applied to the data collection.

1.1 The PhishDestroy Protocol: Precision Intelligence

False-positive statistics are no more than 1–2 per 1,000 valid detections

The intelligence underpinning this report is derived from the PhishDestroy Threat Intelligence Team, an independent analytical platform dedicated to the detection and disruption of malicious infrastructure.

📁 GitHub Destroylist: github.com/phishdestroy/destroylist
🌐 Live Threat Map: phishdestroy.io/live

Our model is fully active and pre-emptive: we aim to eliminate phishing before it causes damage. We operate transparently, maintain a live open database, share data with multiple security systems, and have no profit motive — no donations, no commercial interest, no bias toward or against any registrar. Our only goal is the destruction of phishing.

We run 30+ proprietary parsers that detect threats at the earliest stage through:

Malvertising monitoring
SEO-abuse tracking
Social-media campaign analysis
Typosquatting detection
Community intelligence

Confirmed threats are immediately distributed to 50+ major vendors (Google Safe Browsing, Cloudflare, Microsoft, VirusTotal, etc.) for global remediation.

Key Technical Signatures Monitored

Cryptocurrency Drainers: JavaScript snippets designed to interact with Web3 wallets (MetaMask, Trust Wallet) and execute unauthorized transaction signatures
Phishing Templates: HTML/CSS structures replicating login interfaces of major financial institutions
Malicious JavaScript: Obfuscated code blocks associated with drive-by downloads or credential harvesting

Each report contains a full evidence package:

📧 Complete email
📄 PDF report  
🖼️ Inline screenshot
🔗 Direct-link screenshot
📎 Attached screenshot file

We provide this structure to ensure maximum clarity for the abuse team and to simplify verification based on VirusTotal verdicts and other technical indicators.

Initial Takedown Notice (1st Notice)

The first notification includes: the email, the forensic PDF, all screenshots (inline, link, attached).

Examples:

Escalation Report (2nd Notice)

A repeated notification is sent only when our parsers or repeated user signals confirm that the threat has been detected again and remains active.

Examples:

Part II: The Data of Distrust — Statistical Evidence

Anecdotal evidence of abuse is common across the registrar industry; even giants like GoDaddy or Namecheap host thousands of malicious domains simply due to their immense market share. However, the rate and concentration of abuse distinguish a negligent registrar from a rogue one.

2.1 The League Tables of Internet Neighborhoods

Absolute champions in terms of the amount of malicious infrastructure over several years

The concept of "Internet Neighborhoods" posits that just as physical cities have safe zones and high-crime zones, the internet is divided into TLDs and registrars that are either safe or dangerous.

In the 2024–2025 reporting periods, NiceNIC consistently appeared in the upper echelons of the DNSRF's "League Tables" for abuse. The report highlighted a cluster of high-abuse registrars in the Asia region, specifically identifying NiceNIC as part of an "unsafe neighborhood" comparable to a "lawless Wild West."

2.2 The Phishing Landscape 2025: A Statistical Anomaly

The most damning statistical evidence comes from "The Phishing Landscape 2025" report by the Cybercrime Information Center.

🔗 interisle.net/insights/phishing-landscape-2025

![Phishing Landscape 2025]

Source: cybercrimeinfocenter.org

According to the Phishing Activity Quarter-Over-Quarter (Aug–Oct 2025) report, NiceNIC shows a consistent upward trend in phishing domain volume, while most major registrars are tightening controls and reducing abuse.

Phishing Domain Score Comparison

Registrar	Phishing Domain Score	Status
NiceNIC (IANA 3765)	1,141.74	🔴 Critical Threat
Google / GoDaddy	3.2–3.5	🟢 Industry Standard
Namecheap	~3.5	🟢 Industry Standard

View Full Report

Analysis: NiceNIC's score is approximately 326 times higher than the industry standard. This is a statistical anomaly so vast that it cannot be explained by accident, resource constraints, or incompetence.

2.3 Spamhaus Reputation Metrics

NiceNIC, led by Hugo Julian, is striving to become the best among the worst

Spamhaus is widely regarded as the most authoritative arbiter of reputation in the email and network security space.

Global Ranking: NiceNIC has consistently ranked among the top 10 most abused registrars globally
The "Badness" Index: NiceNIC's score of 6.03 places it in the company of the world's worst offenders

🔗 spamhaus.org/resource-hub/domain-reputation

Part III: Mechanisms of Evasion — The "Bulletproof" Model

How does a registrar achieve such notoriety? It requires a combination of technical permissiveness, procedural obstruction, and policy exploitation.

3.1 The "Closed Loop" Abuse System

The RAA requires registrars to maintain an abuse contact and investigate reports. NiceNIC complies with the form of this requirement while completely gutting its substance.

The Auto-Responder Wall

Upon submitting a detailed forensic report, the reporter receives a generic acknowledgement template:

Dear Reporter,

Thank you for submitting your report. We have received your message 
and appreciate the effort to keep the Internet safe.

However at this stage the information provided is not sufficient for 
our team to verify the issue or to determine the nature of the 
reported activity...

[Standard boilerplate continues...]

Best regards,
NiceNIC Abuse Team
ICANN Accredited Registrar since 2012

This template is sent even when the initial report contains exactly the requested data — URLs, screenshots, and server logs. It is a delay tactic.

The Forwarding Game

Instead of investigating the evidence, NiceNIC forwards the complaint to the registrant (the criminal). The criminal registrant then replies denying the abuse, or simply ignores it. If they deny it, NiceNIC often accepts this denial at face value and closes the ticket.

This "closed loop" allows NiceNIC to claim they are "processing" reports, thereby satisfying ICANN auditors, while ensuring that no action is actually taken.

3.2 Marketing Anonymity: The Crypto-Currency Nexus

NiceNIC explicitly markets its acceptance of Bitcoin (BTC), Tether (USDT), Ethereum (ETH), and Litecoin (LTC) for domain registration and renewals.

By prioritizing and advertising these payment methods, NiceNIC signals to the market:

"We do not want to know who you are."

This severance of the financial link between the criminal and the infrastructure is a critical service feature.

3.3 Technical Forensics: Homograph Attacks and DGAs

NiceNIC's ambition extends beyond phishing — they want to dominate every criminal vector

Homograph Attacks and Faux Cyrillic:
Threat actors exploit IDNs via "homograph attacks," using Cyrillic characters that look identical to Latin letters to spoof brands. NiceNIC's automated systems are a playground for these attacks.

Domain Generation Algorithms (DGAs):
Google Threat Intelligence has flagged the presence of "recently created DGA domains" within NiceNIC's portfolio — indicating botnet management.

Part IV: Case Studies in Cybercrime

4.1 Case Study: The Trust Wallet Heist (December 2025)

NiceNIC openly ignores abuse reports and positions itself as a protector for scammers

In December 2025, the cryptocurrency ecosystem was destabilized by a sophisticated attack targeting users of Trust Wallet.

The Attack Vector

Threat actors distributed a malicious browser extension, designed to harvest "seed phrases" — the master keys to user wallets.

The NiceNIC Connection: Full-Stack Control

SlowMist analysis - domain confirmed

Forensic analysis confirmed that the critical data-exfiltration infrastructure was not only registered via NiceNIC but also hosted on NiceNIC servers. This "full-stack" control meant NiceNIC had absolute technical sovereignty over the exfiltration nodes.

The Operational Failure

Intelligence indicates that the NiceNIC operator was active on Telegram (visible status "Online") during the heist, receiving urgent alerts from PhishDestroy and other researchers.

Despite the real-time notification of a massive financial crime in progress, the infrastructure remained live. The theft reached an estimated $8.5 million in drained assets.

🔗 Trust Wallet Official Statement

4.2 Case Study: The "Soulless" Scam Machine (August 2025)

In August 2025, investigative journalist Brian Krebs exposed a massive network of Russian scam gambling sites.

The Scale

PhishDestroy intelligence identified over 1,200 identical sites sharing the same code base, the same crypto-drainer scripts. The vast majority registered through NiceNIC.

📋 Full list of sites

Symbiosis with Crime Panels

Source: t.me/gambler_tech/39 — Fraudulent Russian group recommends NiceNIC as the "best provider"

Owners of scam panels actively train their affiliates to use NiceNIC. Leaked Telegram screenshots reveal instructors explicitly recommending NiceNIC as a "safe haven."

4.3 Case Study: Scattered Spider (UNC3944)

Scattered Spider: The Supply Chain of Ransomware

Scattered Spider is one of the most aggressive threat groups currently operating, known for targeting identity providers like Okta to breach major corporations (MGM Resorts, Caesars Entertainment).

The Lookalike Tactic

The group relies heavily on "lookalike" domains — domains that visually resemble corporate login portals (e.g., okta-support-update.com). Intelligence from Mimecast, Google Threat Intelligence, and Silent Push has linked a significant number of these domains to NiceNIC.

The Operational Requirement

If a Blue Team reports a domain and it is taken down in 30 minutes (standard for reputable registrars), the attack fails. If it stays up for 48 hours — the typical "ignore" window of NiceNIC — the attack succeeds.

NiceNIC is effectively part of the supply chain for ransomware attacks against Fortune 500 companies.

🔗 Silent Push Report
🔗 MITRE ATT&CK Profile

Part V: The Manifesto and the PR Stunt

On January 10, 2026, the implicit actions of NiceNIC were made explicit in a bizarre public incident. The official NiceNIC X (Twitter) account posted:

"We are not against scamming the whole world… we here to make cash."

They posted it — or someone using their official Twitter account did — and they even managed to include a Cyrillic character (creating plausible deniability: "This wasn't us, this was Russian attackers").

What this really looks like is not an apology or an explanation for the public — it's PR aimed at the hackers themselves. A signal:

"We're on your side, we don't block scams, we don't cooperate with ICANN, we don't care about reports. We're the registrar you can rely on."

Part VI: Geopolitics and Regulatory Inertia

6.1 The "Notice and Cure" Loophole

NiceNIC games the ICANN system effectively. If ICANN sends a notice regarding 50 specific domains, NiceNIC simply deletes those 50 domains on Day 14. ICANN declares the breach "cured." Meanwhile, NiceNIC has registered 5,000 new malicious domains.

This "Whac-A-Mole" dynamic allows the registrar to be perpetually in breach and perpetually "curing" it.

6.2 The Hong Kong Shield

NiceNIC's Hong Kong jurisdiction is a critical component of its "bulletproof" status. Western law enforcement agencies face significant bureaucratic hurdles when serving subpoenas in Hong Kong.

The Great Firewall of China is obsessed with internal political stability; content that criticizes the CCP is taken down in seconds. However, a phishing site targeting a French bank or a US crypto wallet is not a priority for local censors.

NiceNIC exploits this asymmetry.

🔗 HKIRC Accredited Registrars

Conclusion: A Rogue State in the DNS

In the modern ecosystem, no registrar should be willing to protect scam syndicates for $10 per domain

The evidence compiled in this report leads to a singular conclusion: NiceNIC (IANA 3765) is a rogue registrar. It does not operate within the spirit of the ICANN community; it operates as a parasite upon it.

Finding	Evidence
Statistical Outlier	Abuse rates exceed industry norms by over 300%
Operational Complicity	"Closed loop" abuse process and crypto-anonymity protect criminals
Proven Harm	Facilitates high-end cyberwarfare (Scattered Spider) and mass-market fraud (Trust Wallet)

Hiding behind 'free speech' to justify refusing takedowns, while calling automated replies an 'abuse desk,' isn't just dishonest — it's criminal. It's a bargain-bin excuse for aiding offenders, shielding their infrastructure, and undermining every attempt at investigation.

📋 Recommendations for Remediation

Immediate ICANN Audit: ICANN must invoke its audit rights under the RAA to examine NiceNIC's abuse handling records and crypto-payment KYC procedures
Invocation of RAA Section 3.11.3: The security community must build a case that NiceNIC's continued accreditation poses a threat to the stability and security of the internet
Financial Sanctions and Payment Rails: Pressure should be applied to upstream registries (Verisign for .com, PIR for .org) to de-peer NiceNIC

Until IANA 3765 is revoked, the internet's "Red Light District" will remain open for business, and the victims will continue to pile up.

🙏 Thanks for reading!

Stay alert when you come across a domain registered via NiceNIC 🚨
Don't act like NiceNIC — act responsibly 👍
Together, we can push phishing and scam out of the internet 🌐✨

🔗 Further Reading / References

Trustpilot Reviews — User reviews on abuse handling and phishing domains
nicenic.support — Independent write-up on NiceNIC abuse reporting process
dev.to/destroyphish — OSINT analysis of registrars enabling scams
Cybercrime Info Center — Registrar phishing domain ranking
Interisle Phishing Trends — Phishing activity analysis

This report was produced by the PhishDestroy Threat Intelligence Team. We have taken down over 500,000 phishing domains to make the internet safer for everyone.

🕵️‍♂️ DestroyScammers: De-anonymizing Crypto Thieves with Open Source Intelligence

PhishDestroy — Sun, 30 Nov 2025 05:25:19 +0000

TL;DR: Crypto scammers act like jurisdiction doesn’t apply to them. It does. We built the DestroyScammers Dashboard (https://phishdestroy.github.io/DestroyScammers) and the open source DestroyList dataset (https://github.com/phishdestroy/destroylist) to prove it. With automated data collection, passive DNS, CT logs, and basic OSINT, we turn “elite hackers” into ordinary, traceable suspects. This post explains how the stack works and why code beats fear.

“Incident response” that starts with `balance: 0`

For a lot of victims, the story starts like this:

Fake airdrop → sign “just one” transaction
“Support agent” in DMs → asks for seed phrase or wallet export
Drainer script hidden behind a trusted-looking UI

Result is always the same:

Money gone
Trust shattered
Mental loop: > “I was stupid. Nothing can be done. It’s the blockchain — there is no Ctrl+Z.”

This post is a patch for that mindset.

We’re not law enforcement. We don’t have badges or warrants. What we do have is:

GitHub
Automation
OSINT
Time

And surprise: a lot of the time, identifying the “mouse” behind the screen is easier than getting a special agent to pick up your ticket.

The Myth of the “Elite Hacker”

Public image:

Hoodie
Green terminals
“Offshore”
“Non-extradition”
“Connections in high places”

Reality for a big chunk of crypto scam operations:

Recycled phishing kits with minor CSS edits
Cheap domains bought in bulk
Shared hosting / same IP ranges
Terrible OpSec (chat logs, reused usernames, real-life selfies…)

When you start collecting and structuring evidence, they stop looking like hackers and start looking like what they are:

People running stolen code on discount infrastructure, assuming nobody will ever audit them.

The Stack: How DestroyScammers Works

The DestroyScammers ecosystem is boring by design. No magic, no “zero-days”, no access to internal systems. Just systematic use of data that is already public.

Core repo (dataset):

https://github.com/phishdestroy/destroylist

Dashboard (visualization):

https://phishdestroy.github.io/DestroyScammers

1. Passive DNS & WHOIS history

Scammers are lazy. Common patterns:

Same email reused across multiple domains
Real data in historical WHOIS before they enable privacy
Reused name/handle fragments in contact fields

Passive DNS + WHOIS history lets us:

Map how domains move between IP ranges
Cluster related infrastructure
Catch “forgotten” metadata from early registrations

2. Certificate Transparency (CT) logs

We monitor CT logs and regularly see:

SSL certificates issued for phishing domains
Certificate subjects/patterns that match known kits
New domains for an existing scam panel before the campaign goes live

This gives you a pre-attack visibility window: the site is not live yet, but the certificate already exists.

3. Cross-referencing chain data, infra and social

We link:

Wallet addresses (on-chain traces)
Domains / IPs / hosting providers
Social identities and handles reused across platforms

Individually, none of these are magic. Together, they form a graph that is very hard to fully sanitize once you’ve already run a few campaigns.

4. Sandboxes & threat intel feeds

We ingest reports from:

Public sandboxes like https://urlscan.io
Other open threat intelligence feeds

Even a single sandbox run can leak:

C2 endpoints
JavaScript kit URLs
Panel paths
Reused redirectors

We don’t need to breach their servers. We just need to structure the artifacts they already leak into the open web.

Case Study Flow: From Victim to Evidence Package

Here’s the high-level flow of how a victim report turns into a structured case.

Now let’s look at two real-world-style scenarios that illustrate one point:

Borders do not protect you if the evidence package is solid.

Case 1: US → UAE — “The Dubai Exploit”

Victim: elderly US citizen
Loss: six figures
Operators: based in Russia, relaxed, “grey zone” mindset

Their mistakes:

Bad OpSec in chats (keyboard layouts, language mix)
Instagram stories showing off international travel, including Dubai

The victim’s son:

Used his legal status in the UAE
Filed a formal complaint via UAE e-government portals
Ensured that when the scammer landed, there was a legal firewall waiting

Outcome:

Scammer detained in Dubai
Case processed under UAE law
Jurisdiction followed the person, not the blockchain

Case 2: Kazakhstan as a Proxy for Justice

Victim: US
Operator: Russia
Classic prognosis: “Nothing to be done. Different jurisdictions.”

Instead of accepting that, the victim:

Routed the legal process via Kazakhstan

What happened:

A criminal case was opened in Kazakhstan (strong mutual legal assistance treaties)
Formal request sent to Russian authorities
Search and arrest executed on the Russian side
No extradition needed — local prosecution was enough

Takeaway:

Crypto is borderless. So is criminal justice if you route the paperwork like an API request.

The Grey Market Threat Model (“probiv”)

In Russia and parts of the CIS, there is a huge grey market for insider data, often called “probiv”.

This is not OSINT. This is illegal access to:

State databases
Telco systems
Bank systems
Travel records

We do not use or endorse this. But scammers should understand what it means for them.

Data often on sale:

Border crossing history
Flight passenger manifests
Civil registry (marriage, relatives)
Real-time geolocation from telcos

Scammers hide behind Telegram usernames and think they are safe.

In reality:

Their full biography sits in centralized state systems
Access to that data on the black market can cost less than a pizza

If that’s what a random person can buy:

Imagine what a verified investigator can do with a warrant, MLAT, and a well-prepared evidence package.

Anonymity is a UX feeling, not a technical fact.

What the DestroyScammers Dashboard Actually Is

We don’t sell:

“Recovery”
“Guaranteed fund tracing”
“Chargeback for crypto”

Those are usually secondary scams.

We do build an open source intelligence platform focused on crypto scam infrastructure.

Current capabilities:

Visualization
- Graphs of domains, wallets, panels, and social accounts
- Clustering scam “crews” and campaigns
Archiving
- Snapshots of scam sites and chats
- HTTP 404 is irrelevant if we have the HTML, screenshots, and archive.org copies
Aggregation
- Multiple victims, one scam kit → single unified view
- Detecting rebrands, new domains, and “v2” panels

Roadmap:

[ ] Automated timeline generation for specific scam crews
[ ] Stronger Domain ↔ Wallet ↔ Social entity mapping
[ ] Public API for community evidence and intel submissions

Links:

Dashboard: https://phishdestroy.github.io/DestroyScammers
Dataset: https://github.com/phishdestroy/destroylist
Victim Action Guide: https://phishdestroy.io/critical-action

How You Can Use This as a Dev / Researcher

If you’re a developer, security engineer, or researcher, you can:

Use the dataset to build your own detection logic
Correlate our data with your SIEM / alerts
Run your own enrichment (e.g., custom chain analytics)
Automate reporting workflows to relevant jurisdictions

We intentionally keep everything open:

No secret paywalled feeds
No NDAs
No “elite club”

Fork it, break it, improve it.

Conclusion: Structured Rage > Silent Shame

Scammers want victims to feel:

Stupid
Alone
Helpless

Silence is their best security feature.

The counter-strategy is not “vigilante justice”. It’s structured rage:

Save the logs
Dump the HTML
Archive the site
Document the chain transactions
File reports where they actually matter
Use OSINT and automation to keep pressure on the infrastructure

You don’t have to stay “just another victim”.

You can be the edge case that crashes their operation, burns their kit, and makes their next campaign a lot more expensive.

If this resonates:

Star the repo: https://github.com/phishdestroy/destroylist
Play with the dashboard: https://phishdestroy.github.io/DestroyScammers
Fork the data, plug it into your stack, and make crypto a more hostile place for scammers.

$100K+ Returned — Wallet Access Restored (Adverting Case)

PhishDestroy — Sun, 31 Aug 2025 03:48:04 +0000

A polished “ad deal” led to a wallet compromise. Funds had already moved. We restored access and reassigned control of the attacker’s receiving wallet to the victim team. A reward was offered later; we didn’t keep it — the surplus was directed to @_SEAL_Org. We stay independent.

What you need to know

The wallet was already compromised; funds had already been moved.
We restored access and ensured $100K+ didn’t remain with the attacker.
The project offered a reward; we didn’t keep it. The surplus was sent to @_SEAL_Org.
We do this independently. This isn’t our job — it’s our hobby. **

How the scam looked (simple and real)

The victim was approached with a partnership/advertising proposal for a crypto game.
It looked credible: a plausible website, a fairly large X (Twitter) profile, and professional video calls.
During a call, they asked to install a “workplace viewer” to access materials.
That “viewer” was stealer malware.
The attackers withdrew funds, swapped tokens on one chain, and moved
assets to another chain into their own receiving wallet.

What we did (facts only)

Confirmed the compromise and halted further movement.
Restored wallet access for the rightful owner.
Secured and reassigned control of the attacker’s receiving wallet to the victim team.
Coordinated follow-up steps to reduce residual risk

Outcome: access back • control back • attacker locked out.

Post-incident hardening (what we actually delivered)

Stop re-compromise. We gave step-by-step guidance to safely handle the infected device so it can’t steal funds again (network isolation, session revocation, credential/key rotation, and a clean rebuild plan).
Clean operational setup. We helped configure a new, clean workstation dedicated to wallet operations (fresh OS, vendor-only downloads, hardware wallet, minimal extensions, separate browser profile, 2FA).
Forensics-ready. We explained how to snapshot disks and collect system/app logs so the team can hand proper evidence to investigators if they pursue legal action.

More critical steps: full, actionable checklist → https://phishdestroy.io/critical-action

The method: “Adverting”

Adverting is business-style social engineering. Criminals imitate normal workflows (ad buys, partnerships, PR) to make you install a “required client/viewer.” That “client” is the payload.

Adverting stealer method
Common telltales

“Install our ad manager/helper to sync creatives.”
“Use our custom Zoom/Telegram client for the call.”
“Open our media kit/NDA via a secure viewer.”

Rule of thumb

If a workflow from strangers requires a special client/viewer/updater, treat it as hostile by default. Use only official vendor downloads.

Money, the offered reward, and why we declined

After recovery, the project offered a reward because the total recovery exceeded the initial loss.
We didn’t keep it.
We directed the entire surplus to a team we trust and collaborate with: @_SEAL_Org.
We do not turn this into a funding stream. Independence stays non-negotiable.

Our principles

Independence only. No budgets, no strings. This isn’t our job; it’s our hobby.
Results > talk. Access restored, funds back. Everything else is noise.
No “special clients.” If someone pushes a custom viewer/updater, assume hostility.
Share smart. We disclose what helps victims — never what helps the actor.
Make scammers feel it. Lawful, efficient pressure on their infra. With measured sarcasm.

Practical advice (start today)

For projects & teams

Never install any “workplace viewer/client/updater” from unverified third parties — even if the call looks professional.
Get Zoom/Telegram only from official vendor sites.
Avoid sponsored links for wallets/bridges/airdrops — navigate directly.
Prefer hardware wallets; keep seeds offline; rotate keys on any suspicion.
If compromised: revoke sessions, move funds, rotate keys, re-issue secrets, and ask for help quickly — hours matter. For the community

Report suspicious activity: https://t.me/PhishDestroy_bot
Join us: https://phishdestroy.io/ •
IF YOU'VE BEEN HACKED - https://phishdestroy.io/critical-action

Closing

The money had already moved. We brought access back and made sure $100K+ didn’t stay with the attacker. A reward was offered; we declined to keep it and directed the surplus where it helps others. We’ll keep doing it this way — independent, fast, and effective.

The Backbone of Global Scam: How NameSilo, Webnic, and NiceNic

PhishDestroy — Sun, 31 Aug 2025 03:32:53 +0000

Global scam thrives on registrar protection.

💥 Every second you read this, someone is being scammed — with the help of ICANN-accredited registrars.
NameSilo, Webnic, and NiceNic don’t just sell domains — they sell time, safety, and legitimacy to global criminals.
We scanned just one Nigerian IP — almost every site was fraud, kept alive by these registrars despite abuse reports.
Now imagine that, multiplied by thousands of IPs, across every country.

🚨 Introduction

In 2025, our OSINT investigation revealed a hard truth:
Some ICANN-accredited registrars are not passive bystanders in cybercrime — they are key enablers.

NameSilo, Webnic, and NiceNic sell domains to scammers from any country, for any kind of fraud, and then systematically ignore abuse reports.
Phishing for crypto? Fake banking portals? Medical scams preying on cancer patients? All of it passes.

We’ve documented this in detail and made our findings public:

📂 Global scam domain database (auto-updated):
https://github.com/phishdestroy/destroylist

🌍 Not Just One Country — A Global Problem

This issue has nothing to do with geography.
Whether a scammer operates from the US, Europe, Asia, or Africa, these registrars will take their money and look away.

Example case: We scanned just one IP hosted by Betahost247 **in Nigeria. Almost every single domain pointed to it was live scam content. The hosting provider left them running — and the domains were all registered via **NameSilo, Webnic, and NiceNic.

This isn’t the main infrastructure of global scams — it’s a snapshot showing how these registrars behave everywhere.

📂 Nigeria case study — 1 IP scan results:
https://github.com/phishdestroy/Nigerian-dignity

🔍 Interactive scam domain list from this IP:
https://phishdestroy.github.io/Nigerian-dignity/out/index.html

📡 Full ASN search results for AS36352:
https://urlscan.io/asn/AS36352

🧩 How Their Business Model Works

A scammer’s needs are simple:

Hosting that won’t take them down quickly
A registrar that ignores complaints
Enough time to finish the fraud cycle NameSilo, Webnic, and **NiceNic **deliver #2 flawlessly.

Our findings:

❌ No effective abuse handling — domains stay live for weeks or months
❌ Even government-level abuse notices are ignored without a court order
(Example: FTC complaint against NameSilo, Dec 2024)
❌ Selective takedowns — one or two domains removed, rest untouched
❌ No KYC — anyone can register domains instantly, for any purpose

📊 The Scale

30,000+ abuse reports in 2025 involving these registrars
In some samples for Webnic and NiceNic, over 90% of active domains were tied to scams
The Nigeria IP scan is just one visible case — but the same pattern repeats across the globe

💀 The Real-World Damage

Every ignored abuse report means:

More people losing their savings
More victims targeted via paid ads
More stolen credentials and identities sold on criminal forums
In medical fraud cases — lives put in danger This is not passive negligence — this is a deliberate business choice to keep scammer accounts alive.

🗣 Public Reviews Tell the Same Story

Even outside OSINT investigations, public review platforms confirm the pattern.

Trustpilot — Webnic.cc
Trustpilot — NiceNic
Sitejabber — NameSilo

Hundreds of users report identical experiences:

Abuse reports are ignored or met with template replies.
Registrars demand screenshots and details already included in the original report.
Cases are closed without action if the complainant does not reply again — even when the registrar already has all evidence.
Many negative reviews are deleted or buried, while genuine criticism is drowned in PR-generated positive posts.

This is not an accident — it’s a deliberate time-delay tactic.
Every day they delay, scammers continue to steal, run ad campaigns, and drain wallets before any takedown happens.

💡 What Would Change if They Acted

**
If these registrars acted within hours:

Tens of thousands of victims could have been spared in 2025 alone
Large fraud networks would collapse under faster takedowns
Criminal ROI would plummet, making scam campaigns far less sustainable Instead, the delays give scammers exactly the operational window they need.

🆚 The Contrast

Responsible registrars:

Require full identity verification (KYC)
Act on abuse reports in minutes
Shut down all domains linked to a scammer
NameSilo / Webnic / NiceNic:
Ignore or delay abuse handling for weeks
Keep known scammer accounts active indefinitely
Bypass their ICANN RAA 3.18 obligations to investigate and respond to abuse

🔍 What Needs to Happen

ICANN Compliance must audit these registrars for repeated violations
Enforce full KYC for all registrations
Suspend entire scam portfolios upon confirmed abuse
Introduce an industry-wide ban list for repeat abusers **

📌 Sources & Evidence

Global scam domain database: https://github.com/phishdestroy/destroylist
Nigeria case study: https://github.com/phishdestroy/Nigerian-dignity
Interactive domain list: https://phishdestroy.github.io/Nigerian-dignity/out/index.html
Full ASN scan results: https://urlscan.io/asn/AS36352
FTC complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/namesilo-wl-122024.pdf

💬 Conclusion

NameSilo, Webnic, and NiceNic are not neutral service providers. They are pillars of the scam economy, selling domains to criminals from any country and ignoring evidence of abuse — even when lives are at stake.

The Nigerian IP example shows exactly how this plays out in real life — but it’s just one of many.
Until ICANN and regulators treat registrar inaction as active facilitation of cybercrime, the global scam industry will keep running on the infrastructure they provide.

PhishDestroy: A Direct War on Phishing Operations

PhishDestroy — Sun, 31 Aug 2025 03:28:41 +0000

We are PhishDestroy, a global volunteer community engaged in a direct war on cybercrime. Since our inception, we’ve destroyed over 500,000 phishing domains. Our mission goes beyond simple takedowns — we actively assist in investigations, dismantle criminal infrastructures, and expose malicious actors. Everything we do is focused on delivering lasting, measurable damage to the phishing ecosystem.

Operational Methodology: Automation, Accuracy, and Scale
Our model combines community reporting with automated detection systems and precision analytics.

Custom-built parsers scan SEO search results and Google Ads for phishing indicators.
Identified threats are automatically submitted to 50+ antivirus vendors, maximizing global impact.
We maintain a false-positive rate below 0.5%, with over 100,000 validated reports — proving our systems are not just fast, but highly accurate.
🔗 Live infrastructure:
Public database (auto-updated):
https://github.com/phishdestroy/destroylist
Archived reports from banned X account (140K+ threats):
https://github.com/phishdestroy/x-twitter-archive-CarlyGriggs13
Real-time alerts:
https://t.me/PhishDestroyAlerts
Mastodon updates:
https://mastodon.social/@phishdestroy
Open Intelligence: Community Reporting and Trust System
We encourage public participation through our secure bot:
Report phishing via 👉 https://t.me/PhishDestroy_bot

Every report is checked automatically.
Verified users achieving 100 accurate reports are granted “trusted” status, allowing direct submissions without moderation.
To protect whistleblowers, we intentionally do not store any user data — ensuring full anonymity and eliminating legal/data breach risks.
📉 Our bot also features a live “damage counter”, estimating financial losses inflicted on scammers — based on average domain value and promo costs (~$15/domain for cryptoscam setups).

Ecosystem Allies and Enablers
We work hand-in-hand with infrastructure providers committed to cybersecurity, including:

GoDaddy, Hostinger, Squarespace, IONOS, and especially Namecheap — whose 24/7 abuse team has helped us rapidly eliminate 30,000+ malicious domains.
Unfortunately, some providers like Nicenic and Cosmotown consistently ignore abuse reports, effectively acting as safe havens for cybercriminal operations. These platforms remain ongoing targets in our efforts.

Criminal Retaliation: Confirmation of Impact
Our effectiveness has triggered backlash from organized actors

DDoS attacks
Coordinated smear and takedown campaigns
Mass-reporting of our social media infrastructure
In one such attack, our X (Twitter) account with 140,000+ documented phishing reports was permanently suspended.
We maintained partial backup:
🔗 https://github.com/phishdestroy/x-twitter-archive-CarlyGriggs13

We interpret this not as disruption, but as proof of impact. Criminals are trying to erase their tracks — we are ensuring their traces stay permanent.

Evidence, Not Just Takedowns
Takedowns are only the first step. Preserving evidence is our core priority:

Every detected domain is archived via public scanners to capture full site fingerprints.
We ensure each operation leaves a digital record, immune to deletion by attackers.
These archives support investigations, attribution, and prosecution.
While scammers wipe traces, we make them permanent.

Legal Status: Open, Volunteer-Based, and Transparent
We are a non-profit, volunteer collective — not a company, not a legal entity, and not affiliated with any government.

We publish all reports and evidence openly:
GitHub, Telegram, Mastodon, and real-time scanning tools.
Nothing is hidden or stored privately. Our transparency is intentional — it protects us and empowers others.
In major investigations (actor attribution, financial tracing, infrastructure mapping), we formally transfer full evidence packages to law enforcement or CERT teams.
All such transfers are done in full legal compliance and only when actionable intelligence is verified.
We do not store any personal data of our contributors. This protects both us and them from retaliation or compromise.
We’re not here to police the internet — we’re here to document and destroy malicious operations, and support those with legal authority to act.

Call to Action: Collective Resistance Against Fraud
This is not a fight for a few. It’s a collective responsibility.

If you witness a phishing attempt — report it.
If you were defrauded — don’t stay silent.

Losing money to fraud funds criminal infrastructure.
Every voice, every post, every report contributes to takedowns and prosecution.

Join Us
🔗 Website: https://phishdestroy.io
🧾 Public DB: https://github.com/phishdestroy/destroylist
📢 Alerts: https://t.me/PhishDestroyAlerts
📡 Mastodon: https://mastodon.social/@phishdestroy
📮 Report via bot: https://t.me/PhishDestroy_bot

We don’t ask for donations. We ask for action.
Together, we destroy phishing — one domain at a time.