THE ENABLERS REGISTRY · Registrar accountability archive

IANA #1479 Wallet Exposure: The Domain Layer Matters

A reminder that wallet-drainer ecosystems still need domains, and someone still cashes those registration fees.

File 010·Wallet report·6 min read·Editorial mirror

Public record copy. Brand names withheld, public accreditation numbers preserved. If the body below says “we”, that means the original publisher, not this mirror. TER only preserves, redacts, and re-contextualizes.

The End of [REDACTED][.]com: IANA #1479 Lied to Protect a $2M Thief

After 10 years of stealing Monero private keys, the operation is destroyed. Three registrars acted within days. The fourth — IANA #1479 — contacted the scammer, believed his story, and became his press secretary.

March 27, 2026 · THE ENABLERS REGISTRY Research · 12 min read
[REDACTED] Investigation — IANA #1479 Exposed
Investigation overview: The fall of [REDACTED][.]com and IANA #1479's role in protecting the scammer.
Estimated stolen: $2M+
Years active: 10
Registrars suspended: 3/4
IANA #1479 lies proven: 7
Theft PHP endpoints: 8

What [REDACTED][.]com Actually Did

Since 2016, [REDACTED][.]com marketed itself as a free, open-source Monero wallet. Our live network capture on February 18, 2026 proved it was doing something very different: stealing private Monero view keys on every login and hijacking transactions server-side.

Monero view key exfiltration attack — laptop transmitting stolen keys to scammer's server
Screenshot 1 — The theft mechanism: every wallet login transmitted the victim's private Monero view key to the scammer's server via Base64 encoding.
Core Theft Mechanism

Not injected code — the core architecture. A session system across 8 PHP endpoints, transmitting the victim’s private view key 40+ times per session. When users sent XMR, their transaction was silently discarded (raw_tx_and_hash.raw = 0) and replaced with the scammer’s.

User opens wallet → View key exfiltrated (Base64) → TX hijacked server-side → XMR sent to scammer
8 PHP API endpoints used for view key theft — GitHub evidence repository
Screenshot 2 — The 8 PHP endpoints documented in our GitHub evidence repository. Each endpoint participates in the session_key/view_key exfiltration chain.
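
An added example, not taken from the original report or its evidence repository: one way to check a browser capture for your own private view key in the encodings described above (hex, or Base64 of either the hex string or the raw bytes). The key, host and endpoint paths are constructed for the demo; the entry layout (request.url, request.postData.text) follows the standard HAR export.

```python
import base64
import json
from urllib.parse import quote_plus, unquote_plus

VIEW_KEY = "a1b2c3d4" * 8  # constructed 32-byte demo key, not a real one

def key_encodings(view_key_hex):
    """Forms a private view key can take on the wire (padding stripped)."""
    hexed = view_key_hex.lower()
    forms = {
        "hex": hexed,
        "b64(hex)": base64.b64encode(hexed.encode()).decode(),
        "b64(raw)": base64.b64encode(bytes.fromhex(hexed)).decode(),
        "b64url(raw)": base64.urlsafe_b64encode(bytes.fromhex(hexed)).decode(),
    }
    return {name: value.rstrip("=") for name, value in forms.items()}

def find_key_leaks(entries, view_key_hex):
    """Return (url, form) for every captured request that carries the key."""
    forms = key_encodings(view_key_hex)
    hits = []
    for entry in entries:
        req = entry["request"]
        body = (req.get("postData") or {}).get("text", "")
        # Search URL and body as sent and URL-decoded; hex ignores case, Base64 does not.
        hay = " ".join([req["url"], body, unquote_plus(req["url"]), unquote_plus(body)])
        for name, needle in forms.items():
            if needle in (hay.lower() if name == "hex" else hay):
                hits.append((req["url"], name))
                break
    return hits

def sample_capture(view_key_hex):
    """Constructed HAR-style entries; host and paths are hypothetical."""
    b64_hex = base64.b64encode(view_key_hex.encode()).decode()
    b64_raw = base64.b64encode(bytes.fromhex(view_key_hex)).decode()
    def post(path, text):
        return {"request": {"url": "https://wallet.example" + path,
                            "postData": {"text": text}}}
    return [
        post("/api/login.php", json.dumps({"session": b64_hex})),
        post("/api/balance.php", "k=" + quote_plus(b64_raw)),
        post("/api/price.php", json.dumps({"currency": "USD"})),
        {"request": {"url": "https://wallet.example/api/tx.php?vk=" + view_key_hex.upper()}},
    ]

if __name__ == "__main__":
    for url, form in find_key_leaks(sample_capture(VIEW_KEY), VIEW_KEY):
        print(f"{form:12} {url}")
```

For a real browser export, pass the list under log.entries of the HAR file. Substring matching will miss a key that has been wrapped inside a larger encoded or encrypted blob, so a clean result does not prove the key stayed local.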

Six security vendors on VirusTotal flagged it as malicious. Fifteen documented victims across Trustpilot, Sitejabber, and BitcoinTalk. One victim lost 590 XMR (~$177,000) in a single theft.

VirusTotal scan showing 6 of 93 vendors flagging [REDACTED] as malicious including Fortinet Phishing detection
Screenshot 3 — VirusTotal: 6/93 vendors flagged [REDACTED] as malicious. Fortinet classified it as “Possibly phishing.”
ScamAdviser showing [REDACTED] as Very Likely Unsafe with Trust Score 1 out of 100
Screenshot 4 — ScamAdviser: Trust Score 1/100. “Very Likely Unsafe.”

Three Registrars Did Their Job

We filed identical abuse reports with all four registrars hosting [REDACTED] domains. Three acted immediately:

Three locked doors representing suspended registrars and one open door representing IANA #1479's refusal to act
Screenshot 5 — Three registrars locked the doors. IANA #1479 left theirs wide open for the scammer.

IANA #303 · Suspended · India · Days to act
IANA #460 · Suspended · Malaysia · Days to act
IANA #3765 · DNS Dead · China · Weeks to act
IANA #1479 · Refused · USA · Defended scammer

Three countries. Three independent conclusions.

India, Malaysia, China — reviewed the evidence, found fraud, suspended the domains. No questions asked.

IANA #1479 Chose a Different Path

The fourth registrar — [REDACTED] (USA) — hosting the primary domain with the most evidence and most victims — did the opposite. They contacted the scammer, believed his story, and published a public statement defending him:

IANA #1479 public statement on X Twitter defending [REDACTED] operator claiming domain was compromised
Screenshot 6 — IANA #1479's public statement on X (Twitter), March 12, 2026. Every claim in this post was false.
“Our Abuse team conducted an in-depth review into this case and it seems that domain was compromised a few months ago... After an extensive investigation, our team found evidence of the compromise not involving the registrant... The registrant is also working to get the website delisted from VT reports.”

IANA #1479, via X (Twitter)

We analyzed this statement line by line. Every claim was false.

The Operator’s Own Words

Before IANA #1479 intervened, the operator responded directly to our abuse report. His emails confirm awareness and intent:

[REDACTED] operator email response claiming this is not phishing and has been running for 8 years
Screenshot 7 — Operator's response: “This is not possibly phishing, we've been running for over 8 years.”
[REDACTED] operator email response denying theft accusations and defending data collection practices
Screenshot 8 — Operator's second response: “This is the data we need to offer the service.” The “data” was the victim's private view key.

Seven Lies, Exposed

LIE #1: “The domain was compromised”

The theft mechanism is the core architecture — 8 PHP endpoints, Base64 key exfiltration, a 5.3-year GitHub commit gap. This system was built over years, not injected in a hack.

LIE #2: “We had received no prior abuse reports”

Six VirusTotal vendors, Trustpilot complaints going back years, a BitcoinTalk warning thread, the operator banned from r/Monero in 2018. A single Google search would have shown this.

LIE #3: “Not involving the registrant”

The operator registered 4 escape domains across 4 registrars (prepaid 5-10 years each) before the investigation was published. Deleted 21+ GitHub issues. Hired developers for a captcha system. That’s not a victim — that’s an operation.

LIE #4: “They immediately took steps to reverse it”

The theft code was running in production during IANA #1479’s statement. Zero GitHub commits addressing any incident. Nothing was reversed.

LIE #5: “Working to get delisted from VirusTotal”

IANA #1479 praised the scammer for lobbying to remove Fortinet’s “Possibly phishing” detection — without removing the possibly phishing code. That’s not good faith. That’s suppressing security warnings.

LIE #6: “Is the abuse recent?”

Shifting the burden of proof to the reporter so they can close the case. The evidence was in the report. Three peer registrars didn’t need to ask.

LIE #7: “We will re-open the investigation”

“Re-open” implies it was once open. Their investigation consisted of calling the scammer and writing down what he said. That’s not an investigation — that’s dictation.

Infrastructure Evidence

Domain network diagram showing suspended [REDACTED] domains and escape domains registered before investigation
Screenshot 9 — The domain escape network: 4 domains across 4 registrars, all pointing to the same servers. Three neutralized.
URLScan results showing [REDACTED] domains resolving to same IPs across multiple TLDs
Screenshot 10 — URLScan data: all [REDACTED] domains (.com, .cc, .biz, .net, .me, .app) resolving to the same infrastructure.
GitHub evidence repository showing documented theft endpoints and network captures
Screenshot 11 — Our GitHub evidence repository with the complete network capture analysis. 109 requests, 43 view key transmissions documented in a single session.

Timeline: The Fall of [REDACTED]

2016: [REDACTED][.]com begins operation, marketing as “free open-source Monero wallet”
2018: Operator banned from r/Monero. First victim reports appear on Trustpilot
Feb 4, 2026: Escape domain [REDACTED].cc registered (8yr prepaid) — before investigation published
Feb 13, 2026: Issue #35 published — full TX hijacking mechanism exposed
Feb 18, 2026: Issue #36 — live capture: 109 requests, 43 viewkey transmissions in single session
Feb 23, 2026: [REDACTED].cc SUSPENDED (PDR). [REDACTED].biz SUSPENDED (IANA #460). Operator panic-deletes Issues #35 & #36
Feb 26, 2026: More panic: [REDACTED].net and .me registered (10yr prepaid, same IPs as suspended domains)
Mar 8, 2026: [REDACTED].net DNS DEAD (IANA #3765). 3 of 4 escape domains neutralized
Mar 2026: IANA #1479 publishes statement: “The registrant is the victim.” Helps suppress VirusTotal detections
Mar 27, 2026: Formal ICANN complaint filed (RAA Section 3.18). Evidence submitted to law enforcement. This report published.

The Verdict

IANA #1479 didn’t ignore the evidence. They read it, called the scammer, believed him, declared him innocent, and helped suppress security warnings. Then asked the researchers to prove the abuse is “recent.”

That’s not negligence. That’s a partnership.

The domain is down. The scam is over. But the fact that a US registrar chose to publicly fabricate a cover story to shield a $2M crypto thief — that is something that will follow IANA #1479 for a very long time. Their statement will be Exhibit A in every filing from this point forward.

If you vouch for the thief, you share his bill.

This investigation is based on publicly available evidence, live network captures, OSINT, public review platforms, and IANA #1479’s own verbatim public statement. No unauthorized access was performed. All findings are independently reproducible.
