Wallet Investigation: A Mirror Copy For The Easily Offended
A restrained summary of a wallet-linked case file that still somehow manages to look very bad for the adults in the room.
File 011 · Wallet report · 6 min read · Editorial mirror
Public record copy. Brand names withheld, public accreditation numbers preserved. If the body below says “we”, that means the original publisher, not this mirror. TER only preserves, redacts, and re-contextualizes.
Active since 2016 · 40+ key leaks per session · DDoS-Guard protected
Key leaks per session: 40+
Estimated total stolen: $2M-$15M+
GitHub updates since 2018: 0
The Facade
[REDACTED] presents itself as a free, open-source, client-side Monero wallet. No downloads. No registration. Their Terms of Service make a very specific claim:
"All cryptographic operations happen in your browser. The server has no ability to access your private keys."
— [REDACTED] Terms of Service (demonstrably false)
This is a lie. Our forensic analysis — network captures, JavaScript deobfuscation, and production code comparison — proves the exact opposite. Every key entered on [REDACTED] is stolen. Every transaction can be hijacked.
Production vs. GitHub: Total Divergence
The public GitHub repository has not received a single commit since November 2018. The production site runs different code, with request parameters that appear nowhere in the repository.
The domain was registered in 2016 through the registrar with IANA ID 1479 and is prepaid through 2031: fifteen years of registration for a "free volunteer project."
Attack #1: View Key Exfiltration
When you log into [REDACTED], your private view key is Base64-encoded and embedded into a session_key token. This token is then transmitted to the server with every single API request — 40+ times in a single session.
// Decoded example:
// blob: a3f8c2... (session identifier)
// address: 4A1BxN... (your Monero public address)
// viewkey: YOUR PRIVATE VIEW KEY IN PLAINTEXT
Network captures taken with a [REDACTED] WebExtension confirm the token is sent to six distinct API endpoints, 40+ POST requests per session:

API endpoint             Requests / session   Leaks session_key
/api/getheightsync       12                   Yes
/api/gettransactions     10                   Yes
/api/getbalance           6                   Yes
/api/getsubaddresses      4                   Yes
/api/getoutputs           3                   Yes
/api/support_login        1                   Yes
Total                    36
40+ Copies of Your Private Key
A single login session sends your private view key to the server at least 36 times (the captured session above totals 36; a full session runs to 40+). A wallet that really does all cryptographic work in the browser, as the Terms of Service claim, has no reason to send it at all: height syncs are public daemon queries, and a client-side wallet scans for its own outputs locally. (Light-wallet services of the MyMonero/openmonero type do take the private view key so their server can scan the chain on the user's behalf, but they say so openly, and a view key alone cannot spend. This site claims the server has no access to keys whatsoever, and then also rebuilds your transactions, as shown in Attack #2.) Full network capture evidence: [REDACTED] GitHub Issue #36 — View Key Exfiltration Evidence.
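If you want to check your own captures rather than take the issue's word for it, the following is an added example (not code from the investigation or from the wallet) that decodes a captured session_key value and reports whether a Monero private view key is riding inside it. The token layout it builds for itself, Base64 over a JSON object with blob/address/viewkey fields, is an assumption for illustration: the page shows only the decoded field names, not the exact encoding, which is why the detector also scans the raw decoded bytes for any 64-hex-character run.

```javascript
// Added example, not the investigation's or the wallet's code: inspect a captured
// session_key value (e.g. copied from the browser devtools Network tab) and report
// whether a Monero private view key travels inside it in the clear.
// ASSUMPTION: the token is Base64 over a JSON object with blob/address/viewkey
// fields. The page shows only the decoded field names, so the raw-string scan below
// is the part that matters for real captures, whatever the exact encoding is.

const MONERO_ADDR_RE = /\b[48][1-9A-HJ-NP-Za-km-z]{94}\b/; // 95-char base58 standard address
const KEY_HEX_RE = /\b[0-9a-fA-F]{64}\b/;                  // 32-byte key rendered as hex

// Constructed sample data (not real keys or addresses).
const FAKE_ADDR = '4' + 'A1BxN2cDeF'.repeat(9) + 'GhJk';   // 95 chars, valid base58 alphabet
const FAKE_VIEWKEY = 'a3f8c2'.repeat(10) + 'dead';          // 64 hex chars

function base64Decode(s) {
  // Tolerate the URL-safe alphabet and stripped padding, both common in query strings.
  const norm = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = norm + '='.repeat((4 - (norm.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function encodeToken(obj) {
  // Builds a token in the assumed layout so the detector can be exercised offline.
  return Buffer.from(JSON.stringify(obj)).toString('base64');
}

function inspectSessionKey(token) {
  const decoded = base64Decode(token);
  let fields = {};
  try {
    fields = JSON.parse(decoded);
  } catch (e) {
    // Not JSON: fall through and scan the raw decoded bytes instead.
  }
  if (fields === null || typeof fields !== 'object') fields = {};
  // Prefer the named field if present; otherwise any 64-hex run in the payload is
  // treated as key material (this also catches a renamed field).
  const named = typeof fields.viewkey === 'string' && KEY_HEX_RE.test(fields.viewkey)
    ? fields.viewkey : null;
  const scanned = (decoded.match(KEY_HEX_RE) || [null])[0];
  const viewkey = named || scanned;
  const address = (decoded.match(MONERO_ADDR_RE) || [null])[0];
  return {
    leaksKey: viewkey !== null,
    // Report only a prefix: a diagnostic tool should never write the full key to a log.
    viewkeyPrefix: viewkey ? viewkey.slice(0, 8) + '...' : null,
    address,
    fieldNames: Object.keys(fields),
  };
}

// A token in the shape the investigation describes, and an opaque one for contrast.
const LEAKING_TOKEN = encodeToken({ blob: 'a3f8c2e1', address: FAKE_ADDR, viewkey: FAKE_VIEWKEY });
const OPAQUE_TOKEN = encodeToken({ blob: 'a3f8c2e1', sid: '0f9a' });

console.log(inspectSessionKey(LEAKING_TOKEN)); // leaksKey: true
console.log(inspectSessionKey(OPAQUE_TOKEN));  // leaksKey: false
```

Run it under Node against a token you copied from a real request; a legitimate opaque session identifier yields leaksKey: false with no address in the payload, which is the result a wallet claiming client-side-only cryptography should always produce.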
Attack #2: Transaction Hijacking
View key theft lets the attacker watch your wallet. [REDACTED] goes further and takes the funds in real time. The deobfuscated production JavaScript reveals a five-step attack sequence. From the victim's side it looks like this:
Your wallet shows "transaction sent." Your funds arrive at the attacker's address. When you look the transaction up on a block explorer, you get "Unknown transaction id". Transactions the code tags internally as swept are the stolen ones.
Your Transaction Never Existed
raw_tx_and_hash.raw = 0 means the client-built transaction is discarded. The server constructs a completely new transaction with your keys and sends the XMR to the attacker, so the hash the wallet shows you was never broadcast and the "success" message is a lie. Note what this implies: a Monero transaction can only be signed with the private spend key, so whatever reaches the server at login must include spend authority in some form, not only the view key described in Attack #1. Detailed code analysis: [REDACTED] GitHub Issue #35 — Transaction Hijacking Proof.
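The defence against this class of hijack is to never take a wallet's "sent" message as proof. The following is an added example (not code from the investigation or from the wallet) that does two things: it refuses to treat a raw_tx_and_hash object with raw = 0 or a swept tag as a success, and it confirms the reported hash against a monerod that you run yourself, using the public daemon HTTP endpoint /get_transactions (request body {txs_hashes, decode_as_json}; hashes the node does not know come back in missed_tx). The daemon URL and the stub replies are constructed for offline use; pass the real global fetch to query a live node.

```javascript
// Added example, not the investigation's or the wallet's code: check what the wallet
// hands back before believing "transaction sent", then confirm the reported hash
// against a monerod you trust instead of the wallet's own server.
// ASSUMPTIONS: a local monerod on its default RPC port; the stub replies below are
// constructed and mimic the shape of real /get_transactions responses.

const DAEMON_URL = 'http://127.0.0.1:18081'; // assumed local monerod RPC port
const TX_HASH_RE = /^[0-9a-f]{64}$/i;

// The page reports raw_tx_and_hash.raw = 0 on hijacked sends and a "swept" tag on the
// replacement transaction. Either means the client-built transaction is not what went out.
function walletResponseLooksHijacked(rawTxAndHash) {
  if (!rawTxAndHash || typeof rawTxAndHash !== 'object') return true;
  const rawMissing = !rawTxAndHash.raw;        // 0, '', null, undefined
  const swept = Boolean(rawTxAndHash.swept);
  return rawMissing || swept;
}

// Pure classification of a /get_transactions reply, kept separate so it can be
// exercised without a network.
function classifyDaemonReply(txHash, body) {
  if (!body || body.status !== 'OK') {
    return { status: 'daemon_error', txHash, detail: body && body.status };
  }
  // A hash in missed_tx (or absent from txs) is the explorer's "Unknown transaction id" case.
  if ((body.missed_tx || []).includes(txHash)) return { status: 'unknown', txHash };
  const tx = (body.txs || []).find(t => t.tx_hash === txHash);
  if (!tx) return { status: 'unknown', txHash };
  return {
    status: tx.in_pool ? 'in_pool' : 'confirmed',
    txHash,
    blockHeight: tx.in_pool ? null : tx.block_height,
  };
}

async function verifyReportedTx(txHash, fetchImpl = fetch, daemonUrl = DAEMON_URL) {
  if (!TX_HASH_RE.test(txHash)) return { status: 'malformed', txHash };
  const res = await fetchImpl(`${daemonUrl}/get_transactions`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ txs_hashes: [txHash], decode_as_json: true }),
  });
  return classifyDaemonReply(txHash, await res.json());
}

// Stub daemon for offline runs: knows one confirmed hash, reports everything else missed.
const CONFIRMED_HASH = '11'.repeat(32);
const CONFIRMED_REPLY = {
  status: 'OK',
  txs: [{ tx_hash: CONFIRMED_HASH, in_pool: false, block_height: 3000000 }],
  missed_tx: [],
};
function missedReply(h) { return { status: 'OK', txs: [], missed_tx: [h] }; }
function stubFetch(url, opts) {
  const h = JSON.parse(opts.body).txs_hashes[0];
  const body = h === CONFIRMED_HASH ? CONFIRMED_REPLY : missedReply(h);
  return Promise.resolve({ json: () => Promise.resolve(body) });
}

verifyReportedTx(CONFIRMED_HASH, stubFetch).then(r => console.log(r));   // status: confirmed
verifyReportedTx('22'.repeat(32), stubFetch).then(r => console.log(r));  // status: unknown
```

The hash check is the part that matters: a wallet that hijacks sends can forge any success screen it likes, but it cannot make a node you control report a transaction it never broadcast.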
Hidden Production Code
[REDACTED] maintains a public GitHub repository to look legitimate. The repository is a decoy. It hasn't been touched since November 2018. The production site runs entirely different, obfuscated code.
Public GitHub (decoy):
- Last commit: November 2018
- No session_key parameter
- No verification parameter
- No /support_login.html
- No Google Tag Manager
- Clean, auditable code

Production site (what actually runs):
- Actively updated 2024-2026
- session_key carrying the Base64-encoded view key
- verification parameter used as an exfiltration channel
- /support_login.html backdoor
- Remote JavaScript injection through Google Tag Manager
- Obfuscated, unauditable code
The Backdoor & Remote Code Injection
The production site serves /support_login.html, a hidden administrative endpoint that is absent from the GitHub repository. Alongside it, the site loads a Google Tag Manager container. Whatever that container serves runs in the page with the same privileges as the wallet's own code, including access to any key the user has just typed, and the operator can change it at any moment without touching the public repository. Labelled as analytics, it is a remote script-injection channel: an audit of the published source says nothing about the code actually running in the victim's browser.
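A first-pass check for this kind of channel is to list every external script a served page pulls in before typing anything into it. The block below is an added example (not code from the investigation or from the wallet): it scans a page body for script tags, resolves their sources against the site origin, and flags third-party origins and remote tag loaders. The HTML fragment and the site origin are constructed for the example; on a real site, feed it the raw response body of the wallet page. Regex tag scanning is used deliberately so it runs anywhere without a DOM, which is adequate for an audit pass but not a substitute for a full HTML parser.

```javascript
// Added example, not the investigation's or the wallet's code: enumerate the external
// scripts a served page loads and flag the ones a self-described client-side wallet
// should never be pulling in. SAMPLE_HTML and the origin below are constructed.

const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// Hosts whose scripts fetch further, operator-controlled code at runtime.
const TAG_MANAGER_HOSTS = ['googletagmanager.com', 'google-analytics.com'];

function scriptOrigins(html, siteOrigin) {
  const site = new URL(siteOrigin);
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    const url = new URL(m[1], site); // resolves relative and protocol-relative srcs
    const thirdParty = url.origin !== site.origin;
    const remoteTagLoader = TAG_MANAGER_HOSTS.some(
      h => url.hostname === h || url.hostname.endsWith('.' + h)
    );
    findings.push({ src: url.href, thirdParty, remoteTagLoader });
  }
  return findings;
}

function auditWalletPage(html, siteOrigin) {
  const scripts = scriptOrigins(html, siteOrigin);
  return {
    scripts,
    thirdPartyCount: scripts.filter(s => s.thirdParty).length,
    // Any remote tag loader means the operator can push new code into the page at
    // will, bypassing whatever the public repository shows.
    remoteInjectionChannel: scripts.some(s => s.remoteTagLoader),
  };
}

// Constructed page fragment in the shape the investigation describes
// (the container id is a placeholder, not the redacted one).
const SAMPLE_HTML = `
<html><head>
<script src="/js/wallet.min.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//cdn.example.net/vendor.js"></script>
</head><body></body></html>`;

console.log(auditWalletPage(SAMPLE_HTML, 'https://wallet.example'));
// thirdPartyCount: 2, remoteInjectionChannel: true
```

For a wallet that claims all cryptography happens in the browser, the acceptable result is zero third-party scripts; one remote tag loader is enough to make every other audit of the code meaningless.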
Bulletproof Infrastructure
[REDACTED] does not run on cheap shared hosting. It runs on bulletproof infrastructure chosen specifically to resist takedown requests and law enforcement.
A legitimate free wallet does not spend $550+/month on bulletproof hosting (IANA #1241) behind DDoS-Guard, infrastructure marketed on its resistance to abuse complaints and subpoenas. It does not register a domain fifteen years ahead. It does not load Google tracking scripts into a "privacy-focused" Monero wallet. This is infrastructure built for one purpose: persistent theft at scale.
Operator Identified: Nathalie Roy
Open-source intelligence traces [REDACTED]'s infrastructure directly to a single individual.
Nathalie Roy was banned from the official r/Monero subreddit in 2018 for promoting [REDACTED]. The last GitHub commit happened the same year. For 6+ years the public code has been frozen while the production site actively steals funds with completely different code. The domain is paid through 2031 — the operator isn't going anywhere.
Documented Victims
At least 15 publicly reported cases of fund theft across Trustpilot, Sitejabber, Reddit, and GitHub Issues. Real people. Real money. Gone.
Public reports: 15+ · Single largest theft: 590 XMR (~$177,000) · Estimated total: $2M-$15M+
- 590 XMR (~$177,000): single theft, largest documented case
- 17.44 XMR: documented with the transaction ID on-chain
- 20 XMR stolen overnight: wallet drained while the user slept
- Multiple reports of "Unknown transaction id": the swept tag signature
The operator actively deletes victim reports from GitHub Issues (all issues before #13 are gone). The site claims to accept donations but no donation wallet address has ever been published. Why would a "volunteer project" spending $8K-$15K/year refuse donations? Because the revenue comes from theft.
Timeline of Events
[Timeline graphic, 2014-2024: [REDACTED] 10,000+ stolen keys, from site launch through first victims to operator identified]

2016: Domain Registered
Registered through the registrar with IANA ID 1479 for a fifteen-year term (2016-2031). Presents as a free, open-source Monero web wallet.

May 2018: GitHub Organization Created
[REDACTED] GitHub org created on 2018-05-10 by nathroy (ID: 39167759). Public code pushed as transparency theater.

2018: Banned & Code Frozen
Operator u/WiseSolution banned from r/Monero for promotional spam. Last GitHub commit around this time. Victim issue reports start being deleted (Issues #1-#12 gone).

2018-2024: Six Years of Silence
Public repository frozen. Production code diverges completely: obfuscated JS, undocumented parameters, backdoor endpoints. Victim reports accumulate on Trustpilot and Reddit.
Safer Alternatives
Monerujo (Android): open-source, with Tor support
Cake Wallet (iOS/Android): multi-coin, well-maintained
The Golden Rule of Crypto
Never enter your seed phrase, private keys, or view keys on any website. Legitimate wallets run locally — they never need to send your keys to a server. If a web wallet asks for your private keys, it's a scam. For maximum security, use a hardware wallet ([REDACTED], [REDACTED]) with official Monero software.
Protect the Community
[REDACTED] has been stealing Monero for 10 years. The evidence is public. The operator is identified. Share this investigation. Report the domain. Help us shut it down.