There's this long-running Monero web wallet xmrwallet.com

They claim to be client-side JS, which is true, and the keys are generated on client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet you'll notice that in first or second periodic balance calls on the dashboard page it'll include a mysterious field named `data`. Value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.

Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.

Also the owner is using an obviously fake persona, doesn't take genius to see that.

It's quite sad to think that this person has probably stolen more than few million dollars since starting operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together few novicely-written JS scripts and a dumb landing page.