[SECURITY RESEARCH]
www.xmrwallet.com — Confirmed Private Key Exfiltration | Seeking Affected Users
Our team has been tracking this service for some time. We focus on scam infrastructure analysis, threat attribution, and technical documentation. This is not a commercial effort — we publish findings publicly and work with affected parties only within a legitimate legal framework.
What we've confirmed so far:
This is not a case of poor security practice or an isolated bug. The evidence we've collected points to a systematic, intentional operation designed to harvest private view keys from every wallet opened through the service — including wallets created on the platform.
Our preliminary analysis covered:
Network traffic behavior and request structure
Private key handling and session token encoding
Infrastructure patterns and backend API design
Technical findings are documented publicly:
https://github.com/XMRWallet/Website/issues/36
https://github.com/XMRWallet/Website/issues/35
Current status:
We have partial attribution signals. We are not publishing them yet — doing so prematurely would compromise any chance of real accountability.
What we need:
Attribution alone is not actionable without victims willing to formally participate. If you used xmrwallet.com and experienced unexplained fund loss or suspicious activity, your cooperation would allow this investigation to move from analysis to enforcement.
Specifically useful:
Transaction history from the period of use
Wallet addresses used on the platform
Screenshots or logs if available
Willingness to engage with a legal process
Contact via this thread or privately. All communications handled confidentially.
We will continue publishing what can be verified publicly — regardless of whether anyone comes forward.
There's this long-running Monero web wallet xmrwallet.com
They claim to be client-side JS, which is true, and the keys are generated client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet, you'll notice that in the first or second periodic balance call on the dashboard page it'll include a mysterious field named `data`. The value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.
Unsurprisingly enough, the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in a way higher proportion than for any legit wallet.
Also, the owner is using an obviously fake persona; it doesn't take a genius to see that.
It's quite sad to think that this person has probably stolen more than a few million dollars since they started operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together a few novice-written JS scripts and a dumb landing page.
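One way to check the behaviour described above on your own machine, as an added example that is not part of this post: export the browser's network tab as a HAR file and scan every outbound request for the wallet's private view key in a few plausible encodings. The endpoint URL, the sample request and the list of encodings are assumptions; the post does not say which obfuscation is used, so the list is a starting point rather than the scheme itself.

```python
import base64

# Constructed sample: 32 bytes (64 hex chars), the size of a Monero private
# view key. This is NOT a real key.
SAMPLE_KEY_HEX = "0123456789abcdef" * 4

def key_encodings(key_hex):
    """Plausible 'thin obfuscation' forms of a hex key. The post does not name
    the scheme, so this list is an assumption; add forms as you find them."""
    raw = bytes.fromhex(key_hex)
    return {
        "hex": key_hex.lower(),
        "hex_reversed": key_hex.lower()[::-1],
        "base64_of_hex": base64.b64encode(key_hex.encode()).decode(),
        "base64_of_bytes": base64.b64encode(raw).decode(),
        "base64url_of_bytes": base64.urlsafe_b64encode(raw).decode().rstrip("="),
    }

def find_key_leaks(har, key_hex):
    """Scan every request in a parsed HAR; return (url, field, encoding) per leaking field."""
    forms = key_encodings(key_hex)
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        fields = {"url": req.get("url", "")}
        for p in req.get("queryString", []):
            fields["query:" + p["name"]] = str(p.get("value") or "")
        post = req.get("postData", {})
        if post.get("text"):
            fields["body"] = post["text"]
        for p in post.get("params", []):
            fields["param:" + p["name"]] = str(p.get("value") or "")
        for field, text in fields.items():
            for enc, needle in forms.items():
                if needle in text:
                    hits.append((req.get("url", ""), field, enc))
                    break  # one report per field is enough
    return hits

# Constructed HAR excerpt (hypothetical endpoint): the first of two periodic
# balance calls carries a `data` parameter wrapping the key; the second does not.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://wallet.example/balance.php", "postData": {"params": [
        {"name": "address", "value": "4A...constructed"},
        {"name": "data", "value": key_encodings(SAMPLE_KEY_HEX)["base64_of_hex"]}]}}},
    {"request": {"url": "https://wallet.example/balance.php", "postData": {"params": [
        {"name": "address", "value": "4A...constructed"}]}}},
]}}
```

For a real capture, load the exported file with `json.load` and pass the resulting dict as `har`; any hit means the key left the browser in a request the wallet never needed to send.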