xmrwallet.com steals your private keys

[xmrwalletScam]

There's this long-running Monero web wallet xmrwallet.com

They claim to be client-side JS, which is true, and the keys are generated on client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet you'll notice that in first or second periodic balance calls on the dashboard page it'll include a mysterious field named `data`. Value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.

Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.

Also the owner is using an obviously fake persona, doesn't take genius to see that.

It's quite sad to think that this person has probably stolen more than few million dollars since starting operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together few novicely-written JS scripts and a dumb landing page.

[owlcatz]

Interesting. Never heard of this. 6 years and its on github?

Can you show or tell me where in the tree this file that does this resides please?

https://github.com/XMRWallet/Website/tree/master/src/js

Thanks!

[JeromeTash]

I don't know about programming and code, but when I checked their repository on GitHub. I don't to see any open ior closed ssue talking about the vulnerability or stealing off private keys. Don't you think it would be a good thing to open up an issue about it over there for all to see?

https://github.com/XMRWallet/Website/issues

[BitcoinGirl.Club]

Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.

Can you bring some of the posts from the web so that we know some victims. Losing a coin from any wallet mostly users fault. Even after more than a decade, still a majority of the crypto users do not know the usual practices of securing their wallet. I have know people who kept their backup on Google Drive.

[PX-Z]

That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Edit: I checked the website, OP is talking right with data request to /getbalance.php in the /app.js, but you can't read the actual code because it's been obfuscate and i checked the github repo and there's no /getbalance.php file.

Here's the data request on /getbalance.php

[owlcatz]

That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Until this user posts some actual evidence, I'm not one to say. It's been out there  a while, so yeah it's technically open source, but can you understand it?

Maybe this is it?

https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755

[PX-Z]

That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Until this user posts some actual evidence, I'm not one to say. It's been out there  a while, so yeah it's technically open source, but can you understand it?

Maybe this is it?

https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755

The monero.js is an open source made by others to create a wallet and other monero-related stuff.

I have edited my post above upon checking the website. Other files were not existing in the repo. So it's good to say that the project is not fully open source in my POV as i can't read the /app.js as it's obsfucated, especially the POST data requests.

[NotATether]

Here's the data request on /getbalance.php

That's base64 encoding. Can someone try to base64decode it and post the output here (in hex, if it is binary)?

[jastigueta12]

There's this long-running Monero web wallet xmrwallet.com

They claim to be client-side JS, which is true, and the keys are generated on client-side, but the issue is that if you check the network tab of your browser and observe the requests made to the server-side PHPs after creating a wallet you'll notice that in first or second periodic balance calls on the dashboard page it'll include a mysterious field named `data`. Value of this field includes your private key with a thin obfuscation. This field stops existing in any subsequent requests.

Unsurprisingly enough the web is full of people claiming to have lost their XMR from addresses generated and used in this web wallet, in way higher proportion than any legit wallet.

Also the owner is using an obviously fake persona, doesn't take genius to see that.

It's quite sad to think that this person has probably stolen more than few million dollars since starting operating 6 years ago, just by wrapping official Monero software behind their PHP and throwing together few novicely-written JS scripts and a dumb landing page.

God why would I do that? i have been chronicling 8000 monero since 2017 and gave to this site... the jerks above githam nkiak is not affiliated with the site, thanks for your inaction and igshnor check reddit this site has stolen billions already, great community no one cares.

[jastigueta12]

That's fuck up, they are running 6 years already and no one noticed this. Their source code is in github but no one knows if its fully open source or only partial.

Until this user posts some actual evidence, I'm not one to say. It's been out there  a while, so yeah it's technically open source, but can you understand it?

Maybe this is it?

https://github.com/XMRWallet/Website/blob/master/src/js/monero.js#L3755

The monero.js is an open source made by others to create a wallet and other monero-related stuff.

I have edited my post above upon checking the website. Other files were not existing in the repo. So it's good to say that the project is not fully open source in my POV as i can't read the /app.js as it's obsfucated, especially the POST data requests.

lol official xmr - not list this  shit like official all internet in case about scam - they steal a lot of money an d good defend 5m+

[owlcatz]

lol official xmr - not list this  shit like official all internet in case about scam - they steal a lot of money an d good defend 5m+

https://www.getyarn.io/yarn-clip/ca56f96f-72cd-4846-960c-aba3d82dd776

I'm not sure what you're saying, can you be clearer please? I'll have a look at the site again as well as I've always found this interesting.

Edit - their trustpilot looks good, and I see no scam accusations since 2020 out there?

https://www.trustpilot.com/review/www.xmrwallet.com

[jastigueta12]

https://github.com/uBlockOrigin/uAssets/discussions/25202

https://www.sitejabber.com/reviews/xmrwallet.com

https://web.archive.org/web/20240510154440/https://www.trustpilot.com/review/www.xmrwallet.com (we can see how they do real review - now its deleted buy there report) on githab same deleted all true

just seo and report do and stole millons on chain which cant trace  - deo + name of wallet = 6 fag profit

Don’t be naive. It’s not just about what’s on Trustpilot now. The history shows something completely different. Go check the web archive and see how they’ve cleaned up their reputation. The site has been flagged as a scam multiple times, and their GitHub activity shows they’re not open source as they claim. Open source wallets should generate private keys and seed phrases on the client side, not the server side – that’s basic knowledge, and it’s embarrassing not to understand this.

If you want to check, here are some links:

Reddit: XMRWallet Scam - https://www.reddit.com/r/Monero/comments/k0ytgq/statement_from_xmrwalletcom_about_recent_phishing/?rdt=60585
Reddit: XMRWallet Scam - https://www.reddit.com/r/Monero/comments/jh15e3/psa_xmrwalletcom_is_a_scam_who_steals_your_funds/
Scamadviser: XMRWallet Check - https://www.scamadviser.com/check-website/xmrwallet.com
Medium: XMRWallet Scam - https://medium.com/@mosheglasper/xmrwallet-scam-and-lier-5bf21f73f55c
Just be smarter, and don’t forget to Google and use archives to see the full picture. Scammers like this build their reputation on manipulation, not honesty.

Have you ever seen that the purse builds reputation not due to reputable audits, and at the expense of fake reviews and custom purchased articles with the mark (sponsored) funny