README.md
June 24, 2026 · View on GitHub
You made this investigation necessary.
Now you cannot make it disappear.
NameSilo (NASDAQ: URL) — a publicly traded registrar with a 32.2% dead domain rate,
a ten-year fraud under active protection, and a documented pattern of suppressing
the researchers who exposed it.
Every takedown. Every lawyer. Every deleted tweet.
All of it is in the record. All of it makes this louder.
PhishDestroy is a Hydra. You already pulled the first head.
Pedigreeless Russian dogs can write reviews about themselves and buy articles about themselves in the third person.
Spoiler
It is quite baffling that the 'fastest-growing registrar in the world' appears entirely unaware of Section 3.18 of the ICANN Registrar Accreditation Agreement (RAA) and its explicit requirements.
There is no need to lie. Previously, you claimed to have conducted an investigation and inexplicably offered to help clear VirusTotal detections for the operator. Now you are either distorting the facts, or you have finally realized that managing malware detections is entirely outside your jurisdiction.
Either way, you are missing the point. I assure you, I fully understand the legal rights of users and the strict obligations of registrars. A service provider like NameSilo is obligated to take actionable steps against abuse—not to shield perpetrators, ignore reports, or mislead the public.
This is not 2018, and this is no longer just an appeal to ICANN. Based on the factual evidence, I am now calling upon US law enforcement and regulatory authorities to investigate the individuals involved here, as the facts indicate direct complicity in organizing scams and other illicit activities within the United States.
🔴 LIVE INVESTIGATION FEED · Auto-updated · Last fetch
2026-06-24
📦 Domains tracked5,252,306 |
💰 Est. revenue\$36,908,473 |
📡 Deployed61.4% |
✅ Confirmed phishing0.1% (3,750) |
⚡ Fresh (≤7d)0.7% |
🕵️ Serial regs1,342 |
🏷️ Top TLD Zones
| TLD | Count | Avg Reg Period | Est. Revenue |
|---|---|---|---|
.com | 2,250,220 | 1,924d | $20,229,478 |
.sbs | 377,445 | 625d | $1,883,451 |
.xyz | 366,888 | 739d | $546,663 |
.net | 248,803 | 1,591d | $2,485,542 |
.info | 228,072 | 680d | $910,007 |
.cfd | 227,753 | 660d | $1,136,487 |
.org | 225,293 | 1,544d | $2,250,677 |
.click | 99,445 | 516d | $396,786 |
.link | 69,559 | 626d | $277,540 |
.vip | 67,926 | 608d | $338,951 |
🌍 Top Hosting Countries
US ██████████████████ 967,274 (45.5%)
DE ██████████░░░░░░░░ 571,984 (26.9%)
SG █░░░░░░░░░░░░░░░░░ 78,754 (3.7%)
HK █░░░░░░░░░░░░░░░░░ 73,993 (3.5%)
NL █░░░░░░░░░░░░░░░░░ 70,027 (3.3%)
CA █░░░░░░░░░░░░░░░░░ 59,942 (2.8%)
GB ░░░░░░░░░░░░░░░░░░ 44,738 (2.1%)
BG ░░░░░░░░░░░░░░░░░░ 23,142 (1.1%)
📈 Registration Burst Days
| Date | Domains | × Average |
|---|---|---|
2025-07-19 | 17,180 | 37.0× 🚨 |
2025-12-01 | 14,208 | 30.6× 🚨 |
2026-06-09 | 12,371 | 26.7× 🚨 |
2025-12-08 | 12,174 | 26.2× 🚨 |
2025-12-11 | 12,127 | 26.1× 🚨 |
🎯 Top Targeted Brands & Keywords
login (11,144) · support (6,523) · crypto (6,218) · secure (6,136) · trust (5,875) · connect (5,639) · account (4,095) · official (4,047) · farm (3,423) · claim (3,344) · update (3,090) · bridge (3,010) · vault (2,291) · wallet (2,183) · token (2,051)
🕵️ Top Serial Registrants — 50 emails with ≥5 domains
| # | Registrant Email (redacted) | Domains |
|---|---|---|
| 1 | chi***@mail.com | 10,635 |
| 2 | diz***@992fun.com | 6,015 |
| 3 | ser***@atom.com | 4,223 |
| 4 | inf***@brandbucket.com | 1,878 |
| 5 | sal***@brandbucket.com | 1,878 |
| 6 | shu***@outlook.com | 1,505 |
| 7 | diz***@91jqx.com | 1,119 |
| 8 | jac***@greensock.com | 1,092 |
| 9 | pri***@gmail.com | 936 |
| 10 | pun***@gmail.com | 854 |
📥 Download Threat Intelligence
| File | Format | Description |
|---|---|---|
data/all.txt | TXT | All tracked domains |
data/index.json | JSON | Full analytics snapshot |
data/ioc/serial_registrants.json | JSON | Repeat registrants + their domains |
data/ioc/shared_ips.json | JSON | Bulletproof hosting clusters |
data/ioc/brand_domains.json | JSON | Domains by targeted brand |
data/ioc/stix-bundle.json | STIX 2.1 | MISP/OpenCTI ready bundle |
data/ioc/serial_emails.txt | TXT | grep-friendly: email⇥count |
data/ioc/shared_ips.txt | TXT | grep-friendly: ip⇥count⇥country |
📊 Live web dashboard: see Pages link at top · Updated daily 06:00 UTC
🕸️ Network of Complicit Registrars
This investigation is part of a series documenting ICANN-accredited registrars that systematically obstruct anti-phishing enforcement or directly profit from fraud infrastructure.
| # | Registrar | IANA | Zone | Confirmed Malicious | Russian Connection | Investigation |
|---|---|---|---|---|---|---|
| 1 | NICENIC INTERNATIONAL GROUP | #3765 | 349,376 | 18,927 (50% of alive) | 🇷🇺 #2 hosting country (8.5%) | nicenic-evidence · Live Report |
| 2 | Trustname.com / Fewmoretaps ÖÜ | #4318 | 9,343 | 1,114 HIGH (86% alive) | 🇷🇺 Russian-operated, Estonian shell | trustname-evidence · Live Report |
| 3 | NameSilo, LLC (this) | #1479 | 5,251,494 | 183,419 | 🇷🇺 Russian team members, suppression campaign | namesilo-evidence · Live Report |
🇷🇺 Russian Connection & Complicity Record
Russian Presence — The Team Behind the "American" Registrar
NameSilo LLC is registered in Phoenix, Arizona. NameSilo Technologies Corp is listed on the Canadian Securities Exchange (CSE: BZI via Brisio Innovations). But the actual engineering team is a Russian/CIS outsourcing operation spread across Russia, Belarus, Ukraine, Serbia, Argentina, and Latvia. At least 13+ Russian-speaking employees have been identified in the current and recent team:
| Person | Role | Location | Previous Employment |
|---|---|---|---|
| 🚨 Mikhail Chudinov | DevOps — full infrastructure access | Argentina (crypto relocation) | Head of IT at SuperKopilka (Russian financial pyramid, collapsed 2017, ~10 years tenure); COO at AtomX.online (crypto); Poker Club Manager |
| 🇷🇺 Ivan Borzenkov | PHP Backend Developer | Bryansk, Russia (+7 920 602-0…) | TrafficStars (adult/affiliate ad network, grey adtech, Latvia); Skyeng; AdMe.ru |
| 🇷🇺 Vladimir Voskov | Project Development Manager | Moscow, Russia | Zyfra Company (Russian industrial automation, state contracts); АНО Ассоциация участников технологических кружков |
| 🇷🇸 Tatiana Labutina | Senior Project Manager | Belgrade, Serbia (post-2022 Russian relocation hub) | ForexClub Libertex (Russian forex broker, regulatory scandals); Social Quantum (Russian gamedev, St. Petersburg); Avatarico |
| 🇧🇾 Aleksey Podashevskiy | Frontend Developer | Belarus (sanctioned jurisdiction) | Working for a US registrar from a sanctioned country raises OFAC compliance questions |
| 🇷🇺 Konstantin Gorokhov | Backend Developer | Miami, FL (relocated from Russia) | CS Specialist at NameSilo 2019–2021, promoted to backend |
| 🇺🇦 Volodymyr Pohodaiev | Software Engineer | New York (relocated) | Adsimilate Marketing (affiliate marketing, grey area); FinditQuick.com |
The DevOps engineer who holds keys to all NameSilo infrastructure built IT systems for a Russian financial pyramid for 10 years. The PHP developer came from an adult ad network. Project managers sit in Moscow and Belgrade. The frontend developer works from sanctioned Belarus. This is not an American technology company. This is a CIS outsourcing operation with a US mailing address.
This explains everything:
- Why abuse reports are ignored — the team doing the ignoring shares the operator's language and culture
- Why the suppression playbook matches Russian cybercrime patterns
- Why a DMCA takedown request targeting coverage of xmrwallet was filed from Russia
- Why 20+ complaints from international victims and security researchers produced zero action
When you staff your "American registrar" with people whose previous jobs include financial pyramids, adult ad networks, and Russian state-connected companies — you get exactly the kind of registrar that protects a $100M+ phishing operation and calls it "customer service."
NameSilo's PrivacyGuardian privacy-shield service covers hundreds of thousands of domains. Analysis of PrivacyGuardian-shielded domains reveals systematic use by Russian-speaking fraud networks, crypto-drainer operators, and carding infrastructure.
Documented Obstruction
- Offered to clear VirusTotal detections for xmrwallet[.]com operator instead of suspending the domain — direct operational assistance to an active fraud campaign.
- Blacklisted researchers who filed abuse reports, cutting off future reporting channels.
- Suppressed media coverage — coordinated deletion of tweets, articles, and references documenting NameSilo’s complicity.
- 108,000 pages deindexed from Bing in a documented suppression campaign targeting coverage of this investigation.
- Abuse reports with full evidence packages — wallet addresses, victim transaction hashes, phishing kit source, live domain screenshots — met with inaction or active interference.
- As a NASDAQ-listed company, NameSilo’s knowing failure to act on documented fraud infrastructure creates potential securities and regulatory exposure.
- Direct requests with evidence: ignored, delayed, or actively countered.
"NameSilo didn’t just ignore the report. They offered to help the fraudster. That is no longer a compliance failure — it is complicity."
Why NameSilo Earned This Investigation
They didn't end up here because we were looking for them. They ended up here because they came looking for us.
This investigation began not with a zone file, but with a threat.
When PhishDestroy started publishing evidence about xmrwallet[.]com — two parties decided the correct response was intimidation. The operator arrived with lawyers and a private detective. NameSilo arrived with platform suppression and a defamation claim on Twitter.
Every attempt was documented. Every attempt failed. Every attempt is now part of the public record.
Two Tracks. Same Goal. Zero Results.
| 🔴 xmrwallet operator | 🔴 NameSilo, LLC (IANA #1479) |
|---|---|
|
① Direct contact · Feb 16, 2026 Contacted PhishDestroy researchers personally. Did not claim the site was hacked. Defended the operation as his own work. Demanded removal of all abuse reports. We published his email instead. |
① Public defense · Mar 13, 2026 Official corporate account called the operator "the victim", denied receiving 20+ abuse reports, and committed in writing to helping him remove his VirusTotal detections. We rebutted every sentence using his own emails. |
|
② Lawyer threats Threatened a lawsuit. Demanded full retraction under legal pressure. Threat documented and published. |
② @Phish_Destroy locked via X Gold Used X Gold Checkmark live-support access to lock the research account after our rebuttal reached 11,300+ views. X cleared the account in writing on Apr 15: "no violation found." Lock remains. Abuse documented. |
|
③ Private detective threat Claimed to have hired an investigator to identify and expose individual researchers by name. Documented. Researchers unidentified. Investigation continued. |
③ "Defamation" claim · May 11, 2026 Posted publicly on Twitter that our reporting constituted defamation. Threatened legal consequences if we did not stop. The reporting is factual. Every claim is sourced. Threat logged in |
|
④ "Serious consequences" Escalating personal warnings directed at individual community members. Archived. Ignored. Published. |
④ 108,000 pages deindexed from Bing IOC reports, evidence pages, and domain analysis scrubbed from Microsoft Bing search results. Content mirrored to IPFS, Arweave, Codeberg, GitHub simultaneously. |
|
⑤ DMCA takedown · Google Formal copyright claim submitted targeting research pages in Google Search. Content is factual documentation of fraud. No copyrightable material belonging to any complainant. Logged in Lumen Database. Strengthened the legal record. |
What Every Attempt Accomplished
| Action | By | Result |
|---|---|---|
| Demanded report removal | Operator | Email published as evidence |
| Lawyer threats | Operator | Threat documented and published |
| Private detective threat | Operator | Documented · researchers unidentified |
| "Serious consequences" | Operator | Archived · investigation continued |
| Called operator "the victim" | NameSilo | Rebutted line-by-line · archived permanently |
| Locked @Phish_Destroy via X Gold | NameSilo | X cleared account in writing · abuse documented |
| Called reporting "defamation" | NameSilo | Logged · factual record unchanged |
| 108,000 Bing pages removed | NameSilo | Mirrored to 5+ platforms · IPFS permanent |
| DMCA filed with Google | NameSilo | Logged in Lumen · strengthened legal record |
They wanted legal consequences for us.
We want legal consequences for them.
The difference is that we have the evidence.
The investigation is MIT-licensed. It lives on the blockchain. It has been filed with ICANN and submitted to IC3. There is no version of this story that ends with the evidence gone.
Every deletion attempt is itself evidence. Every threat goes into the dossier. Every escalation increases the footprint of this case.
What Happened
NameSilo, LLC (IANA #1479) — US-based, ICANN-accredited, CSE-listed registrar (ticker: URL) — publicly defended xmrwallet[.]com, a Monero wallet drainer operating continuously since ~2016, with estimated victim losses of $10–20M.
PhishDestroy submitted 20+ delivery-receipted abuse reports over three years. NameSilo took no action. On March 13, 2026, their official corporate account published a statement calling the operator "the victim," denying all reports ever arrived, and committing in writing to helping him remove his VirusTotal detections. Three other registrars (PDR, WebNic, NICENIC) reviewed the same evidence and suspended the domain within days. NameSilo wrote a press release for him.
When we proved every sentence false using the operator's own emails, NameSilo used X Gold Checkmark live-support access to lock the @Phish_Destroy research account. X's automated review cleared it in writing on April 15, 2026. The lock is still in place.
NameSilo's only documented response to this investigation: the scammer's domain was quietly transferred to Namecheap.
NameSilo, LLC (IANA #1479) · March 13, 2026 · 11,300 views · Archived
What We Verified
| What | How | Result |
|---|---|---|
| Every NameSilo domain | Complete zone file — 5,269,357 entries, zero sampling | ✓ Full census |
| HTTP response per domain | aiohttp/asyncio · 5s timeout · AWS Lambda 400× + GCP Cloud Run 20×400 | 1,129,114 active |
| Page content classification | active / parking / redirect / phishing / gambling / empty | 87.3% junk |
| Operator identity via favicon | MurmurHash3 on favicon bytes · identical hash = same operator | 12 clusters found |
| Server infrastructure fingerprint | SHA-256(Server header + X-Powered-By + ETag) → 12-char hex | 328,230-domain cluster |
| Brand impersonation | Domain name + page title + favicon hash → known brand list | 3,726 phishing / 201 brand impersonations |
| PrivacyGuardian domains | RDAP validation against rdap.namesilo.com · 4,974,265 candidates | 164,027 confirmed PG-shielded |
| Threat feed cross-check | 25+ independent feeds: Spamhaus DBL, SURBL, PhishTank, URLhaus, ThreatFox… | 183,419 malicious / 109,196 hard (3+ sources) |
| Dead domain rate | Compared against 7 other registrars · 130M total domains | 32.2% vs 14–21% baseline |
| Trustpilot reviews | Wayback Machine snapshots vs. live scrape · Jan 2026 → May 2026 | 129 reviews deleted |
| PR Newswire connection | Both xmrwallet and NameSilo used Cision/PR Newswire · verified dates | Same-day publish Jan 21–22, 2026 |
| Abuse report receipts | Delivery-confirmed submissions through NameSilo's own portal | 20+ reports · 0 action |
Full scan pipeline and raw data:
pkg/raw_data/— gzip archives, up to 499 MB uncompressed
Investigation Scale
| Metric | Value |
|---|---|
| Total domains scanned | 5,269,357 |
| Dead / no DNS / parked (junk rate) | 4,600,249 · 87.3% |
| Brand-phishing domains | 3,726 |
| Gambling cluster (MurmurHash3) | 19,198 |
| Single server fingerprint cluster | 328,230 domains |
| CF-confirmed phishing on cluster | 2,062 |
| Malicious behind PrivacyGuardian | 183,419 |
| Hard-confirmed (3+ sources) | 109,196 |
| Brand impersonations | 201 |
| Dead rate vs. industry | 32.2% vs 14–21% |
| xmrwallet victim losses | $10M–$20M |
| Abuse reports filed, ignored | 20+ |
| Registrars that suspended | 3 of 4 |
⚖️ Legal Notice & Responsible Disclosure
All data in this repository was collected exclusively from publicly accessible sources:
| Source | Method |
|---|---|
| Zone file | ICANN CZDS — accredited access, permissible use |
| WHOIS | Public WHOIS protocol (RFC 3912) |
| HTTP responses | Passive crawl of publicly reachable URLs |
| DNS records | Passive DNS / authoritative queries |
| Screenshots | Rendered pages accessible to any browser |
No non-public systems were accessed. No credentials were tested. No authentication was bypassed. No victim data was processed.
This publication is conducted under:
- ICANN Registrar Accreditation Agreement §3.18 (abuse response obligations)
- CISA Coordinated Vulnerability Disclosure guidelines
- FIRST.org TLP:CLEAR definition — unlimited public sharing permitted
Regarding Reputational Impact
This research documents objectively verifiable facts: domain registration patterns, HTTP response content, and registrar abuse-response latency. These facts were publicly visible before this repository existed.
NameSilo, LLC is an ICANN-accredited registrar operating under contractual obligations to the global internet community. Publication of factual evidence of contractual non-compliance is not defamation — it is the function ICANN's transparency requirements were built to serve.
If NameSilo disputes any finding: submit documented evidence via phishdestroy.io. Findings supported by evidence will be corrected in a timestamped update.
| 📜 License | MIT |
| 🏷 TLP | CLEAR — unlimited distribution |
| 🌐 Contact | phishdestroy.io |
Links by Content
🌐 Live Reports — phishdestroy.github.io/namesilo-evidence
| Report | What's inside |
|---|---|
| Zone Scan Report | Charts, IOC breakdown, methodology, chain of custody |
| Favicon Cluster Analysis | 12 operator clusters identified via MurmurHash3 |
| 107k IOC Domain List | Searchable table — flags, favicons, categories |
| PrivacyGuardian Shield | 183,419 malicious domains behind NameSilo's own WHOIS privacy |
| Review Manipulation | 129 deleted Trustpilot reviews · bot network · PR Newswire link |
📁 Case Documents — case/
| File | Contents |
|---|---|
| INVESTIGATION_DOSSIER_EN.md | Complete investigation dossier · 613 lines |
| ARTICLE_FULL.md | Full investigative article |
| CONNECTION.md | NameSilo ↔ operator evidence chain |
| THE-LIES.md | NameSilo's Mar 13 statement rebutted, line by line |
| NAMESILO-RESPONSE-MAY2026.md | May 11 legal threat tweet, documented |
| NAMESILO_DOMAIN_ANOMALY_REPORT.md | 8-registrar, 130M domain statistical analysis |
| PRESSURE.md | DMCA · DDoS · account suppression campaign log |
🔍 Operator Intelligence — intel/
| File | Contents |
|---|---|
| OPERATOR_PROFILE.md | Identity, domains, IPs, IOCs |
| VICTIMS.md | Documented victims · 2016–2026 timeline |
| SCAM_TECHNICAL.md | xmrwallet: 8 PHP endpoints · session_key exfiltration |
| XMRWALLET_TECHNICAL.md | Server-side key drainer case file |
📸 Evidence — evidence/
16 SHA-256-verified screenshots · full index: case/EVIDENCE_INDEX.md
| Key exhibit | File |
|---|---|
| NameSilo four-lie tweet (Mar 13, 2026) | 03-namesilo-statement-mar13.png |
| Operator email — "no phishing" (Feb 16, 2026) | 01-operator-email-feb16.png |
| X Support — "no violation, restored" (Apr 15, 2026) | 06-x-support-no-violation.png |
Verify integrity:
git clone [https://github.com/phishdestroy/namesilo-evidence.git](https://github.com/phishdestroy/namesilo-evidence.git)
cd namesilo-evidence/evidence && sha256sum -c ../EVIDENCE_HASHES.txt
<img src="https://user-images.githubusercontent.com/74038190/212284100-561aa473-3905-4a80-b561-0d28506553ee.gif" width="100%">