Namecheap: Stop Monero Scams Now!

Exposing monero[.]forex & darknetbible[.]info

What’s Happening?

The domains monero[.]forex and darknetbible[.]info, registered through Namecheap, falsely present themselves as blogs for Monero (XMR) resources. The reality? These are carefully crafted traps directing users to phishing sites like exch[.]best and xchange[.]cheap – clones of legitimate services exch.net and xchange.me.

The goal is clear: stealing cryptocurrency through fake exchanges. 

Update 17 April 2025

The browser (Firefox) blocked access to exch[.]best, displaying a warning message: "Deceptive site ahead."
This advisory was issued based on data from Google Safe Browsing, indicating the domain is flagged for phishing or other malicious activity.

MetaMask has flagged the domain monero[.]forex as potentially deceptive, warning that attackers may try to trick users into performing unsafe actions.
Additionally, the site promotes the phishing domain exch[.]best as if it were a legitimate platform.

Deceptive Tactics Behind darknetbible[.]info and monero[.]forex

Previously, they used phishing domain exch[.]cash (IP: 185.156.46.121, hosted via Serverius), an identical copy of exch.net. After reporting it to the registrar easyDNS and upstream provider Tucows, DNS records were suspended (WHOIS status: “clientHold”).

Screenshot from web ahrchive showing links to fake websites xchange[.]sbs and exch[.]cash, which impersonate the legitimate domains xchange.me and exch.net.


Web Archive 26 Jan. '25 

Note that darknetbible[.]info is a copy of the "DNM bible"
a legitimate resource very well-known in the Tor community
The real DNM Bible onion is: (can be found on tor.taxi)
 http://biblemeowimkh3utujmhm6oh2oeb3ubjw2lpgeq3lahrfr2l6ev6zgyd.onion/
The scammer uses a visually identical copy of the original site, but replaces the legitimate links with connections to other phishing domains.

After the suspension of the exch[.]cash domain, The scammer immediately switched to a new domain exch[.]best (IP: 172.67.128.234, Cloudflare proxy), proving intent.

In the same text there is also a phishing link xchange[.]cheap clone of original site xchange.me.
As well as a reference to the "sister guide" site also monero[.]forex

monero[.]forex also refers visitors to phishing sites. For clearnet site as well as for onion.

monero[.]forex is also linked to the phishing websites exch.cash and xchange.sbs. After these domains were suspended, they were replaced with new, equally fraudulent websites.

Web Archive 12 Jan. 2025

WHOIS Information


Domain Information
Name: darknetbible.info
Internationalized Domain Name: darknetbible.info
Registry Domain ID: 1bb74d2a68174366a290841500d0453e-DONUTS
Domain Status: clientTransferProhibited

Nameservers:
ns1.freehostingtools.net
ns2.freehostingtools.net

Dates
Registry Expiration: 2026-05-01 19:44:00 UTC
Updated: 2025-04-11 13:35:54 UTC
Created: 2022-05-01 19:44:00 UTC

Registrant:
Handle: k31jcyzgvcjzhc19
Name: Redacted for Privacy
Organization: Privacy service provided by Withheld for Privacy ehf
Email: [email protected]
Phone: tel:+354.4212434
Mailing Address: Kalkofnsvegur 2, Reykjavik, Capital Region, 101, IS
REDACTED FOR PRIVACYSome of the data in this object has been removed

Registrar Information
Name: NAMECHEAP INC
IANA ID: 1068
Abuse contact email: [email protected]
Abuse contact phone: tel:+1.9854014545

Domain Information
Name: monero.forex
Internationalized Domain Name: monero.forex
Registry Domain ID: e9ce521b884a4fc0a7322a4271a4c732-DONUTS
Domain Status: clientTransferProhibited

Nameservers:
ns1.freehostingtools.net
ns2.freehostingtools.net

Dates
Registry Expiration: 2026-04-05 05:42:51 UTC
Updated: 2025-03-11 09:16:33 UTC
Created: 2024-04-05 05:42:51 UTC

Contact Information
Registrant:
Handle: 7toxubxljiqly409
Name: Redacted for Privacy
Organization: Privacy service provided by Withheld for Privacy ehf
Email: [email protected]
Phone: tel:+354.4212434
Mailing Address: Kalkofnsvegur 2, Reykjavik, Capital Region, 101, IS
REDACTED FOR PRIVACY: Some of the data in this object has been removed.

Registrar Information
Name: NAMECHEAP INC
IANA ID: 1068
Abuse contact email: [email protected]
Abuse contact phone: tel:+1.9854014545

https://x.com/IWriteAboutXMR

Connection to Suspicious X (Twitter) Account

We have identified a public X (formerly Twitter) account that appears to be directly associated with the reported domains.
The account actively promotes phishing sites, and one of the malicious URLs is even placed in the profile bio.

They even expect tips at [email protected] 

https://x.com/IWriteAboutXMR/status/1882562470742806959

Pinned post from the identified X account directly promotes the domain monero[.]forex.

The post is publicly visible and has accumulated over 2,400 views at the time of capture, representing a potential number of victims reached through this single promotional message.
This strongly suggests that the account is being used intentionally to drive traffic toward the reported phishing domain.

The difference between an original and a fake site is hard to see for those who don't know
The original eXch contains its domains exch.net and exch.cx as well as the original onion link
The scammer has only kept the exch[.]best domain and a link to a fake onion site active. (otherwise, the domain is marked as "dangerous")

A user under the name TrevorBaaddi registered on the Bitcointalk forum with the apparent intention of blackmailing eXch—demanding 2 BTC in exchange for handing over all domains and accounts associated with the exch phishing operation.
(I got this proof from the official eXch representative on the forum)

Question for Namecheap, what exactly is unclear here about scam intent?

"We have 15 new domains for bible and moneronews that you probably haven't found yet (moneronews com, xmr mobi). 20+ for exch. But your actions are so slow we get to use ones for a surprising amount of time. I will sell you the domains as you list them for for 0.025 btc each (sent in Monero). you want .best + .cd+ .cy. +.forex + dnb.info +? Transfered via domain registry, or redirected to whoever you want. I can't give you the register accounts unless you buy them all."

Or

"Do one thing and note that our biggest asset is the network of people in the crypto community we have on our anti browsers. Nearly 500 x, facebook/insta reddit, bct, tele, trustpilot, github, 3+ domain registries, free hosts, and more and growing."

and

"I'll give you the lot for 2 btc and your shut down of anir0y-scams site/s. You get all domains in your list, all domains we have ready for the future, all hostings taken offline tomorrow, plus the master password for all antibrowsers, about 480 active profiles, which includes passwords/logins for all domain registers and emails associated to those (main thing in my opinion, but if you don't want I'll take 1 btc for just all domains. You can lock us out and delete, give to police, or do whatever you think is best with them."

Official (eXch & Xchange) links

eXch

Clearnet: exch.net
Reserve domain: exch.cx
Onion: hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion
Contact email: support [at] exch.cx

Xchange

Clearnet: xchange.me
Onion: xmxmrjoqo63c5notr2ds2t3pdpsg4ysqqe6e6uu2pycecmjs4ekzpmyd.onion 
Contact email: support [at] xchange.me

Why Is Namecheap Silent?
Multiple users have reported this scam to Namecheap (ticket [NC-RUN-3890], [NC-OOS-8296], etc.), attaching logs and screenshots. The response? “Unable to validate claim” or “Contact the host.” Suspending hosting isn’t enough – scammers relocate to new solutions within hours.
The solution is domain suspension at the registry level, which is Namecheap’s responsibility under ICANN policies (Domain Name Registration Agreement, Section 3.7.7). 

Question for Namecheap:

How many more XMR transactions (average: 50-100 XMR per victim, ~$10,000-$20,000) must be stolen through your domains before you act? EasyDNS and Tucows proved suspension works – exch[.]cash was neutralized within a reasonable period.
Where’s your efficiency?

Action Is Needed NOW:

  • Suspend monero[.]forex and darknetbible[.]info (WHOIS status: “clientHold” or “serverHold”).
  • Disable DNS resolution and break the scam chain.

How did Namecheap react to the reports so far?

"We have thoroughly investigated your allegation to the extent of our capabilities, but we were unable to validate your claim."

Namecheap

- They cannot verify the accuracy of this report.

"The issue would need to be addressed to the hosting provider to see if their terms of service have been violated and would need to be addressed to the domain registrant as they should be the individual who would control what particular content is being exchanged. We have no way to police these issues as we do not control the hosting company in this instance."

Namecheap

refer to hosting, which is only a temporary solution.

Share this Page!

© Copyright 2025 - NamecheapScamExpose.info

This page is an independent public appeal and not affiliated with any of the mentioned services.