What’s Happening?
The domains monero[.]forex and darknetbible[.]info, registered through Namecheap, falsely present themselves as blogs for Monero (XMR) resources. The reality? These are carefully crafted traps directing users to phishing sites like exch[.]best and xchange[.]cheap – clones of legitimate services exch.net and xchange.me.
The goal is clear: stealing cryptocurrency through fake exchanges.
The browser (Firefox) blocked access to exch[.]best, displaying a warning message: "Deceptive site ahead."
This advisory was issued based on data from Google Safe Browsing, indicating the domain is flagged for phishing or other malicious activity.
MetaMask has flagged the domain monero[.]forex as potentially deceptive, warning that attackers may try to trick users into performing unsafe actions.
Additionally, the site promotes the phishing domain exch[.]best as if it were a legitimate platform.
Previously, they used the phishing domain exch[.]cash (IP: 185.156.46.121, hosted via Serverius), an identical copy of exch.net. After it was reported to the registrar easyDNS and the upstream provider Tucows, its DNS records were suspended (WHOIS status: “clientHold”).
Screenshot from the Web Archive showing links to the fake websites xchange[.]sbs and exch[.]cash, which impersonate the legitimate domains xchange.me and exch.net.
Web Archive 26 Jan. '25
After the suspension of the exch[.]cash domain, the scammer immediately switched to a new domain, exch[.]best (IP: 172.67.128.234, Cloudflare proxy), proving intent.
The same text also contains the phishing link xchange[.]cheap, a clone of the original site xchange.me.
It also references the "sister guide" site, monero[.]forex.
monero[.]forex is also linked to the phishing websites exch[.]cash and xchange[.]sbs. After these domains were suspended, they were replaced with new, equally fraudulent websites.
Web Archive 12 Jan. 2025
Domain Information
Name: darknetbible.info
Internationalized Domain Name: darknetbible.info
Registry Domain ID: 1bb74d2a68174366a290841500d0453e-DONUTS
Domain Status: clientTransferProhibited
Nameservers:
ns1.freehostingtools.net
ns2.freehostingtools.net
Dates
Registry Expiration: 2026-05-01 19:44:00 UTC
Updated: 2025-04-11 13:35:54 UTC
Created: 2022-05-01 19:44:00 UTC
Registrant:
Handle: k31jcyzgvcjzhc19
Name: Redacted for Privacy
Organization: Privacy service provided by Withheld for Privacy ehf
Email: [email protected]
Phone: tel:+354.4212434
Mailing Address: Kalkofnsvegur 2, Reykjavik, Capital Region, 101, IS
REDACTED FOR PRIVACY: Some of the data in this object has been removed
Registrar Information
Name: NAMECHEAP INC
IANA ID: 1068
Abuse contact email: [email protected]
Abuse contact phone: tel:+1.9854014545
Domain Information
Name: monero.forex
Internationalized Domain Name: monero.forex
Registry Domain ID: e9ce521b884a4fc0a7322a4271a4c732-DONUTS
Domain Status: clientTransferProhibited
Nameservers:
ns1.freehostingtools.net
ns2.freehostingtools.net
Dates
Registry Expiration: 2026-04-05 05:42:51 UTC
Updated: 2025-03-11 09:16:33 UTC
Created: 2024-04-05 05:42:51 UTC
Contact Information
Registrant:
Handle: 7toxubxljiqly409
Name: Redacted for Privacy
Organization: Privacy service provided by Withheld for Privacy ehf
Email: [email protected]
Phone: tel:+354.4212434
Mailing Address: Kalkofnsvegur 2, Reykjavik, Capital Region, 101, IS
REDACTED FOR PRIVACY: Some of the data in this object has been removed.
Registrar Information
Name: NAMECHEAP INC
IANA ID: 1068
Abuse contact email: [email protected]
Abuse contact phone: tel:+1.9854014545
https://x.com/IWriteAboutXMR
We have identified a public X (formerly Twitter) account that appears to be directly associated with the reported domains.
The account actively promotes phishing sites, and one of the malicious URLs is even placed in the profile bio.
They even expect tips at [email protected]
The post is publicly visible and has accumulated over 2,400 views at the time of capture, representing a potential number of victims reached through this single promotional message.
This strongly suggests that the account is being used intentionally to drive traffic toward the reported phishing domain.
A user under the name TrevorBaaddi registered on the Bitcointalk forum with the apparent intention of blackmailing eXch—demanding 2 BTC in exchange for handing over all domains and accounts associated with the exch phishing operation.
(I got this proof from the official eXch representative on the forum)
Question for Namecheap: what exactly is unclear here about scam intent?
"We have 15 new domains for bible and moneronews that you probably haven't found yet (moneronews com, xmr mobi). 20+ for exch. But your actions are so slow we get to use ones for a surprising amount of time. I will sell you the domains as you list them for for 0.025 btc each (sent in Monero). you want .best + .cd+ .cy. +.forex + dnb.info +? Transfered via domain registry, or redirected to whoever you want. I can't give you the register accounts unless you buy them all."
Or
"Do one thing and note that our biggest asset is the network of people in the crypto community we have on our anti browsers. Nearly 500 x, facebook/insta reddit, bct, tele, trustpilot, github, 3+ domain registries, free hosts, and more and growing."
and
"I'll give you the lot for 2 btc and your shut down of anir0y-scams site/s. You get all domains in your list, all domains we have ready for the future, all hostings taken offline tomorrow, plus the master password for all antibrowsers, about 480 active profiles, which includes passwords/logins for all domain registers and emails associated to those (main thing in my opinion, but if you don't want I'll take 1 btc for just all domains. You can lock us out and delete, give to police, or do whatever you think is best with them."
Clearnet: exch.net
Reserve domain: exch.cx
Onion: hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion
Contact email: support [at] exch.cx
Clearnet: xchange.me
Onion: xmxmrjoqo63c5notr2ds2t3pdpsg4ysqqe6e6uu2pycecmjs4ekzpmyd.onion
Contact email: support [at] xchange.me
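A link check built from the official addresses listed above, as an added example that is not part of the original appeal: it flags any host that reuses an official name under a different TLD, which is the pattern of every clone named on this page. The function names and the single-label-TLD rule are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Official hosts exactly as listed on this page (clearnet, reserve, onion).
OFFICIAL = {
    "exch.net", "exch.cx", "xchange.me",
    "hszyoqwrcp7cxlxnqmovp6vjvmnwj33g4wviuxqzq47emieaxjaperyd.onion",
    "xmxmrjoqo63c5notr2ds2t3pdpsg4ysqqe6e6uu2pycecmjs4ekzpmyd.onion",
}
# Brand labels taken from the clearnet names: {"exch", "xchange"}.
BRANDS = {h.split(".")[0] for h in OFFICIAL if not h.endswith(".onion")}


def hostname(link: str) -> str:
    """Lower-case hostname from a URL or a bare, possibly defanged, host."""
    text = link.strip().replace("[.]", ".")
    if "://" not in text:
        text = "//" + text  # make urlsplit treat the input as a network location
    try:
        host = urlsplit(text).hostname or ""
    except ValueError:      # malformed brackets, e.g. an unusual defang style
        return ""
    return host.rstrip(".").lower()


def classify(link: str) -> str:
    """Return 'official', 'lookalike', 'unknown' or 'invalid' for a link."""
    host = hostname(link)
    if not host:
        return "invalid"
    # An official host, or a subdomain of one.
    if any(host == o or host.endswith("." + o) for o in OFFICIAL):
        return "official"
    labels = host.split(".")
    # Assumption: single-label TLDs, so the registered name is the
    # second-to-last label. Same name, other TLD: treat as a clone.
    if len(labels) >= 2 and labels[-2] in BRANDS:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Links quoted on this page, in the defanged form the page uses.
    for link in ("exch.net", "exch[.]best", "exch[.]cash",
                 "xchange[.]cheap", "xchange[.]sbs", "monero[.]forex"):
        print(f"{link:18} {classify(link)}")
```

The lure blogs such as monero[.]forex come back as "unknown" because they do not imitate an official name, so they have to be caught by a blocklist or reputation feed rather than by this check.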
Why Is Namecheap Silent?
Multiple users have reported this scam to Namecheap (ticket [NC-RUN-3890], [NC-OOS-8296], etc.), attaching logs and screenshots. The response? “Unable to validate claim” or “Contact the host.” Suspending hosting isn’t enough – scammers relocate to new solutions within hours.
The solution is domain suspension at the registry level, which is Namecheap’s responsibility under ICANN policies (Domain Name Registration Agreement, Section 3.7.7).
Question for Namecheap:
How many more XMR transactions (average: 50-100 XMR per victim, ~$10,000-$20,000) must be stolen through your domains before you act? EasyDNS and Tucows proved suspension works – exch[.]cash was neutralized within a reasonable period.
Where’s your efficiency?
"We have thoroughly investigated your allegation to the extent of our capabilities, but we were unable to validate your claim."
Namecheap
- They cannot verify the accuracy of this report.
"The issue would need to be addressed to the hosting provider to see if their terms of service have been violated and would need to be addressed to the domain registrant as they should be the individual who would control what particular content is being exchanged. We have no way to police these issues as we do not control the hosting company in this instance."
Namecheap
- They refer the matter to the hosting provider, which is only a temporary solution.
This page is an independent public appeal and not affiliated with any of the mentioned services.