Am actually surprised that the scammer switched registrars to be honest.
I am not. This is an excellent strategy to protect the domain.
In fact, this change may be the reason why Namecheap did not take action. Sometimes change requests take several days, as codes have to be shared during the process. When the process begins, the originating company no longer has that domain in its possession, even though the information is still on its side. For confidentiality reasons, they could not say that it was in the process of moving. I'm not trying to defend them here, just looking for a reason for their more passive attitude.
Most likely, the request for change must have occurred at the beginning of this "campaign". This action began on March 14th, and began to have effects 3 to 5 days later. Seeing what was happening, he activated the registrar transfer request. The request probably occurred on 2025-04-06.
However, in the case of monero[.]forex I found another revealing proof of how the domain is part of the scheme:
https://whoisfreaks.com/tools/whois/history/lookup/monero.forex
In February, the domain was updated to be on the same server as exch[.]cash.
This is clear proof that it is the same owner.