Horizon@HorizonXRPL
Official Statement Regarding horizonxrpl.com
20 June 2026
Today, horizonxrpl.com was suspended by our domain registrar, Namecheap, following an allegation that part of the site was involved in phishing.
The material provided to us as evidence included a screenshot of Horizon’s legitimate, optional self-custodial wallet-import interface. The screenshot does not show impersonation, credential transmission, redirection, malware, or exfiltration. It shows a genuine Horizon feature that allows users to manage an XRPL wallet locally within their own browser.
We understand why any interface involving a recovery phrase deserves serious scrutiny. It should be scrutinized. However, a screenshot of an empty recovery-phrase field does not establish phishing. The relevant technical question is whether the interface deceives users or transmits their credentials to another party. Horizon does neither.
Horizon is self-custodial
Horizon is a decentralized exchange and trading platform built on the XRP Ledger. Horizon does not take custody of users’ funds. Users interact from wallets they control, and transactions are executed on-chain. This is also how Horizon has consistently described the platform publicly.
For the optional wallet-import function shown in the submitted screenshot:
- A recovery phrase is processed locally within the user’s browser.
- It is not sent to Horizon’s servers through HTTP requests, WebSockets, forms, analytics, logging systems, or backend APIs.
- The wallet data is encrypted locally using the browser’s Web Crypto API.
- Only encrypted wallet data is persisted in same-origin IndexedDB on the user’s device.
- Key derivation, decryption, and transaction signing take place locally.
- Horizon personnel cannot retrieve, view, reset, export, or use a user’s recovery phrase or private key.
- Public wallet information and signed transactions may be transmitted as required to interact with the XRP Ledger, but private credentials do not leave the device.
As with any locally operated wallet, the browser must momentarily process the recovery phrase to derive the wallet. That is fundamentally different from collecting or transmitting the phrase to a remote operator.
Our review has found no evidence that Horizon was compromised, that an unauthorized deployment took place, or that wallet credentials were transmitted to Horizon infrastructure.
Our response to Namecheap
We immediately submitted a formal appeal to Namecheap’s Legal & Abuse team and requested:
An urgent human technical review;
- Restoration of horizonxrpl.com;
- The precise technical basis for the phishing classification;
- Any network evidence showing alleged credential transmission;
- The exact URL, timestamp, redirect chain, scanner methodology, and indicators relied upon;
- Confirmation of whether the report came from an individual, automated feed, security provider, or Namecheap Trusted Provider;
- Preservation of the original report, attachments, metadata, internal review records, and enforcement history; and
- Disclosure of the reporting source to the extent legally permitted.
We have offered to provide a reproducible test using a newly generated zero-value wallet, a complete browser network capture, a HAR file, relevant source-code excerpts, production deployment records, server logs, and a technical walkthrough.
Namecheap’s own published suspension process permits customers to dispute suspensions they believe are unfair or incorrect.
Namecheap also operates a Phishing Reports API for approved Trusted Providers. Its published terms require those providers to verify that submitted links are genuinely involved in phishing or fraud and to attach supporting evidence. The same terms state that Namecheap independently verifies reported services. We have asked Namecheap to determine whether those verification requirements were properly followed in this case.
The separate Phantom warning
Separately, Horizon users have previously encountered a warning or block affecting horizonxrpl.com through the Phantom browser extension. We have challenged that classification and requested review.
Phantom’s own documentation makes clear that its warnings can arise through several different mechanisms. These include automated domain review, transaction-simulation failures, rule-based domain and website checks, and a community-maintained blocklist. A Phantom warning therefore does not necessarily mean that a named individual manually reported a domain or that phishing was independently proven.
At present, we do not have evidence proving that the Phantom action and the Namecheap suspension were caused by the same individual or organization. We will not publicly identify or accuse anyone without evidence.
However, the repetition and timing of these events give us a legitimate basis to investigate whether Horizon has been affected by:
- Shared and inaccurate security feeds;
- Automated systems misclassifying legitimate self-custodial functionality;
- Confusion with an impersonator or lookalike domain; or
- Knowingly false or coordinated reports submitted to damage Horizon.
We have requested that all relevant records be preserved. We are evaluating appropriate legal remedies in the event that the evidence establishes malicious false reporting, impersonation, or deliberate interference with Horizon’s operations.
What this means for users
This is a registrar-level availability issue. It is not a custody event, wallet breach, or compromise of the XRP Ledger.
Because Horizon is self-custodial, the suspension of the website does not transfer, freeze, or expose users’ on-chain assets. Horizon does not hold those assets.
Until access is restored:
- Do not trust any new or lookalike domain claiming to replace Horizon.
- Horizon has not launched an emergency mirror, migration portal, airdrop, token claim, or recovery service.
- Horizon support will never ask you to send a recovery phrase or private key by email, direct message, Telegram, Discord, or support ticket.
- Do not enter a recovery phrase into any website claiming to be an alternative Horizon interface.
- Rely only on updates published through Horizon’s established official accounts, including @HorizonXRPL on X.
Bad actors often exploit service interruptions by launching impersonator domains or contacting users who are looking for help. Please treat unsolicited messages and unofficial links as hostile.
Our position
We strongly support legitimate anti-phishing protections. Crypto users deserve robust safeguards, and applications involving wallet credentials should be held to a high technical standard.
Those safeguards must also distinguish between an application that steals credentials and a self-custodial wallet interface that processes and encrypts credentials locally. Making that distinction requires examination of network behavior, code paths, storage, and signing architecture—not merely a screenshot of a recovery-phrase input.
We are cooperating fully with Namecheap and are seeking a fair, technically informed review. We are also pursuing correction of the Phantom warning and investigating whether the incidents are connected through a shared source or reporting system.
We will publish further updates when Namecheap or Phantom responds, and we will share technical evidence where doing so does not compromise user security.
Our immediate priorities remain:
- Restoring access to horizonxrpl.com;
- Protecting users from impersonators during the interruption;
- Demonstrating conclusively that Horizon does not collect or transmit wallet credentials; and
- Preserving our rights in relation to any knowingly false or malicious reports.
Thank you to the Horizon community for remaining patient, vigilant, and supportive while we resolve this.
Daniel Newton
Founder and Lead Developer
HorizonXRPL
