• Attackers compromised the official Monero project to spread cryptocurrency stealing malware instead of the legitimate Monero downloads.
  • The compromised files were online for a brief period and that the binaries are now served from another safe source.

A cyberattack was confirmed by the website officials of the Monero cryptocurrency project on Monday, wherein attackers covertly replaced legitimate—and downloadable—Linux and Windows binaries with their malicious versions.

What happened?

A supply chain cyber-attack came in light after a Monero user spotted a mismatch in the cryptographic hash for binaries he downloaded from the official site. It didn't match the hashes provided by the software developers.

  • Following an immediate investigation, the Monero team said that its website, GetMonero.com, was indeed compromised.
  • GetMonero immediately released an update saying, “anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 am UTC and 4:30 pm UTC, to check the hashes of their binaries.”
  • "If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason," it added.
  • The identity of hackers is still unknown, and the GetMonero team is currently investigating the incident.

How does the malware operate?

An analysis of the malicious binaries was performed by security researcher BartBlaze. It was revealed that the attackers modified legitimate binaries by injecting a few new functions in the software.

  • The malware gets triggered when a user opens or creates a new wallet.
  • It is programmed to automatically steal funds from users' wallets.
  • The malicious functions send users' wallet seed—kind of a secret key that restores wallet access—to a remote attacker-controlled server, allowing attackers to steal funds from the victim without any hassle.

"As far as I can see, it doesn't seem to create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet," the researcher said.

Loss claimed by a user

A Monero user on Reddit claimed to have lost funds worth $7000 after installing the malicious Linux binary.

"I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary, a single transaction drained my wallet of all $7000," the user wrote. "I downloaded the build yesterday around 6 pm Pacific time."

The aftermath of the findings

The Monero team assured its users that the compromised files were online for a very short amount of time.

  • The compromised files were online for a brief period and that the binaries are now served from another safe source.
  • Meanwhile, the officials advised users to check the hashes of their binaries for the Monero CLI software and ensure they have an official one.
  • The Monero team has issued a detailed advisory if anyone wants to learn how to verify hashes of the files on your Windows, Linux, or macOS system.

Till moment, there’s no clarity on how attackers managed to infiltrate the Monero website and who all got affected and lost their digital funds.

Cyware Publisher