Official Monero website compromised with malware that steals funds

The official website of the Monero cryptocurrency has been compromised to deliver a malware-infected file that steals funds from account owners.

The compromise happened yesterday, November 18. A user spotted the compromised filed and reported the issue on GitHub, with the Monero team confirming the hack in a tweet earlier today.

The hack was discovered after the user downloaded a 64-bit Linux binary for working with Monero cryptocurrency from the Linux command-line interface.

After downloading the installer from the official website, the user noticed that the SHA256 hash for the downloaded file did not match the SHA256 hash listed on the official site — meaning that the file had been altered.

Monero team confirms hack, still investigating

“It appears the box has been indeed compromised and different CLI binaries served for 35 minutes,” the Monero team said in a Reddit post published this morning, confirming the incident.

Although the Monero team claims it intervened to take down the compromised file in less than an hour, the 35-minute window was enough for hackers, and at least one user reported losing funds.

“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained the wallet of all $7000,” said a user in a Reddit comment.

At the time of writing, the Monero team said it was still investigating how the hacker (group) compromised its download server. Downloads should be safe now, they said, as they’re being delivered from a “fallback source.”

While it’s unclear how many users lost funds in this hack, the incident shows how important a simple action like verifying file hashes for recently downloaded files can sometimes be — a practice that very few people follow.

A version of the malware-infected Monero Linux CLI binary is available for download from here (for reverse-engineering purposes, DON’T RUN). A VirusTotal scan is available here.