Monero core team confirms that the downloadable files of its privacy coin have been compromised in an attempted currency-stealing attack.
The hack was discovered on November 18, after a user downloaded a 64-bit Linux binary for working with Monero from the Linux command-line interface.
Shortly after downloading the installer from the Monero website, the user observed that the SHA256 hash of the downloaded file differed from the SHA256 hash recorded on the official site, indicating that the file had been altered.
Over the next several hours, users discovered that the mismatched cryptographic hash for the command-line interface binary was not the result of an error, but rather an attack designed to infect GetMonero users with malware.
Following the attempted hack, the Monero team said in a blog post:
“It’s strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th, 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don’t match the official ones, delete the files and download them again.”
According to Monero, all binaries are now free from malware, as they are currently sourced from a secure back-up server.
Analysis Finds ‘Coin Stealer’ In Monero Code
Although a complete analysis of the malicious Monero binaries on the official download platform is not yet available, security engineer and Monero contributor ‘SerHack’ says he was able to identify coin-stealer malware within the code.
According to SerHack, the malicious Windows and Linux CLI binaries served from the official Monero website during the approximately 30-minute window were also uploaded by moneromanz to an anonymous file-hosting server.
The malware sent the cryptographic secret used to access the wallet’s funds to a server at node.hashmonero[.]com, which in turn sent those funds to servers located at node.xmrsupport[.]co and 45.9.148[.]65.
The Windows version of the malware followed a very similar attack sequence, differing only slightly in function names.
Although the Monero team claims it intervened to take down the compromised file, at least one user reported losing funds worth around $7000.
How to Safeguard Funds in Compromised Wallets
Lead maintainer of the Monero project Riccardo Spagni, also known on Reddit as ‘Fluffypony’, published a series of digital signatures that all downloadable programs from the getmonero.org site should feature.
All users are advised to check whether the hash on their downloaded files matches Spagni’s official Monero hashes.
If users have already run the downloaded software, the Monero team’s warning states that they must immediately transfer any funds into a safe wallet. Users should not run the compromised binaries again for any reason.
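The check the article recommends, comparing a downloaded binary’s SHA256 against the published hash before running it, is shown below as an added example; it is not code from the Monero project or from the article. The file names and the sample contents in the demo are constructed for illustration, and the hash-list format assumed is the plain `<sha256>  <filename>` layout that `sha256sum` itself emits.

```shell
#!/bin/sh
# Added example (not from the Monero project): refuse to run a downloaded
# binary unless its SHA256 matches the hash published by the maintainers.

# verify_download <file> <expected_sha256>
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_download() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # published hashes are hex; normalise case
  if [ ! -f "$file" ]; then
    echo "missing file: $file" >&2
    return 2
  fi
  # sha256sum on Linux, shasum on macOS/BSD; both print "<hash>  <file>"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published hash"
    return 0
  fi
  echo "MISMATCH: $file (do not run this file)" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# verify_list <hashes_file> <download_dir>
# Checks every "<sha256>  <filename>" line of a published hash list against
# the files in <download_dir>. Returns 0 only if every listed file matches.
verify_list() {
  list="$1"
  dir="$2"
  failures=0
  while read -r hash name; do
    # skip blank lines and comments in the list
    [ -z "$hash" ] && continue
    case "$hash" in \#*) continue ;; esac
    verify_download "$dir/$name" "$hash" || failures=$((failures + 1))
  done < "$list"
  [ "$failures" -eq 0 ]
}

# demo: constructed files standing in for a genuine and a tampered download
demo() {
  tmp=$(mktemp -d)
  printf 'hello\n' > "$tmp/monero-cli.bin"          # constructed "genuine" file
  printf 'tampered\n' > "$tmp/monero-cli-bad.bin"   # constructed "altered" file
  # SHA256 of the bytes "hello\n"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  verify_download "$tmp/monero-cli.bin" "$good"
  verify_download "$tmp/monero-cli-bad.bin" "$good" || echo "demo: mismatch detected as expected"
  rm -rf "$tmp"
  return 0
}

demo
```

A hash list is only as trustworthy as the channel it came from: when the download page itself has been tampered with, the hashes shown beside the files may have been replaced too. Take the list from a separately authenticated source, such as the maintainers’ signed hashes the article mentions, and verify that signature before feeding the list to `verify_list`.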