
Monero’s official website was compromised to deliver a malware-infected file that steals coins from account owners. The compromise was confirmed on Tuesday, Nov. 19, when XMR Core Development Team member Binaryfate alerted Reddit readers that the command-line interface (CLI) wallet binaries users were downloading had been briefly altered. The SHA256 hash of the downloaded file did not match the SHA256 hash listed on the official site. For 35 minutes, different CLI binaries were served.

“If they downloaded binaries in the last 24h, and did not check the integrity of the files, to do so immediately. If the hashes did not match, do not run the download,” Binaryfate further warned Reddit readers. “If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe — but check the hashes).”

The report of stolen coins was confirmed on GitHub by a professional investigator using the nickname Serhack. Approximately nine hours after he ran the binary, a single transaction drained his wallet. The build was downloaded yesterday around 6 pm PST. 

XMR Core community team member ErCiccione followed up on Monero’s (XMR) official website, explaining that an investigation found that a malicious version of the CLI wallet binaries was served. The problem occurred on Monday 18th, 2:30 am UTC, and 4:30 pm UTC. XMR holders are advised to delete the corrupted files and download them again from a safer source.

Although the Monero team states it intervened to take down the compromised file, at least one Reddit user reported losing funds.

Two guides have been provided (here and here) to help users check the authenticity of their binaries, while the correct hashes are available here.

This is not the first time a leading blockchain development platform has been hacked. In September, AirSwap’s developers announced the discovery of a critical vulnerability in the system’s new smart contract. To maintain network integrity, many development teams now offer bounty programs for exposing vulnerabilities. Users must still always check the integrity of the binaries they download.
