The official site for the Monero digital coin was hacked to deliver currency-stealing malware to users who were downloading wallet software, officials with GetMonero.org said on Tuesday.
The supply-chain attack came to light on Monday when a site user reported that the cryptographic hash for a command-line interface wallet downloaded from the site didn’t match the hash listed on the page. Over the next several hours, users discovered that the miss-matching hash wasn’t the result of an error. Instead, it was an attack designed to infect GetMonero users with malware. Site officials later confirmed that finding.
“It’s strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries,” GetMonero officials wrote. “If they don’t match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.“
An analysis of the malicious Linux binary found that it added a few new functions to the legitimate one. One of the functions was called after a user opened or created a new wallet. It sent the wallet seed—which is the cryptographic secret used to access wallet funds—to a server located at node.hashmonero[.]com. The malware then sent wallet funds to the servers located at node.xmrsupport[.]co and 45.9.148[.]65.
A malicious Windows version of the CLI wallet carried out an almost identical attack sequence.
At least one person participating in a Reddit forum claimed to have lost digital coins after installing the malicious Linux binary.
“Roughly 9 hours after I ran the binary a single transaction drained my wallet of all $7000,” the person wrote. “I downloaded the build yesterday around 6pm Pacific time.”
The user said at the time that it wasn’t clear if the malware carried out other nefarious actions on the computer itself. The person made a copy of the malware available for download so that researchers can analyze the code. Under no circumstances should people run this binary on anything other than a test machine that has no access to cryptocurrency wallets.
GetMonero’s advisory didn’t say the site was compromised or if the vulnerabilities that led to the hack had been fixed. Users should stay apprised of this breach in the coming days.
The incident is a graphic reminder of why it’s crucial to check summaries before installing software. The links in the paragraph above this one explain how to do that.