The official website of the Monero cryptocurrency project was hacked, and the legitimate Linux and Windows binaries available for download were replaced with malicious versions that were programmed to steal funds from users’ wallets.
This supply-chain cyberattack was revealed when a Monero user found that the cryptographic hash for binaries he downloaded from the official site did not match the hashes listed on it.
The Monero team conducted an immediate investigation and confirmed that its website, GetMonero.com, was compromised, affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC.
It is not known how the hackers managed to compromise the Monero website and how many users are affected by the hack.
According to security researcher BartBlaze, who analysed the malicious binaries, the attackers modified the legitimate binaries to inject new functions into the software that execute after a user opens or creates a new wallet.
The malicious functions are designed to automatically steal the user’s wallet seed, the secret phrase from which the wallet’s keys and funds can be restored, and send it to a remote attacker-controlled server, allowing the attackers to drain the wallet easily. The malware does not create any additional files or folders.
A GetMonero user claimed to have lost funds worth $7000 after installing the malicious Linux binary.
GetMonero officials assured users that the compromised files were online for a very short time and that the binaries are now served from another safe source.
They also recommend that users check the hashes of their Monero CLI binaries and delete the files if they don’t match the official ones, then download the files again rather than running the compromised binaries.
Users who need to learn how to verify file hashes on Windows, Linux, or macOS can check the advisory from the official GetMonero team.
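The check recommended above, as an added example that is not from the article or from the Monero project: a POSIX shell script that computes the SHA-256 digest of a downloaded binary and compares it against a published hash list. The list format assumed here is the common sha256sum layout (one hex digest, whitespace, then a filename per line); the sample files and digests are constructed inside a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not the Monero project's code: verify a downloaded binary
# against a published SHA-256 digest before running it.

# Print the SHA-256 hex digest of a file, using whichever tool the platform
# provides (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected digest for a filename in a hash list.
# $1 = hash list file, $2 = basename of the binary.
# Assumed list format: "<hex digest>  <filename>", one entry per line.
expected_digest() {
    awk -v f="$2" '$2 == f {print $1; exit}' "$1"
}

# verify_binary <file> <hash list>
# Returns 0 if the file's digest matches the published one, 1 if it does not
# or if the file is not listed at all (an unlisted file is not trusted either).
verify_binary() {
    file="$1"; hashes="$2"
    want=$(expected_digest "$hashes" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "no published hash for $(basename "$file"); refusing to trust it" >&2
        return 1
    fi
    got=$(sha256_of "$file")
    if [ "$got" = "$want" ]; then
        echo "OK: $file matches the published hash"
        return 0
    fi
    echo "MISMATCH: $file (got $got, expected $want); delete it and re-download" >&2
    return 1
}

# Constructed demo data in a temporary directory: one intact file whose digest
# is listed correctly, and one file whose contents were altered after the
# list was published, so its digest no longer matches.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'legit wallet binary\n' > "$demo_dir/monero-wallet-cli"
good=$(sha256_of "$demo_dir/monero-wallet-cli")
printf '%s  monero-wallet-cli\n%s  monerod\n' "$good" "$good" > "$demo_dir/hashes.txt"
printf 'legit wallet binary PLUS INJECTED CODE\n' > "$demo_dir/monerod"

# Demo run: the first check passes, the second reports a mismatch.
verify_binary "$demo_dir/monero-wallet-cli" "$demo_dir/hashes.txt"
verify_binary "$demo_dir/monerod" "$demo_dir/hashes.txt" || echo "(mismatch caught as expected)"
```

The hash list itself must come from a source the attacker could not have altered along with the binaries; a list hosted on the same compromised server is only as trustworthy as the download, so the published list should be cross-checked through a second channel or its signature verified before the digests are relied on.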
The identity of the hackers is also not known, and the GetMonero team is currently investigating the incident.