Monero Website Hacked, CLI Binaries Infected With Cryptocurrency-Stealing Malware By Hacker

by Sunny Hoi

The official website of the Monero (XMR) cryptocurrency has been hacked, and the software available for download on the site was compromised to steal cryptocurrency funds from account owners, according to a November 19 Reddit post published by XMR Core Team member binaryFate.

According to the Reddit post, some Monero users realized that the hash of the downloaded binaries failed to match the expected one.

Several users have reported and confirmed the security issue on various other platforms such as GitHub and Twitter.

Monero’s core development team had acknowledged that the infected files had been delivered from the site for approximately 35 minutes before they changed to a secure fallback source for providing downloads.

The Reddit post also cautioned users who had downloaded binaries over the past 24 hours without verifying the integrity of the files, requesting them to do so right away. Furthermore, the XMR Core Team member asked users not to run them in the event that the hashes do not correspond.

In situations where the binaries had already been run, the Monero core team member requested users to transfer funds out of every wallet opened with the feasible malicious executables utilizing a secure version of the Monero wallet.

The security incident was initially discovered by GitHub user nikitasius who published on the official Monero project repository that he had noticed that the SHA256 hash for the downloaded file failed to match the SHA256 hash displayed on the official Monero website. This illustrated that the file had been modified.

On closer inspection, nikitasius also observed that the hashes for monero-wallet-cli didn’t correspond either.

At the time of publication, the Monero team is still investigating the security incident to establish how the files were compromised. Despite the fact that it is not currently known yet how many users downloaded the infected software, at least one individual has revealed that their Monero wallet had been depleted after downloading and running the infected binary file.

Reddit user moneromanz said:

“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary a single transaction drained my wallet of all $7,000. I downloaded the build yesterday around 6pm Pacific time.”

Moreover, moneromanz stated that it seemed that the “the attacker forked from commit f07c326f1 in the public repo” and cautioned Monero users not to run the binary for the purpose of checking the version.

Note that the automod in the r/Monero subreddit seems to have deleted the original for reasons not known.

The Correct Hashes

A link to the correct hashes for all Monero binaries was shared by the XMR Core Team member which is available on the official website:

Verifying if the downloaded binaries possess the rectified hashes are available to view for Windows here and Linux and macOS here.

Downloading The Malware-Infected Monero Linux CLI Binary For Analysis & Reverse-Engineering Purposes

For security researchers and individuals interested in reverse-engineering, a version of the Monero Linux CLI binary which was infected with malware by the unknown attacker can be downloaded from here.

The malicious binaries were uploaded by moneromanz to an anonymous file hosting server and are available for anyone to analyze.

A VirusTotal scan may be found here.


Hashes are irreversible mathematical functions which, in this instance, are deployed to produce an alphanumeric string from a file that should have been distinct if the attacker was to render modifications to the file.

A common mitigation strategy used by users and security professionals is to save the hash produced from software available for download and retain it on another server.

With such a mitigation tactic openly available for deployment, users can produce a hash from the file they downloaded and verify it against the expected result.

In the event that the hash produced from the downloaded file is distinct, then it is possible that the version disseminated by the server has been replaced by the hacker with a malicious variation.

The Price Of Monero

The price of Monero suddenly dropped by more than five percent Monday morning – from $62.43 to $59.12 in less than three hours. After dropping further to $58.56 overnight, Monero has since started to recover its position and is currently trading at $60.03.

Who Is The Hacker?

It is not known whether the hacker is a state-sponsored actor, though some XMR users believe the attacker was a state actor.

Evidently, the attacker has not been identified. Based on the hacker’s technical capabilities, it may be extremely difficult for the Monero team or law enforcement investigators to identify the individual or individuals responsible for the hack.

Based on our observations on platforms like Reddit, we can at least conclude that the hacker was at least financially motivated or just saw the financial opportunity available.

Related Posts