Monero’s official website appears to have been hacked this week. Malicious actors were able to upload a compromised version of Monero’s Command Line Interface wallet that sent private keys to an external server.
On Monday, the community alerted developers on GitHub that the hash of the official release mismatched with the one available for download on the website. Hashes are used as a software fingerprint to identify exactly these kinds of manipulations — even one changed byte would completely alter the resulting hash string.
The issue lasted for about 14 hours on Monday, after which Monero developers changed the source of the wallet’s binaries.
An analysis from a security researcher shows that the modified wallet contained a malicious line that leaked the private keys of any new or existing wallet added to the software. The data was sent to a server at xmrsupport.co, what appears to be a domain created specifically for this attack. This may have been a preventative measure to not trigger system firewalls, as requests to raw IP addresses could be registered as suspicious and blocked.
The hack appears to have been at least partially successful, with one Reddit user claiming to have lost $7,000 as a consequence of the attack.
The breach is nevertheless unlikely to have affected large portions of the Monero community. Though a compromised Windows binary appears to have been created, the malware was only served to Linux users. This issue appears to be only affecting the command line wallet, which is naturally less used than the graphical interface version.