The website of the Monero open-source cryptocurrency was
compromised, and some users downloaded a modified binary that contained malware
designed to steal funds from people’s wallets.
When a Linux user downloaded the latest Monero binary
from the website, he did something that we should all do whenever we download a
file. He compared the SHA256 hash of the downloaded file to
the one listed on the website and noticed a difference. It turned out the
website was compromised, and a modified binary was being served to users.
One role of an MD5 or SHA256 hash is to let people check that
the file they downloaded is identical to the one on the server. A mismatched hash could signal
a problem with your system’s RAM, but it can also mean you’ve downloaded a different
file than the original.
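The check the article describes, as an added example that is not part of the original report or of the Monero project's own tooling: a small POSIX shell function that computes the SHA256 digest of a downloaded file and compares it with an expected value. It assumes `sha256sum` (GNU coreutils) or `shasum` (BSD/macOS) is installed, and that the expected hash was taken from a source the attacker could not have altered together with the download (for instance a signed hashes file verified separately); the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded file against an expected SHA256 digest.
# Assumption: sha256sum (coreutils) or shasum (BSD/macOS) is available.

# Print the SHA256 hex digest of a file, whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Exit status: 0 when the digest matches (case-insensitive),
#              1 on mismatch,
#              2 when the file is missing or EXPECTED_HEX is not a 64-char hex string.
verify_sha256() {
  file=$1
  # Normalise the expected value to lowercase so copy-pasted uppercase hashes work.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

  [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 2; }
  case $expected in
    ""|*[!0-9a-f]*) echo "verify_sha256: expected hash is not hexadecimal" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || {
    echo "verify_sha256: expected hash must be 64 hex characters" >&2; return 2; }

  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  # Mismatch: print both values so the user can see what was actually served.
  echo "MISMATCH: $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Usage (placeholder names): refuse to go further if the digest differs.
# verify_sha256 ./downloaded-wallet.tar.bz2 "$EXPECTED_HASH" || exit 1
```

The comparison only proves something if the expected value did not travel over the same compromised channel as the file: an attacker who can replace the binary on a web server can usually replace a plain hash listed beside it as well, which is why projects publish signed hash lists and why the reference value should be checked against that signature, or against a copy obtained elsewhere, before it is used here.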
In the case of Monero, hackers had compromised the
official website and download servers and replaced the file with their own
version, laced with malware used to transfer funds from people’s wallets.
“Some users noticed the hash of the binaries they
downloaded did not match the expected one:
https://github.com/monero-project/monero/issues/6151
It appears the box has been indeed compromised and
different CLI binaries served for 35 minutes. Downloads are now served from a
safe fallback source. Always check the integrity of the binaries you download!”
said the developers on Reddit.
“If you downloaded binaries in the last 24h, and did not
check the integrity of the files, do it immediately. If the hashes do not
match, do NOT run what you downloaded. If you have already run them, transfer
the funds out of all wallets that you opened with the (probably malicious)
executables immediately, using a safe version of the Monero wallet (the one
online as we speak is safe — but check the hashes).”
The investigation has so far only revealed that the
binary had a simple coin stealer, but the developers are still working on
determining how the breach occurred.