The official website for the Monero cryptocurrency has been hacked to deliver currency-stealing malware to the devices of users who downloaded the wallet software. Monero has been billed as a secure, private and untraceable currency system, but its website fell prey to hackers, a compromise that came to light after users pointed out inconsistencies in the download files.
How did users find out about the attack?
The attack came to light on Monday after multiple users on GitHub, Reddit and Twitter found that the hash of a wallet binary downloaded from the site did not match the hash listed on the site. Hashing is a cryptographic technique that converts data of any size into a fixed-length digest that is unique in practice: even a one-byte change to a file produces a completely different digest, which is why comparing a download's hash against the published value reveals tampering.
After a few hours, users realized that the discrepancy in the hashing data was not the result of an error but instead an attempt to infiltrate GetMonero users' devices and sneak in malware, which was later confirmed by site officials.
"It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries," GetMonero officials wrote. "If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason."
How did the malware steal money from users?
Further investigation revealed that the coin-stealing malware was in the wallet download file for devices running the operating system (the Windows and macOS download files were not compromised) and added functions to the original software. One of these would activate as soon as a user opened or created a wallet.
It would then send the wallet seed, which is essentially a series of secret words that allow users to access or recover their wallet, to a server and drain funds from the user's wallets. "Roughly 9 hours after I ran the binary a single transaction drained my wallet of all $7000," wrote a user on Reddit. "I downloaded the build yesterday around 6pm Pacific time." The user added that at the time it was not clear if the malware carried out other nefarious actions on the device itself.