The official website of the Monero cryptocurrency, GetMonero (.) Com, which provides binaries for Linux and Windows, was compromised and used to distribute malware that steals user funds.
The incident occurred on November 18, 2019. The first to notice something strange were users, who quickly reported it on GitHub: the SHA256 hash of the 64-bit Linux binary did not match the hash listed on the official website, which meant the file had been modified. Soon after that post, Monero developers confirmed the compromise on the official Twitter account.
“Everyone who downloaded the CLI wallet from the site on November 18, between 2:30 UTC and 16:30 UTC, is strongly recommended to check the hashes of the binary files. If they do not match the official ones, delete the files and download them again. Never run compromised binaries,” the developers warn.
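The check the developers recommend, as an added example that is not code from the Monero project or from the original article: it streams a downloaded file through SHA256, looks the file up in a sha256sum-style hash list (the "<sha256>  <filename>" line format is an assumption; other lines are skipped), and treats both a mismatch and an unlisted filename as failure. The sample archive bytes and hash list at the bottom are constructed for the demonstration.

```python
import hashlib
import hmac
from pathlib import Path

# Assumed list format: one "<sha256>  <filename>" per line (sha256sum style);
# headers, comments and signature armour do not split into exactly two fields.
def parse_hash_list(text):
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            expected[parts[1]] = parts[0].lower()
    return expected

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large archive is never loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def check_digest(name, actual, hash_list_text):
    """Return (ok, message). A file missing from the list is a failure, not a pass."""
    expected = parse_hash_list(hash_list_text)
    if name not in expected:
        return False, f"{name}: not present in the published hash list"
    if not hmac.compare_digest(actual.lower(), expected[name]):
        return False, f"{name}: MISMATCH expected {expected[name]} got {actual}: do not run"
    return True, f"{name}: OK"

def verify_file(path, hash_list_text):
    """Hash a downloaded file and compare it against the published list by filename."""
    return check_digest(Path(path).name, sha256_file(path), hash_list_text)

# Constructed sample data standing in for a release archive and its hash list.
GOOD_BLOB = b"monero-linux-x64 release archive (constructed sample)"
TAMPERED_BLOB = GOOD_BLOB + b"\x00injected"
SAMPLE_HASH_LIST = (
    "# constructed release hash list in sha256sum format\n"
    f"{sha256_bytes(GOOD_BLOB)}  monero-linux-x64.tar.bz2\n"
)

if __name__ == "__main__":
    import sys  # usage: python verify.py <downloaded file> <hash list file>
    ok, msg = verify_file(sys.argv[1], Path(sys.argv[2]).read_text())
    print(msg)
    sys.exit(0 if ok else 1)
```

Because the download site itself was compromised, the expected hashes must come from a source the attacker did not control (the project's signed hash file, checked against its release signing key obtained separately), not from the same page the binary came from.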
At least one user has already reported on Reddit losing funds as a result of this attack, confirming that the malware was aimed at stealing funds. “About nine hours after I launched the binary, one transaction emptied my wallet and withdrew all 7,000 dollars,” the victim writes.
Analysis of the Linux malware shows that once a user opened or created a wallet, its seed was sent to the server node.hashmonero (.) Com. The malware then sent funds from the wallet to the servers node.xmrsupport (.) Com and 45.9.148 (.) 65. The malicious CLI wallet for Windows behaved in much the same way.
Little is known about the attack itself, but Monero developers are investigating what happened. How exactly the download server was compromised is unclear, but it is reported that there is now nothing to fear, since all files are being served from a backup source.