Cyber Incident Victim: Monero

Date: Nov 2019

Location: United States of America

Summary

The official Monero website was compromised to distribute malware-infected cryptocurrency wallet software, leading to theft of user funds. Attackers altered a Linux binary installer available for download, with the breach discovered after a user detected a hash mismatch between the downloaded file and legitimate versions. The malicious file actively stole funds from victims' accounts, resulting in at least one confirmed loss of $7,000. The compromise occurred during a specific window of time before being mitigated, with the project team confirming the incident, advising hash verification, and restoring secure downloads through an alternative source while continuing their investigation.

Description

On November 18, 2019, the official Monero cryptocurrency website was compromised, leading to the distribution of a malware-infected file designed to steal funds from users. The breach was discovered when a user downloading the 64-bit Linux CLI binary from the site noticed a discrepancy between the SHA256 hash of the downloaded file and the legitimate hash provided on the platform. This mismatch indicated unauthorized tampering with the file. The user reported the issue on GitHub, prompting an investigation by the Monero team, who confirmed the compromise via a public tweet on November 19. The malicious binary, available for download during the attack window, replaced the genuine installer and contained code capable of siphoning cryptocurrency from victims’ wallets. The compromise occurred between 2:30 AM and 4:30 PM UTC on November 18, during which the attacker(s) altered the file hosted on the official download server.

The Monero team responded by urging users to verify file hashes before executing downloads and advising against running any suspicious files. Despite these warnings, at least one user reported a financial loss of $7,000 due to executing the compromised binary. The team redirected downloads to a fallback source, confirming that files from this alternate location were secure. An investigation into the breach remained ongoing at the time of reporting, with no additional details disclosed about the intrusion vector or perpetrator. The infected file was made available for analysis at a third-party hosting site, accompanied by a VirusTotal scan link to aid in reverse-engineering efforts. The incident underscored operational risks associated with unverified software downloads, even from trusted official sources.
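The check the Monero team asked users to perform, refusing to run a download whose SHA256 digest does not match the published one, looks like this in practice. The script below is an added example, not code from the incident page or from the Monero project: it assumes a hash list in the `sha256sum` format (`<hex digest>  <filename>`), and the file names and contents it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the incident page or from the Monero project:
# check a downloaded release file against a published SHA256 list before it is
# ever executed. A hash list in sha256sum format ("<hex>  <filename>") is
# assumed; the file names and contents below are constructed for the demo.

# Print the SHA256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_download FILE HASHES_FILE
# Returns 0 when FILE's digest matches the entry for its name in HASHES_FILE,
# 1 on a mismatch (tampered or corrupted download), 2 when the list has no
# entry for the file at all. Nothing is executed in any of these cases.
verify_download() {
    file="$1"
    hashes="$2"
    name=$(basename "$file")

    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$hashes")
    if [ -z "$expected" ]; then
        echo "no published hash for $name; refusing to run it" >&2
        return 2
    fi

    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "hash OK: $name"
        return 0
    fi

    echo "HASH MISMATCH: $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demonstration with constructed files: the "download" is the 5 bytes "hello"
# and the hash list carries the known SHA256 of exactly that content.
demo() {
    dir=$(mktemp -d)
    dl="$dir/wallet-cli-linux-x64.tar.bz2"
    list="$dir/hashes.txt"

    printf 'hello' > "$dl"
    printf '%s  %s\n' \
        2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
        wallet-cli-linux-x64.tar.bz2 > "$list"

    # Genuine file: the check passes.
    verify_download "$dl" "$list"

    # Simulate a swapped file on the server: one changed byte fails the check.
    printf 'hellO' > "$dl"
    if verify_download "$dl" "$list"; then
        echo "unexpected: tampered file passed" >&2
    fi

    rm -rf "$dir"
}

demo
```

The comparison is only as strong as the source of the expected digest. In this incident the attacker altered the file on the official download server, so a hash list served from the same host could in principle have been changed at the same time; the published digests should come from a channel the download server does not control, or the list itself should be signature-checked, before a match is treated as proof that the file is genuine.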