The website of the Monero open-source cryptocurrency was compromised, and some users downloaded a modified binary that contained malware designed to steal funds from people’s wallets.
When a Linux user downloaded the latest Monero binary from the website, he did something that we should all do whenever we download a file: he compared the SHA256 hash of the downloaded file to the one listed on the website and noticed a difference. It turned out the website was compromised, and a modified binary was offered to users.
One role of an MD5 or SHA256 hash is to let people compare the files they download with those on the server. A mismatched hash could signal a problem with your system’s RAM, but it can also show that you’ve downloaded a different file than the original.
In the case of Monero, hackers had compromised the official website and download servers and replaced the file with their own version, laced with malware used to transfer funds from people’s wallets.
“Some users noticed the hash of the binaries they downloaded did not match the expected one: https://github.com/monero-project/monero/issues/6151
It appears the box has been indeed compromised and different CLI binaries served for 35 minutes. Downloads are now served from a safe fallback source. Always check the integrity of the binaries you download!” said the developers on Reddit.
“If you downloaded binaries in the last 24h, and did not check the integrity of the files, do it immediately. If the hashes do not match, do NOT run what you downloaded. If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe — but check the hashes).”
The investigation has so far only revealed that the binary had a simple coin stealer, but the developers are still working on determining how the breach occurred.
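The integrity check the developers urge above, as an added example (not code from the Monero project or from the original article): it looks up a file's published SHA256 in a `sha256sum`-style list and rejects the file on a mismatch or a missing entry. The function names, the file name and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are hashed without loading them whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_hash_list(text):
    """Parse 'HEXDIGEST  FILENAME' lines (sha256sum style) into {filename: digest}."""
    published = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            published[parts[1].lstrip("*")] = parts[0].lower()
    return published

def verify_download(path, hash_list_text):
    """Return (ok, reason). Fails closed: a missing entry counts as a failure."""
    expected = parse_hash_list(hash_list_text).get(os.path.basename(path))
    if expected is None:
        return False, "no published hash for this file name"
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected):
        return True, "hash matches"
    return False, f"MISMATCH: got {actual}, expected {expected}; do not run this file"

def demo():
    """Constructed sample: a stand-in 'release' file and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-cli-linux-x64.tar.bz2")  # made-up name
        with open(path, "wb") as fh:
            fh.write(b"original release bytes")
        listing = f"{sha256_file(path)}  example-cli-linux-x64.tar.bz2\n"
        good = verify_download(path, listing)
        with open(path, "ab") as fh:  # simulate a binary swapped on the server
            fh.write(b" + extra code")
        bad = verify_download(path, listing)
        return good, bad

if __name__ == "__main__":
    for ok, reason in demo():
        print("OK  " if ok else "FAIL", reason)
```

The comparison is only as trustworthy as the source of the hash list, so take the list from a channel other than the server that delivered the binary.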