Tuesday, November 19, 2019

Monero download site and binaries compromised


Earlier this evening I saw a tweet appear claiming that Monero had been hacked and that a malicious binary (instead of the real one) was being served:

Post on Reddit:

Github issue:

Linux binary

Thanks to user nikitasius I was able to retrieve the malicious binary:

This binary is an ELF file with the following properties:
When comparing the legitimate file and this ELF file, we notice the file size is different, and a few new functions have been added:


This function is called immediately after either opening or creating a new wallet, as can be seen in Figures 1 and 2 below.

Figure 1 - Create wallet (legitimate)

Figure 2 - Call new seed function

The seed will be sent to: node.hashmonero[.]com.


As you may have guessed, this function sends data off to the CC or C2 (command and control) server; in this case, that data is the stolen funds.

Figure 3 - Send to cc

Sending funds to the C2 is handled using an HTTP POST request to the following C2 servers:

  • node.xmrsupport[.]co
  • 45.9.148[.]65

As far as I can see, it doesn't seem to create any additional files or folders - it simply steals your seed and attempts to exfiltrate funds from your wallet.

Windows binary

The C2 server 45.9.148[.]65 also hosts a Windows binary with the following properties:

The Windows version does essentially the same things as the Linux version - stealing your seed and wallet funds - only the function names differ, e.g. _ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE.

Figure 4 - Send to cc

Note: this doesn’t mean the official Windows binary was also compromised - it simply means there’s also a compromised Windows binary out there. Only the Monero team can confirm if other binaries (besides the Linux one mentioned in this blog) have been compromised.


Note: What is a hash? A hash is a unique identifier. This can be for a file, a word, ... It is preferred to use SHA256 hashes for file integrity checks, as they are more secure.

You may also use the following Yara rule to detect the malicious or compromised binaries:
Download Yara (and documentation) from:
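The rule below is an added illustrative example, not the author's rule, built only from the indicators named in this post (the C2 hostnames, the C2 IP address and the mangled name of the added seed-stealing function); the rule name and the ELF/PE magic check are my own assumptions. The hostnames and IP are written without the [.] defanging because the rule has to match the strings as they actually occur in the binary.

```yara
// Illustrative rule, not the author's. Strings come from the indicators in this post;
// the rule name and the file-magic check are assumptions. Hostnames are written
// without [.] so the rule matches the real strings embedded in the binary.
rule Monero_CLI_Wallet_Trojanised_Nov2019
{
    meta:
        description = "Detects the trojanised Monero CLI wallet binaries (Linux ELF and Windows PE) described in this post"
        date = "2019-11-19"
    strings:
        // Seed exfiltration endpoint
        $c2_seed   = "node.hashmonero.com" ascii wide
        // Fund-exfiltration C2 servers contacted via HTTP POST
        $c2_funds1 = "node.xmrsupport.co" ascii wide
        $c2_funds2 = "45.9.148.65" ascii wide
        // Mangled name of the added seed-stealing function seen in the Windows binary
        $fn_seed   = "_ZN10cryptonote13simple_wallet9send_seedERKN4epee15wipeable_stringE" ascii
    condition:
        // ELF header (0x7f 'E' 'L' 'F') or PE header ('MZ')
        (uint32(0) == 0x464c457f or uint16(0) == 0x5a4d) and
        (any of ($c2_*) or $fn_seed)
}
```

A match on any one of these strings is enough to warrant quarantining the file and checking its hash against the official list.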

There's an additional analysis by SerHack here:

Note: Especially go through the steps if at any point you downloaded, used or installed new binaries between these dates: Monday 18th 1:30 AM UTC and 5:30 PM UTC. Download the latest version from: https://web.getmonero.org/downloads/.

Monero team statement

The Monero team has issued a statement as follows:

Warning: The binaries of the CLI wallet were compromised for a short time:

I expect this statement to be updated in the following days, so monitor it as well.


Monero is not the first, nor will it likely be the last cryptocurrency (in this case, its website and binaries) that gets compromised.

Follow the steps in this blog post to protect yourself, and always watch your online accounts closely, especially those in which you have invested financially. Use strong passwords, use MFA (or 2FA) where possible, and always be vigilant. Verify hashes whenever a new version is available.

Note: this blog post is not intended to be a full analysis, but rather a quick report on the facts, including recommendations. Questions or feedback? Happy to hear it!

Let me know in the comments below or on Twitter.


Indicator type | Indicator

On AlienVault:


MITRE ATT&CK techniques

ID: T1195 - Supply Chain Compromise
ID: T1199 - Trusted Relationship