On November 18, the official download site for the Monero CLI served a malicious binary for less than an hour. The malicious version of the download was designed to steal Monero from unsuspecting victims.

An entity compromised the box responsible for serving official binaries for the Monero CLI. The date of the breach has not been disclosed publicly as of this article. On November 18, an attacker—most likely the same one responsible for the breach—switched the legitimate binary for the infected version. Users quickly caught on and maintainers switched downloads to a fallback source. An investigation into the incident is underway.

Edit for Clarification: Users of /r/monero pointed out that readers might get the impression that the infected binaries were served intentionally by the Monero Project. That is not the case.

Update: GetMonero.org now has a banner and the team issued a brief statement:

Yesterday a GitHub issue about mismatching hashes coming from this website was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. See the reddit post by core team member binaryfate.

It’s strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don’t match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.

We have two guides available to help users check the authenticity of their binaries: Verify binaries on Windows (beginner) and Verify binaries on Linux, Mac, or Windows command line (advanced). Signed hashes can be found here: https://getmonero.org/downloads/hashes.txt.

The situation is being investigated and updates will be provided soon.

The Discovery

For less than one hour on November 18, the download link for the 64-bit Linux CLI binary (version 0.15.0.0 Carbon Chamaeleon) served a malicious copy of Monero Carbon Chamaeleon. According to Serhack, a security researcher (and the author of Mastering Monero), the creator of the malicious version forked the binary from commit f07c326f1. Running the binary with --version shows the commit in question: v0.15.0.0-f07c326f1.

Not long after the attacker had swapped the files, a user of the CLI opened an issue on the Monero Project’s GitHub repo and pointed out the mismatched hashes. Anyone can check the hashes of any binary; the Monero Project signs the SHA256 hashes of every binary with the GPG key of the lead maintainer, Riccardo Spagni aka Fluffypony. The list of signed hashes is available here: GetMonero.org Hashes. The easy way to access the hashes is via the command line: wget -O hashes.txt https://getmonero.org/downloads/hashes.txt. Assuming the user has already imported Fluffypony’s key, they can then verify the list of hashes with gpg --verify hashes.txt. The output should display “Good signature” as well as the subkey used to sign the file.

The CLI Download on GetMonero.org

Hash Mismatch

Although the hash displayed on GetMonero.org matched the correct hash, the actual hash of the binary did not. Without manually verifying the hash, a user would not have noticed the mismatch until after losing their coins and posting to Reddit about the issue.
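The check described above, as an added example (not the Monero Project's own script): it validates the signature on the hash list against an expected key fingerprint, then hashes the downloaded file itself instead of trusting the hash shown on the website. The function names, the constructed demo files and the caller-supplied fingerprint are assumptions; sha256sum and gpg are assumed to be installed and the signer's key already imported.

```shell
#!/bin/sh
# Added example. Assumes sha256sum and gpg are installed and the signer's key
# is already imported. Function names and demo files are illustrative.

# Succeed only if gpg reports a valid signature from the expected key.
# $1 = signed hash list, $2 = expected fingerprint (40 hex chars, no spaces).
# The fingerprint may be that of the signing subkey or of its primary key.
signature_ok() {
    [ "${#2}" -eq 40 ] || return 2   # an empty pattern would match any signer
    gpg --status-fd 1 --verify "$1" 2>/dev/null |
        grep -qi "^\[GNUPG:] VALIDSIG .*$2"
}

# Succeed only if the SHA256 of the file on disk appears in the hash list.
# $1 = hash list, $2 = downloaded file
hash_listed() {
    actual=$(sha256sum "$2" | cut -d' ' -f1) || return 2
    [ -n "$actual" ] || return 2     # hashing failed: never report a match
    grep -qiw "$actual" "$1"
}

# Full check: signature on the list first, then the hash of the file itself.
# $1 = hash list, $2 = downloaded file, $3 = expected fingerprint
verify_download() {
    signature_ok "$1" "$3" || { echo "BAD SIGNATURE on $1" >&2; return 1; }
    hash_listed "$1" "$2"  || { echo "HASH MISMATCH for $2" >&2; return 1; }
    echo "OK: $2"
}

# Offline demonstration with constructed files (not real Monero data):
# the published list stays the same while the served file is swapped.
demo() {
    d=$(mktemp -d) || return 2
    printf 'legitimate build\n' > "$d/wallet.bin"
    printf '%s  wallet.bin\n' \
        "$(sha256sum "$d/wallet.bin" | cut -d' ' -f1)" > "$d/hashes.txt"
    hash_listed "$d/hashes.txt" "$d/wallet.bin" && before=0 || before=1
    printf 'swapped build\n' > "$d/wallet.bin"
    hash_listed "$d/hashes.txt" "$d/wallet.bin" && after=0 || after=1
    rm -rf "$d"
    echo "$before $after"
}
```

Calling verify_download with the hash list, the downloaded archive and the maintainer's fingerprint runs both steps; demo exercises only the hash comparison and needs neither gpg nor network access.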

According to Serhack’s preliminary report, the hash of the malicious binary is 7ab9afbc5f9a1df687558d570192fbfe9e085712657d2cfa5524f2c8caccca31. The researcher is still conducting an analysis of the file. It is available for download here (anonfile).

Another user who analysed the file concluded that the malicious binary “only” steals coins (as opposed to stealing coins and compromising the machine).

KnifeOfPi2 on Reddit:

From what I’ve seen so far it seems to be a simple coin-stealer. I’m probably wrong though. But it doesn’t seem to alter system files, at least initially, and it doesn’t contact any servers. If it does compromise the machine, it’s very sneaky.

BinaryFate, a member of the core team, posted a warning on Reddit.

If you downloaded binaries in the last 24h, and did not check the integrity of the files, do it immediately. If the hashes do not match, do NOT run what you downloaded. If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe – but check the hashes).

Disappointingly, no official warning exists elsewhere. H/t to Dark.fail for pointing this out on Twitter.

Verifying the legitimacy of onion service mirrors is a useful practice for nearly all users of the Tor Browser.