Malicious actors have hacked and infected the official website of Monero, one of the most popular anonymous cryptocurrencies, the project announced Tuesday. A Monero user found the coin-stealing malware in a downloadable Linux command line binary.
The user discovered the binary was infected when he checked whether the cryptographic hash he calculated for the downloaded Monero wallet binary matched the hash presented on the site. The downloaded file produced a different SHA256 hash.
He then alerted the Monero team, which later confirmed in an advisory that the Monero server was compromised.
“Yesterday, a GitHub issue about mismatching hashes coming from this website was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source,” it said.
The team recommended that everyone check the CLI wallet binaries downloaded between Monday 18 2:30 AM UTC and 4:30 PM UTC to ensure that they aren’t compromised. If the files don’t match the official hashes, users should delete them and download them again from the Monero website.
The team recommended against running the compromised files. It also said that it will continue to investigate the issue and that more updates will be posted on its website soon.
Few users ever check whether a downloaded file’s hash matches the one on the website, but it's a good way to quickly identify when a file may have been compromised. The Monero team pointed users to its beginner and advanced-level guides on how to check that the Monero wallets they download are clean of malware.
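The hash check described above, as an added Python example (not code from the Monero project or its guides): it streams the downloaded file through SHA-256 and compares the result with the entry for that file in a published hash list. The `sha256sum`-style list format, the file names and the sample contents are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Assumed list format: "<64 hex chars>  <file name>", as written by sha256sum.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_hash_list(text):
    """Map file name -> lowercase SHA-256; non-matching lines are skipped."""
    published = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            published[m.group(2).strip()] = m.group(1).lower()
    return published

def verify_download(path, hash_list_text):
    """Return 'match', 'mismatch', or 'unlisted' for the file at path."""
    expected = parse_hash_list(hash_list_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published hash: unverified, not clean
    actual = sha256_file(path)
    return "match" if hmac.compare_digest(actual, expected) else "mismatch"

def demo():
    """Constructed sample: genuine file, swapped contents, unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        name = "example-wallet-cli.tar.bz2"  # hypothetical file name
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(b"genuine release bytes")
        hash_list = "# constructed hash list\n%s  %s\n" % (sha256_file(path), name)
        genuine = verify_download(path, hash_list)
        with open(path, "wb") as fh:
            fh.write(b"tampered release bytes")  # same name, different bytes
        tampered = verify_download(path, hash_list)
        other = os.path.join(d, "not-in-list.bin")
        open(other, "wb").close()
        return genuine, tampered, verify_download(other, hash_list)

if __name__ == "__main__":
    print(demo())
```

A match is only as trustworthy as the hash list itself, so the list should come from a channel that someone controlling the download server could not also alter.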