Attack depletes Monero community wallet
By: Dickson Arinze

November 6, 2023 7:37 AM
The community crowdfunding wallet for Monero has lost 2,675.73 XMR in a security breach; the cause and source of the intrusion remain unknown.
A recent cyberattack drained Monero's community crowdfunding wallet of its entire balance of 2,675.73 Monero (XMR), valued at over $460,000 at the time.
The incident took place on September 1, but Luigi, a Monero developer, only revealed it on GitHub on November 2. He claims that the source of the intrusion has yet to be discovered.
"On the evening of September 1, 2023, shortly before midnight, the whole sum of 2,675.73 XMR was removed from the CCS wallet. The hot wallet, which is used to make payouts to contributors, is unaffected; its balance is 244 XMR. So far, we have not been able to determine the source of the intrusion."
Members' development ideas are funded using Monero's Community Crowdfunding System (CCS). "This attack is unconscionable, as they've taken funds that a contributor might be relying on to pay their rent or buy food," wrote Monero developer Ricardo "Fluffypony" Spagni in the forum.
Luigi and Spagni were the only ones who knew the wallet seed phrase. According to Luigi's post, the CCS wallet and a Monero node were installed on an Ubuntu system in 2020.
To pay community members, Luigi used a hot wallet that has lived on a Windows 10 Pro desktop since 2017; the CCS wallet was used to top up that hot wallet when needed. On September 1, however, the CCS wallet was swept in nine transactions. Monero's core team is requesting that the General Fund cover the CCS's current liabilities.
"It may be related to the ongoing attacks that we've seen since April, as they include an array of compromised keys (including Bitcoin wallet.dats, seeds derived with all manner of hardware and software, Ethereum pre-sale wallets, etc.) and include XMR that's been swept," Spagni wrote in the forum post.
Other developers suspect the compromise stemmed from the wallet keys being kept online on the Ubuntu server.
"I wouldn't be shocked if Luigi's Windows PC was already part of some undetectable botnet and its controllers launched this attack using SSH session details on that system (by either stealing the SSH key or live exploiting the trojan's remote desktop control feature while the victim was oblivious). It is not uncommon for compromised developers' Windows machines to result in large corporate breaches," stated pseudonymous developer Marcovelon.