A recent breach targeted the Monero community’s crowdfunding wallet, completely draining its funds totaling 2,675.73 XMR, equivalent to approximately $460,000.
The breach occurred on September 1, but it wasn’t until November 2 that Monero developer Luigi disclosed the incident on GitHub. He reported that the breach’s origin remains unknown.
“On the first of September, 2023, the CCS Wallet was emptied of its total funds, amounting to 2,675.73 XMR, just before the stroke of midnight. The hot wallet, reserved for payments to our contributors, was not affected and currently holds around 244 XMR. We are still investigating and have not yet pinpointed the source of the security breach,” Luigi stated.
The Monero Community Crowdfunding System (CCS) finances the community’s development initiatives. Ricardo “Fluffypony” Spagni, another Monero developer, expressed his dismay in the discussion, stressing the ethical weight of the theft: the stolen funds could have been critical for someone’s basic living expenses.
Luigi and Spagni were the only two people with access to the wallet’s seed phrase. Luigi said the CCS wallet was originally set up in 2020 on an Ubuntu system that also ran a Monero node. To pay community members, Luigi has run a hot wallet on a Windows 10 Pro system since 2017; that hot wallet received funds from the CCS wallet as needed. On September 1, however, the CCS wallet was drained in nine separate transactions. In response, the Monero core team has proposed that the General Fund cover the immediate financial obligations.
Spagni suggested that this incident might be connected to a string of attacks witnessed since April, involving various security compromises including stolen wallet data from multiple cryptocurrencies.
Some other developers speculate that the breach could have resulted from the exposure of the wallet keys on the Ubuntu server.
A developer posting under the pseudonym Marcovelon hypothesized that Luigi’s Windows computer might have been compromised and enrolled in a botnet without detection. He theorized that the attackers could have carried out the theft using stolen SSH credentials, or by using a trojan to gain remote desktop control while Luigi was unaware. He noted that compromised developer machines leading to significant corporate security breaches are not unprecedented.