A security breach has resulted in the loss of 2,675.73 XMR from Monero's community crowdfunding wallet. The cause and source of the breach remain unidentified.
A recent attack compromised Monero’s community crowdfunding wallet, wiping out its entire balance of 2,675.73 Monero (XMR), worth nearly $460,000.
The incident took place on Sept. 1 but was only disclosed on GitHub on Nov. 2 by Monero’s developer Luigi. According to him, the source of the breach has not been identified yet.
"The CCS Wallet was drained of 2,675.73 XMR (the entire balance) on September 1, 2023, just before midnight. The hot wallet, used for payments to contributors, is untouched; its balance is ~244 XMR. We have thus far not been able to ascertain the source of the breach."
Monero’s Community Crowdfunding System (CCS) funds development proposals from its members. “This attack is unconscionable, as they’ve taken funds that a contributor might be relying on to pay their rent or buy food,” noted in the thread Monero's developer Ricardo "Fluffypony" Spagni.
Luigi and Spagni were the only two people who had access to the wallet seed phrase. According to Luigi's post, the CCS wallet was set up on an Ubuntu system in 2020, alongside a Monero node.
To make payments to community members, Luigi used a hot wallet that has been on a Windows 10 Pro desktop since 2017. As needed, the hot wallet was funded by the CCS wallet. On Sept. 1, however, the CCS wallet was swept in nine transactions. Monero's core team is calling for the General Fund to cover its current liabilities.
"It's entirely possible that it's related to the ongoing attacks that we've seen since April, as they include a variety of compromised keys (including Bitcoin wallet.dats, seeds generated with all manner of hardware and software, Ethereum pre-sale wallets, etc.) and include XMR that's been swept," Spagni noted in the thread.
According to other developers, the breach could have originated from the wallet keys being available online on the Ubuntu server.
"I wouldn't be surprised if Luigi's Windows machine was already part of some undetected botnet and its operators performed this attack via SSH session details on that machine (by either stealing the SSH key or live using trojan's remote desktop control capability while the victim was unaware). Compromised developers' Windows machines resulting into big corporate breaches is not something uncommon," noted pseudonymous developer Marcovelon.