Monero Project admits thieves stole 6-figure sum from a wallet in mystery breach

The Monero Project is admitting that one of its wallets was drained by an unknown source in September, losing the equivalent of around $437,000 at today's exchange rate.

A Monero Project maintainer who goes by the alias of Luigi announced on November 2 that the project's community crowdfunding system (CCS) wallet was drained of 2,675.73 XMR on September 1.

The team behind Monero is trying to determine how the breach occurred but said it could be related to the ongoing wallet-draining attacks the community has seen since April.

The funds were drained during nine separate transactions that took place in as many minutes.

None of the project's other wallets were affected, including the general fund, which is used to support the project's development and occasionally contributing to key community initiatives like conferences or research.

The project's maintainers have "taken additional precautions" to secure the other wallets associated with Monero, such as enabling multisig so more than one individual is required to sign off on any given transaction.

"It's also possible that the attacker isn't aware of what they've stolen, in which case I'd ask them to consider that they have stolen funds that are donated by individuals against specific things that Monero contributors are working on," said another maintainer.

"This attack is unconscionable, as they've taken funds that a contributor might be relying on to pay their rent or buy food. I'd urge them to take action to make this right if they become aware of this."

Wider wallet-draining attacks

Atomic Wallet was attacked earlier this year in an incident that ultimately led to more than 5,000 cryptocurrency wallets mysteriously drained of their funds.

Those behind the attack have reportedly netted themselves at least $100 million, including ten victims losing $1 million or more. The average loss for each wallet was $2,800, according to Elliptic.

The blockchain analytics provider attributed the attack to the North Korean state-sponsored Lazarus Group, which it says has stolen more than $2 billion across several heists.

How are they getting in?

The question of how Lazarus is breaking into these wallets remains unanswered. In response to the attack, Atomic Wallet contacted victims to gather information about their setups in an attempt to determine the source of the breach, but has not yet publicized its findings.

In October, Atomic Wallet revealed it was able to work with leading cryptocurrency exchanges to freeze $2 million in stolen funds related to the earlier incident. It hasn't published details of the ongoing investigation into the mass draining, which is being supported by blockchain forensic specialists Chainalysis and Crystal.

Tracking the wallet-draining attacks, Taylor Monahan, lead product manager/owner at cryptocurrency wallet software company MetaMask, said the profile of victims "is the most striking thing" and they're all "reasonably secure" and reputable organizations.

There is a wide diversity of cryptocurrencies and blockchains that have been successfully targeted, including Bitcoin, Monero, and Ethereum, and wallets with seed lengths of 12 and 24 words have both been breached.

Monahan noted that most victims are high profile and large sums are being stolen in each wallet sweep, indicating that it may be a targeted operation.

• Cryptojackers steal AWS credentials from GitHub in 5 minutes
• Google puts $1M behind its promise to detect cryptomining malware
• Acer confirms server intrusion after miscreant offers 160GB cache of stolen files
• Monero-mining botnet targets Windows, Linux web servers

Responding to the community's discussions around the possibility that the LastPass breach could have had a role in leaking the seeds to the raided wallets, she said she was "confident" that seeds were stolen from the password manager.

"The number of victims who only had the specific group of seeds/keys that were drained stored in LastPass is simply too much to ignore," Monahan wrote.

"To this day LastPass has not provided useful indicators of compromise or any info that could lead to attribution (e.g. IPs, UAs).

"Additionally, most users who had their wallets drained had extremely secure LastPass passwords. It would be legitimately impossible to brute force them. Which means that either someone has compromised hundreds of users' vaults one by one via a still undetected method, or it means that LastPass has still not shared some critical details about their security posture and the stuff that was compromised by the attackers.

"I want to emphasize strongly that LastPass can and should be doing more here. They are a disgusting failure of a company."

The idea that LastPass's breach played a role in these attacks was supported by an independent blockchain investigator going by the alias ZachXBT.

More than 25 different victims had their wallets drained on October 25 alone, amounting to a total of $4.4 million stolen, according to their account of the incident, which was "a result of the LastPass hack."

LastPass CEO Karim Toubba told The Register that there is no current evidence linking the company's breach to the ongoing wallet-draining attacks.

"The work being done by these researchers in uncovering the theft of cryptocurrency is important," he said. "Since initial assertions surfaced linking the 2022 LastPass security incidents to the theft of cryptocurrency, we have reached out to researchers to investigate these claims. 

"To date we have no evidence that directly connects these events to LastPass. We urge any security researchers with evidence to reach out to the LastPass Threat Intelligence team by contacting securitydisclosure@lastpass.com."

Despite these wallet-draining attacks starting in April, the method used to carry them out is still yet to be established. ®