The Monero community faced a significant setback on September 1, 2023, when its Community Crowdfunding System (CCS) wallet suffered a security breach, resulting in the loss of 2,675.73 XMR, equivalent to approximately $460,000. The incident, disclosed by developer Luigi on November 2, has left the Monero community grappling with the aftermath of the attack.
The breach, which targeted the CCS wallet used to fund development proposals from community members, remains shrouded in mystery. Luigi and Monero’s developer Ricardo “Fluffypony” Spagni were the only individuals with access to the wallet seed phrase. Luigi’s post revealed that the CCS wallet was set up on an Ubuntu system in 2020, alongside a Monero node.
The breach, involving nine transactions that drained the entire balance of the CCS wallet, raised concerns within the Monero community. Spagni highlighted the gravity of the situation, stating, “This attack is unconscionable, as they’ve taken funds that a contributor might be relying on to pay their rent or buy food.”
Spagni suggested a potential link to ongoing attacks since April, involving compromised keys across various cryptocurrencies, including Bitcoin and Ethereum. Developers speculated that the breach might have originated from the wallet keys being available online on the Ubuntu server. Pseudonymous developer Marcovelon raised the possibility of the attacker exploiting a compromised Windows machine, emphasising the commonality of such occurrences in major breaches.
Blockchain analysis firm Moonstone Research conducted an in-depth analysis of the Monero CCS wallet breach, shedding light on the hacker’s activities and potential vulnerabilities.
The breach, executed by skilled hackers on September 1, involved nine transactions that emptied the CCS wallet. Moonstone identified an unusual transaction with 17 input enotes and 11 output enotes, labelling it a “poisoned” operation due to its distinctive structure. The firm believes that only the attackers executed these transactions, leaving behind traces of their activities.
Moonstone traced the attack back to a Monerujo wallet user who activated the PocketChange feature. Monerujo, an Android non-custodial Monero wallet, offers this feature to segment coins into multiple “pockets,” allowing for instant spending without a 20-minute delay. The attacker generated 11 output enotes, an anomaly indicating the use of Monerujo version 3.3.7 or 3.3.8.
The breach and subsequent analysis underscore the challenges even privacy-focused cryptocurrencies like Monero face in terms of security. While Monero’s core privacy mechanism remains robust, the incident sparked discussions within the community regarding the safety of decentralised projects and the potential risks associated with advanced features such as PocketChange.
Moonstone Research traced three of the hacker’s transactions, revealing certain aspects of Monero’s privacy features.
Moonstone’s postmortem disclosed that, under specific circumstances, XMR transactions can be partially traced despite their privacy features. The investigation focused on one transaction that merged funds from the nine initial hack transactions, indicating potential tracing possibilities.
While the report demonstrated partial tracing capabilities, it emphasised the complexity of Monero transactions, designed to impose complexity on transaction graphs, leading to false positives and ambiguity. This development sparked discussions within the crypto community, with some expressing surprise and concern about the perceived privacy limitations.
Security expert Seth Simmons highlighted the atypical nature of the tracing scenario, emphasising that it doesn’t apply to the typical Monero user. Simmons stressed that XMR remains inherently private and resistant to most tracking attempts. He attributed the tracing ability to unusual circumstances, including sharing private keys with a chain surveillance company and providing significant off-chain metadata voluntarily.
The Monero community faces ongoing challenges in addressing the breach, highlighting the importance of continuous efforts to enhance security measures within digital currency systems.