Developers of Monero, the privacy-enhancing blockchain, reported a breach of its community crowdfunding system (CCS) wallet, which resulted in its entire balance being drained.
In a GitHub disclosure on Thursday, pseudonymous Monero developer Luigi notified the community that 2675.73 XMR, worth around $460,000 at the time of writing, had been drained just before midnight on Sept. 1.
The CCS wallet funds proposals and development of the Monero protocol, and all funds are donated by individuals and entities to further that cause. According to a timeline shared by Luigi, the wallet was set up in April 2020 by Luigi and another Monero maintainer, Riccardo Spagni, better known by his pseudonym “Fluffypony.”
In August 2021, Fluffypony was arrested on non-crypto-related charges in Tennessee and was accused of stealing around $100,000 from his former employee. After his arrest, Luigi took over the maintenance of the CCS wallet and, as of late September, kept a majority of funds in the CCS wallet and a small portion in the hot wallet (the balance of which remains intact).
“I no longer have access to any of these wallets (although I do have large corp / treasury wallets on that laptop that pre-date Monero hardware wallet support and remain untouched), but I’ve taken similar precautions,” commented Fluffypony on the incident report.
“This attack is unconscionable, as they’ve taken funds that a contributor might be relying on to pay their rent or buy food. I’d urge them to take action to make this right if they become aware of this,” he added.
A postmortem of the incident by Moonstone Research revealed that the attacker swept the wallet in nine transactions and suggested that the attacker is likely a Monerujo wallet user who had the PocketChange feature enabled.