Chainalysis Hijacked DNS to compromise Monero nodes!
Ok here's the situation,
First, a video from Chainalysis leaked of them running malicious nodes to try to identify users/transactions
Then, the community noticed a particular domain in the video, and when asking the owner, he said he stopped paying the VPS used in the video long ago. MoneroBull explained to me, that they are using a DNS hijacking technique where:
a) The domain owner points their domain to a VPS
b) The domain owner stops paying the VPS and leaves.
c) Chainanalysis rents that VPS and controls the domain, because the zone record isn't reflecting the change.
d) Then popular wallets have these nodes in their lists, and that's how Chainalysis gets "trusted" nodes.
So what are the lessons learned? Well, for one you can run your own node. And second, upgrades to Monero are coming, probably now sooner than later. Including full membership proofs, where it includes the entire chain as possible decoys. This will hopefully be a huge step for everyone.
But in my subjective view, until both Nostr and Monero stop the reliance on government domains, we're gonna have issues.
Sources:
https://www.digilol.net/blog/chainanalysis-malicious-xmr.html
https://nitter.aosus.link/monerobull/status/1832807857332330843#m
https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/
SimplifiedPrivacy.com
npub14s…jt5d6
2024-09-12 00:23:06
Author Public Key
npub14slk4lshtylkrqg9z0dvng09gn58h88frvnax7uga3v0h25szj4qzjt5d6Published at
2024-09-12 00:23:06Event JSON
{
"id": "a25e2bf09a4697d5ae54e21a2037372b0d9ac246e54b10aa207e83edb262a13f",
"pubkey": "ac3f6afe17593f61810513dac9a1e544e87b9ce91b27d37b88ec58fbaa9014aa",
"created_at": 1726100586,
"kind": 1,
"tags": [],
"content": "Chainalysis Hijacked DNS to compromise Monero nodes!\n \nOk here's the situation,\n\nFirst, a video from Chainalysis leaked of them running malicious nodes to try to identify users/transactions\n\nThen, the community noticed a particular domain in the video, and when asking the owner, he said he stopped paying the VPS used in the video long ago. MoneroBull explained to me, that they are using a DNS hijacking technique where:\n\na) The domain owner points their domain to a VPS\nb) The domain owner stops paying the VPS and leaves.\nc) Chainanalysis rents that VPS and controls the domain, because the zone record isn't reflecting the change.\nd) Then popular wallets have these nodes in their lists, and that's how Chainalysis gets \"trusted\" nodes.\n\nSo what are the lessons learned? Well, for one you can run your own node. And second, upgrades to Monero are coming, probably now sooner than later. Including full membership proofs, where it includes the entire chain as possible decoys. This will hopefully be a huge step for everyone. \n\nBut in my subjective view, until both Nostr and Monero stop the reliance on government domains, we're gonna have issues.\n\nSources:\nhttps://www.digilol.net/blog/chainanalysis-malicious-xmr.html\nhttps://nitter.aosus.link/monerobull/status/1832807857332330843#m\nhttps://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/",
"sig": "2ae5fe37b6fd4cf59c5a5dfbc140ff8867514fa80ca5f6c02bb9db6164f78c6a9f2472868797029598dcd0413c19f4e00443e72fb8b8cc44cbcecdd6c42bf5b2"
}