xmr.club

Active incidents

Hacks, exploits, regulatory pauses and operator-flagged events affecting the listed services. Incident status is point-in-time; the grade reflects long-term posture. The two coexist: a grade-A provider can be in incident mode.

16 active
6 critical / high
8 medium
1 low
  1. ⚠ Critical C xmr.gg /wagering 2026-07-04 2d ago

    Operator announced full shutdown on 2026-07-06. Betting already disabled. Withdraw any remaining XMR balance immediately — after the shutdown date the site will be gone and funds will not be recoverable.

    logged by curator · no public source yet
  2. ⚠ Critical D OpenMonero /exchanges 2026-06-08 28d ago

    Server compromise on 2026-06-08: an attacker gained root access (local privilege escalation) to OpenMonero's main server and stole ~200 XMR. The operator stated all funds are gone. This is a repeat event — "hacked again" — not a first-time breach.

    Curator's advice

    Do not deposit or hold funds on OpenMonero. Withdraw anything still accessible and avoid the platform until a full public post-mortem, infrastructure rebuild, and independent audit. A recurring server compromise with total fund loss is a critical custody failure. Update (2026-06-11): the operator has not publicly confirmed the 06-08 incident; some community members claim it may be a negative-trade-amount input-handling bug rather than a breach, others call it a rug — unverified either way. Given the repeat pattern and operator silence, treat funds as at-risk until OpenMonero publishes a verifiable post-mortem.

  3. ⚠ High C AzireVPN /vpns 2026-07-02 4d ago

    Operator change verified — AzireVPN's `/about` page now reads: "AzireVPN is owned by Malwarebytes, a global leader in real-time cyber protection, based in Santa Clara, CA, US." That is a material trust-story shift for a service originally listed as a Sweden-based independent no-logs VPN. Simultaneously, the `/pricing` page no longer lists Monero (or Bitcoin) as a payment method — XMR has been dropped. The no-logs claim was substantively part of the original Grade-A rationale; under Malwarebytes ownership it requires re-verification via an audit specifically conducted after the ownership change.

    Curator's advice

    Grade downgraded A → C on 2026-07-02. Existing customers should treat the no-logs claim as under-review, not confirmed. Users specifically avoiding US-jurisdiction VPN providers (CLOUD Act, subpoena, national-security-letter regime) should rotate to a peer VPN with disclosed ownership outside the US. Path back to B requires XMR reinstated + published post-acquisition no-logs audit. Path back to A additionally requires verifiable operational independence from Malwarebytes's US legal exposure.

  4. ⚠ High B EigenWallet /wallets 2026-05-25 1 month ago

    Maintainers advised market-makers (eigenwallet-makers Matrix) to shut down their ASB (Atomic Swap Backend) on 2026-05-25 due to an actively-exploitable vulnerability. A 2026-05-29 developer correction states the impact is worse than first reported: a malicious swap can net the attacker the full XMR while the maker recovers only ~10% of their BTC. Mitigation has since shipped — v4.7.9 (2026-05-29) makes the ASB refuse cooperative XMR-redeem requests when the BTC received is <75% of the BTC sent into the swap; the latest release is 4.7.10 (2026-06-02). Still no public CVE or formal post-mortem.

    Curator's advice

    Don't run an ASB / market-maker right now. Taker-side swaps may still be possible against makers who are online, but trade volume has dried up while operators wait for the patch. We'll update this entry the moment a fixed release ships or the maintainers publish a post-mortem. Track github.com/eigenwallet/core/releases and the Matrix room linked from eigenwallet.org.

  5. ⚠ High A THORChain /exchanges 2026-05-11 2 months ago

    GG20/TSS-key cryptography flaw exploited 2026-05-11 — ~$10.7M drained from a POL vault. Trading RESUMED 2026-06-23 on non-XMR chains (BTC/ETH/SOL/TRON/XRP/etc.) after ~6 weeks offline; the Monero leg is still pending — XMR.XMR is not yet on mainnet pools (operator: "XMR soon"). ADR-028 was approved and implemented: the loss is absorbed by protocol-owned liquidity via a store migration — there is NO user refund, airdrop, or compensation program (the operator states this explicitly; the earlier 2026-06-04 'refund portal' deadline lapsed and was superseded by POL absorption). v3.18.1 patched the flaw; the v3.19 restart release entered stagenet in early June, with a full churn to fresh vaults and Monero prioritized in the DEX queue, and full trading/LP targeted ~1 week after mainnet adoption. The TSS library was temporarily closed-sourced for a Soda Labs cryptographic audit (~2-4 weeks). Restart in progress, not yet complete (as of 2026-06-04).

    Curator's advice

    Don't open new trades until THORChain unpauses (still paused as of 2026-05-27). If you held funds at the time of the exploit, file via the refund portal before 2026-06-04 — protocol absorbs losses via Protocol-Owned Liquidity first. Beware of phishing impersonator refund portals — only use the link from thorchain.org. XMR pool may resume earlier than EVM legs; confirm pool status on /thorchain or the protocol dashboard. Update (2026-06-11): Incident Update #6 — v3.19.0 deployed (TSS patches + ADR-028 loss-recovery + compromised-vault quarantine), 11-step restart underway; trading still paused as of 06-10. No refund/compensation program (ADR-028 POL absorption only). Recovery progressing, not worsening.

  6. ⚠ High A Bisq (classic) /exchanges 2026-05-01 2 months ago

    v1 trade protocol exploit — missing validation on negative network-fee values let an attacker drain ~11.59 BTC from active/open offers. Bisq halted trading via emergency version flag until patched in v1.9.x+. As of 2026-05-25: DAO compensation vote scheduled (reimbursement in BTC or BSQ from DAO reserves under discussion).

    Curator's advice

    Update to the patched Bisq v1.9.x+ before trading. Bisq Easy (Bisq 2) is the safer current path. Verify signed releases before running. Affected users: a Bisq DAO compensation vote is in progress as of 2026-05-25 — monitor official Bisq channels for the vote outcome.

  7. ⚠ Medium A- Njalla Domains /email 2026-06-14 22d ago

    In Q4 2024 Njalla silently relocated from Nevis (1337 Services LLC) to Costa Rica (njalla.srl) with no customer announcement. Costa Rica's RTBF registry makes UBO information shareable to government entities and foreign court orders are more enforceable than in Nevis — a weakening of the offshore offsets that defined Njalla's privacy posture. Founder brokep's public profiles (Mastodon, Bluesky, X) went dormant in the same window. Njalla support's response to user inquiries has been take-it-or-leave-it. No malicious behaviour or domain seizure is documented in the cited source; the issue is opacity + a quietly weaker threat-model offset.

    Curator's advice

    Existing pseudonymous domains paid via untraceable methods appear unaffected at the time of writing. Reconsider Njalla for new high-risk registrations (politically sensitive, pirate-adjacent, abuse-attractor content); the jurisdictional offset is now thinner than the marketing implies.

  8. ⚠ Medium A- Njalla VPS /hosting 2026-06-14 22d ago

    In Q4 2024 Njalla silently relocated from Nevis (1337 Services LLC) to Costa Rica (njalla.srl) with no customer announcement. Costa Rica's RTBF registry makes UBO information shareable to government entities and foreign court orders are more enforceable than in Nevis — a weakening of the offshore offsets that defined Njalla's privacy posture. Founder brokep's public profiles (Mastodon, Bluesky, X) went dormant in the same window. Njalla support's response to user inquiries has been take-it-or-leave-it. No malicious behaviour or domain seizure is documented in the cited source; the issue is opacity + a quietly weaker threat-model offset.

    Curator's advice

    Existing pseudonymous domains paid via untraceable methods appear unaffected at the time of writing. Reconsider Njalla for new high-risk registrations (politically sensitive, pirate-adjacent, abuse-attractor content); the jurisdictional offset is now thinner than the marketing implies.

  9. ⚠ Medium B- Njalla VPN /vpns 2026-06-14 22d ago

    In Q4 2024 Njalla silently relocated from Nevis (1337 Services LLC) to Costa Rica (njalla.srl) with no customer announcement. Costa Rica's RTBF registry makes UBO information shareable to government entities and foreign court orders are more enforceable than in Nevis — a weakening of the offshore offsets that defined Njalla's privacy posture. Founder brokep's public profiles (Mastodon, Bluesky, X) went dormant in the same window. Njalla support's response to user inquiries has been take-it-or-leave-it. No malicious behaviour or domain seizure is documented in the cited source; the issue is opacity + a quietly weaker threat-model offset.

    Curator's advice

    Existing pseudonymous domains paid via untraceable methods appear unaffected at the time of writing. Reconsider Njalla for new high-risk registrations (politically sensitive, pirate-adjacent, abuse-attractor content); the jurisdictional offset is now thinner than the marketing implies.

  10. ⚠ Medium B- FixedFloat /exchanges 2026-06-08 28d ago

    AML freeze on a routed 3000 TRX → BTC order (2026-05-16). Post-incident chain analysis confirmed that the deposit had direct exposure to known laundering channels and indirect hops to sanctioned entities; the freeze was AML-justified, not a random shotgun-KYC pattern. FixedFloat does not offer refund-to-origin on flagged inputs; recovery requires a dispute with KYC. Editorial conclusion: the case illustrates the grade-B outcome, since the grade-A providers in our catalogue offer refund-to-origin on the same AML flag without requiring KYC.

    Curator's advice

    Inputs with any chain-analysis red flag will probably be frozen at FixedFloat. If you can verify that your inputs are clean, FF works well. If your inputs touched mixers, DNM-adjacent addresses or hops to sanctioned entities (even indirectly), route through grade-A providers (SageSwap, StealthEX, Exolix) that offer refund-to-origin without requiring KYC.

  11. ⚠ Medium B- Wagyu /exchanges 2026-05-30 1 month ago

    Operator-alignment watch: Wagyu's founder (@PerpetualCow) publicly identifies as a hype-aligned operator who uses XMR as an instrument, not as a privacy-aligned operator with a Monero mission. The founder's X bio reads: "$HYPE maximalist. not loud about it, just patient. Contributing to @HyperliquidX and XMR through Wagyu.xyz." In a post on 2026-05-29 the founder stated: "Aside from $HYPE there's nothing worth owning in crypto anymore. As sad as it is." That includes Monero, said by the founder of a Monero swap. Adjacent project ($COW on Fwog.fun) abandoned via missed deadlines, after-the-fact denial of leadership, and deletion of the Telegram on 2026-05-18. The Wagyu swap itself is still operating (~$320M cumulative / ~$30M monthly); the April DPRK incident is listed separately.

    Curator's advice

    Use the swap if you need it (the volume confirms it works), but do not park a balance and do not trade more than you could absorb if the operator walks away. Grade adjusted B → B- (2026-05-30) for structural misalignment. Further movement depends on events on the Wagyu side.

  12. ⚠ Medium A- Exolix /exchanges 2026-05-28 1 month ago

    Partner-API broken-access-control disclosed by RasterSec on 2026-05-28. JWT keys embedded in public partner repos + Android APKs allowed anyone to dump all partner swap records — ~355,944 swaps / $39.5M of metadata (addresses, tx hashes, timestamps, user IDs) from Jan 2025 → May 2026. Affected partners: Edge, Exodus, Monerujo, BTCPay Server, Temple Wallet, EGToken.io. Exolix patched via WAF rules (not by fixing the underlying access control) and initially characterized the issue as "a feature." Past user swap trails are permanently exposed; new swaps unaffected.

    Curator's advice

    If you swapped via Exolix or any of the affected partner integrations between Jan 2025 and May 2026, assume your deposit + withdrawal addresses are now in third-party datasets (searchable, downloadable, immutable). For NEW swaps, Exolix still works as advertised — the WAF fix prevents further dumps. But weigh the operator's initial "feature" framing before routing sensitive flows; A-grade peers (SageSwap, StealthEX) had no such disclosure.

  13. ⚠ Medium B- Wagyu /exchanges 2026-04-22 3 months ago

    Operator-alignment watch: Wagyu's founder (@PerpetualCow) publicly identifies as a hype-aligned operator who uses XMR as an instrument, not as a privacy-aligned operator with a Monero mission. The founder's X bio reads: "$HYPE maximalist. not loud about it, just patient. Contributing to @HyperliquidX and XMR through Wagyu.xyz." In a post on 2026-05-29 the founder stated: "Aside from $HYPE there's nothing worth owning in crypto anymore. As sad as it is." That includes Monero, said by the founder of a Monero swap. Adjacent project ($COW on Fwog.fun) abandoned via missed deadlines, after-the-fact denial of leadership, and deletion of the Telegram on 2026-05-18. The Wagyu swap itself is still operating (~$320M cumulative / ~$30M monthly); the April DPRK incident is listed separately.

    Curator's advice

    Use the swap if you need it (the volume confirms it works), but do not park a balance and do not trade more than you could absorb if the operator walks away. Grade adjusted B → B- (2026-05-30) for structural misalignment. Further movement depends on events on the Wagyu side.

  14. ⚠ Medium B BuyVM /hosting 2025-01-08 1.5y ago

    Two verified changes on the trust-story axis since the initial B-listing: (1) BuyVM was acquired by Cloudzy in January 2025 — founder Francisco stayed on and told the community at the time there would be "no change in pricing… no reduction in resources… no downgrades in hardware." (2) In May 2026, BuyVM announced its first-ever price adjustment, effective 2026-07-01, of roughly 15-25% across all KVM Slice plans (e.g. 4 GB slice $15→$17 for existing customers, $20 for new). The operator's stated reason is >15% upstream DC and bandwidth increases over the preceding six months. The pricing move breaks the letter of the acquisition-time promise, though the reasoning is disclosed publicly.

    Curator's advice

    Grade held at B — the operator's transparency in explaining the price adjustment plus the fact that post-hike pricing stays competitive with the peer set keeps this above C. The "independent VPS" framing has been dropped from the tagline. Existing customers on affected plans should expect the new pricing on their next renewal on/after 2026-07-01. Path to A now requires: three years of clean operation under Cloudzy ownership without a second broken commitment, plus a peer-directory listing corroborating the current trust story.

  15. ⚠ Low C SplitNOW /exchanges 2026-05-23 1 month ago

    Hidden 3.06% swap spread + 141% withdrawal-fee markup above network cost found in live audit (0.2 XMR test). Support admitted partner-side slippage on small orders and offered manual refund.

    Curator's advice

    Use only if you tolerate ~3–6% effective fee for the multi-wallet split convenience. Quote-vs-fill gap is not surfaced before deposit.

    logged by curator · no public source yet
  16. ⚠ warning B xmr.bar /wagering 2026-07-04 2d ago

    The public 'Recent Bets' feed on xmr.bar shows entries dated 10-11 weeks ago as of 2026-07-04 (external observation by @exitnode_). Site is online, betting endpoints reachable, but the on-page activity metric appears frozen since ~April 2026. Could be a backend/data event (widget wiped or disconnected from live data), or a genuine decline in traffic. Neither the operator nor the site has publicly explained. Interpret as an information-worthy signal, not a shutdown.

    logged by curator · no public source yet
Resolved history · 3 past incidents, kept on record
  1. ✓ Resolved A- Haveno /exchanges 2026-06-17 → 2026-06-24 resolved 12d ago

    Second distinct trade-protocol exploit in under 30 days, hitting Haveno operators including RetoSwap. Per the official RetoSwap PSA (2026-06-17), an exploit report was received at 18:02 UTC; the RetoSwap team responded by setting the minimum client version to 2.0.0 via the filter feature and banning the attacker's onion. **The May 2026 attack** worked by substituting the legitimate arbitrator's onion with the attacker's own (fake-arbitrator-ACK vector against the arbitrator-selection step). **The June 2026 attack is mechanistically distinct**: the arbitrator stays legitimate, but the attacker abuses the forced-arbitration flow itself — taking buy offers, forcing arbitration through a real arbitrator, and getting XMR released after 30 confirmations without ever sending BTC. Two legitimate Reto arbitrators are on record (`…6wi2znkfhbowtv2xxkbx63simfj3bqd.onion`, `…sriix3v2akgrzd4k5tvoqqvsfzxb6yd.onion`) — both involved in the current attack as honest counterparties, not as compromised infrastructure. Attacker buyer onion (banned, with port): `…e6wyrtdczsrhtves2jofi2qpad.onion:9999`. Scope per RetoSwap: damage appears contained to large-scale crypto offers; fiat traders unaffected. Trading halted network-wide while the protocol gap is addressed.

  2. ✓ Resolved A RetoSwap /exchanges 2026-06-17 → 2026-06-24 resolved 12d ago

    ACTIVE — second Haveno-protocol exploit hitting RetoSwap inside 30 days, **mechanistically distinct from the May 2026 attack**. Per RetoSwap's official PSA (2026-06-17): the team received the exploit report at 18:02 UTC, halted trading by setting the minimum client version to 2.0.0 via the filter feature, and banned the attacker's onion. **May attack:** arbitrator-substitution / fake-arbitrator-ACK against the selection step. **June attack:** the arbitrator stays legitimate, but the attacker abuses the forced-arbitration flow itself — take buy offers → force arbitration through a real arbitrator → XMR releases after 30 confirmations even though no BTC was ever sent. Two legitimate Reto arbitrators on record (`…6wi2znkfhbowtv2xxkbx63simfj3bqd.onion`, `…sriix3v2akgrzd4k5tvoqqvsfzxb6yd.onion`) — both honest counterparties, not compromised infrastructure. Attacker buyer onion (banned, with port): `…e6wyrtdczsrhtves2jofi2qpad.onion:9999`. Scope per RetoSwap: damage appears contained to large-scale crypto offers; **fiat-flow traders unaffected**. The RetoSwap team is **not compromised** — the protocol flaw is at the Haveno layer.

  3. ✓ Resolved A- 1984.is /hosting 2026-06-07 → 2026-06-08 resolved 28d ago

    1984.is auto-suspended XmrBazaar (a legal Monero marketplace it hosted) without notice after weaponized DMCA/abuse complaints — part of a pattern that also took down Hack Liberty, a 4+ year customer, in March 2026. XmrBazaar was restored after public pushback.

How to read these severity levels

Incident ≠ grade. A provider can keep its A while in incident mode. See the methodology.