xmr.club
Incident Desk · 16 active

Active incidents

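Real-time hacks, vulnerabilities, regulatory pauses, and operator-flagged events on the services we list. Incident status is real-time; grades reflect long-term stance. The two coexist: an A-grade provider can also be in incident mode. Read the curator's advice on each entry before acting.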

16 active
6 critical / high
8
1
  1. ⚠ Critical C xmr.gg /wagering 2026-07-04 2 days ago

    Operator announced full shutdown on 2026-07-06. Betting already disabled. Withdraw any remaining XMR balance immediately — after the shutdown date the site will be gone and funds will not be recoverable.

    Curator record · no public source yet · Full entry →
  2. ⚠ Critical D OpenMonero /exchanges 2026-06-08 28 days ago

    Server compromise on 2026-06-08: an attacker gained root access (local privilege escalation) to OpenMonero's main server and stole ~200 XMR. The operator stated all funds are gone. This is a repeat event — "hacked again" — not a first-time breach.

    Curator's advice

    Do not deposit or hold funds on OpenMonero. Withdraw anything still accessible and avoid the platform until a full public post-mortem, infrastructure rebuild, and independent audit. A recurring server compromise with total fund loss is a critical custody failure. Update (2026-06-11): the operator has not publicly confirmed the 06-08 incident; some community members claim it may be a negative-trade-amount input-handling bug rather than a breach, others call it a rug — unverified either way. Given the repeat pattern and operator silence, treat funds as at-risk until OpenMonero publishes a verifiable post-mortem.

  3. ⚠ High C AzireVPN /vpns 2026-07-02 4 days ago

    Operator change verified — AzireVPN's `/about` page now reads: "AzireVPN is owned by Malwarebytes, a global leader in real-time cyber protection, based in Santa Clara, CA, US." That is a material trust-story shift for a service originally listed as a Sweden-based independent no-logs VPN. Simultaneously, the `/pricing` page no longer lists Monero (or Bitcoin) as a payment method — XMR has been dropped. The no-logs claim was substantively part of the original Grade-A rationale; under Malwarebytes ownership it requires re-verification via an audit specifically conducted after the ownership change.

    Curator's advice

    Grade downgraded A → C on 2026-07-02. Existing customers should treat the no-logs claim as under-review, not confirmed. Users specifically avoiding US-jurisdiction VPN providers (CLOUD Act, subpoena, national-security-letter regime) should rotate to a peer VPN with disclosed ownership outside the US. Path back to B requires XMR reinstated + published post-acquisition no-logs audit. Path back to A additionally requires verifiable operational independence from Malwarebytes's US legal exposure.

  4. ⚠ High B EigenWallet /wallets 2026-05-25 1 month ago

    Maintainers advised market-makers (eigenwallet-makers Matrix) to shut down their ASB (Atomic Swap Backend) on 2026-05-25 due to an actively-exploitable vulnerability. A 2026-05-29 developer correction states the impact is worse than first reported: a malicious swap can net the attacker the full XMR while the maker recovers only ~10% of their BTC. Mitigation has since shipped — v4.7.9 (2026-05-29) makes the ASB refuse cooperative XMR-redeem requests when the BTC received is <75% of the BTC sent into the swap; the latest release is 4.7.10 (2026-06-02). Still no public CVE or formal post-mortem.

    Curator's advice

    Don't run an ASB / market-maker right now. Taker-side swaps may still be possible against makers who are online, but trade volume has dried up while operators wait for the patch. We'll update this entry the moment a fixed release ships or the maintainers publish a post-mortem. Track github.com/eigenwallet/core/releases and the Matrix room linked from eigenwallet.org.

  5. ⚠ High A THORChain /exchanges 2026-05-11 2 months ago

    A TSS key cryptography vulnerability was exploited: the POL vault lost about $10.8M in total across BTC/ETH/BNB/Base. The protocol has paused trading and signing.

    Curator's advice

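    Do not open new orders until THORChain lifts the pause. The XMR pool may resume earlier than the EVM legs; before swapping, check pool status at /thorchain or on the protocol's own dashboard.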

  6. ⚠ High A Bisq (classic) /exchanges 2026-05-01 2 months ago

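    v1 trade protocol vulnerability: missing validation of negative network-fee values let an attacker drain about 11.59 BTC from active/open offers. Bisq paused trading via an emergency version flag until patched.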

    Curator's advice

    Upgrade to the patched Bisq v1.9.x+ before trading. Bisq Easy (Bisq 2) is currently the safer path. Verify the signed release files before running them.

  7. ⚠ Medium A- Njalla Domains /email 2026-06-14 22 days ago

    In Q4 2024 Njalla silently relocated from Nevis (1337 Services LLC) to Costa Rica (njalla.srl) with no customer announcement. Costa Rica's RTBF registry makes UBO information shareable to government entities and foreign court orders are more enforceable than in Nevis — a weakening of the offshore offsets that defined Njalla's privacy posture. Founder brokep's public profiles (Mastodon, Bluesky, X) went dormant in the same window. Njalla support's response to user inquiries has been take-it-or-leave-it. No malicious behaviour or domain seizure is documented in the cited source; the issue is opacity + a quietly weaker threat-model offset.

    Curator's advice

    Existing pseudonymous domains paid via untraceable methods appear unaffected at the time of writing. Reconsider Njalla for new high-risk registrations (politically sensitive, pirate-adjacent, abuse-attractor content); the jurisdictional offset is now thinner than the marketing implies.

  8. ⚠ Medium A- Njalla VPS /hosting 2026-06-14 22 days ago

    In Q4 2024 Njalla silently relocated from Nevis (1337 Services LLC) to Costa Rica (njalla.srl) with no customer announcement. Costa Rica's RTBF registry makes UBO information shareable to government entities and foreign court orders are more enforceable than in Nevis — a weakening of the offshore offsets that defined Njalla's privacy posture. Founder brokep's public profiles (Mastodon, Bluesky, X) went dormant in the same window. Njalla support's response to user inquiries has been take-it-or-leave-it. No malicious behaviour or domain seizure is documented in the cited source; the issue is opacity + a quietly weaker threat-model offset.

    Curator's advice

    Existing pseudonymous domains paid via untraceable methods appear unaffected at the time of writing. Reconsider Njalla for new high-risk registrations (politically sensitive, pirate-adjacent, abuse-attractor content); the jurisdictional offset is now thinner than the marketing implies.

  9. ⚠ Medium B- Njalla VPN /vpns 2026-06-14 22 days ago

    In Q4 2024 Njalla silently relocated from Nevis (1337 Services LLC) to Costa Rica (njalla.srl) with no customer announcement. Costa Rica's RTBF registry makes UBO information shareable to government entities and foreign court orders are more enforceable than in Nevis — a weakening of the offshore offsets that defined Njalla's privacy posture. Founder brokep's public profiles (Mastodon, Bluesky, X) went dormant in the same window. Njalla support's response to user inquiries has been take-it-or-leave-it. No malicious behaviour or domain seizure is documented in the cited source; the issue is opacity + a quietly weaker threat-model offset.

    Curator's advice

    Existing pseudonymous domains paid via untraceable methods appear unaffected at the time of writing. Reconsider Njalla for new high-risk registrations (politically sensitive, pirate-adjacent, abuse-attractor content); the jurisdictional offset is now thinner than the marketing implies.

  10. ⚠ Medium B- FixedFloat /exchanges 2026-06-08 28 days ago

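    AML freeze on a routed 3000 TRX → BTC order (2026-05-16). Post-hoc chain analysis confirmed that the deposit had direct contact with a known laundering channel and multi-hop indirect contact with sanctioned entities; the freeze was a reasonable AML judgment, not a random shotgun-KYC pattern. FixedFloat does not offer refund-to-origin-address for flagged inputs; recovery requires a KYC appeal. Editorial conclusion: this case illustrates the B-grade recovery path. The A-grade providers in our directory offer KYC-free refund-to-origin-address for the same AML flags.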

    Curator's advice

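    Any input that raises a chain-analysis red flag is likely to be frozen at FixedFloat. If you can verify that your input is clean, FF works normally. If your input has touched mixers, DNM-adjacent addresses, or hops through sanctioned entities (even indirectly), use an A-grade provider (SageSwap, StealthEX, Exolix); they offer KYC-free refund-to-origin-address.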

  11. ⚠ Medium B- Wagyu /exchanges 2026-05-30 1 month ago

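    Operator-stance alert: Wagyu's founder (@PerpetualCow) publicly self-identifies as a hype-aligned operator who uses XMR as a tool, not a privacy-aligned operator with Monero as a mission. His X bio reads, verbatim: "$HYPE maximalist. not loud about it, just patient. Contributing to @HyperliquidX and XMR through Wagyu.xyz." In a 2026-05-29 post he said: "Aside from $HYPE there's nothing worth owning in crypto anymore. As sad as it is." That includes Monero, stated publicly by the founder of a Monero exchange. An adjacent project (the $COW community on Fwog.fun) was abandoned through broken promises, after-the-fact denial of a leadership role, and deletion of the Telegram community on 2026-05-18. The Wagyu exchange still operates normally (~$320M cumulative / ~$30M monthly volume); the 2026-04-22 DPRK pause incident is listed separately.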

    Curator's advice

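    Use the exchange function if you need it (the volume shows it works), but do not keep a balance there and do not size beyond what you are willing to absorb if the operator walks away. Grade moved B → B- on 2026-05-30 to reflect the structural stance misalignment. Further changes depend on stress events at Wagyu itself.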

  12. ⚠ Medium A- Exolix /exchanges 2026-05-28 1 month ago

    Partner-API broken-access-control disclosed by RasterSec on 2026-05-28. JWT keys embedded in public partner repos + Android APKs allowed anyone to dump all partner swap records — ~355,944 swaps / $39.5M of metadata (addresses, tx hashes, timestamps, user IDs) from Jan 2025 → May 2026. Affected partners: Edge, Exodus, Monerujo, BTCPay Server, Temple Wallet, EGToken.io. Exolix patched via WAF rules (not by fixing the underlying access control) and initially characterized the issue as "a feature." Past user swap trails are permanently exposed; new swaps unaffected.

    Curator's advice

    If you swapped via Exolix or any of the affected partner integrations between Jan 2025 and May 2026, assume your deposit + withdrawal addresses are now in third-party datasets (searchable, downloadable, immutable). For NEW swaps, Exolix still works as advertised — the WAF fix prevents further dumps. But weigh the operator's initial "feature" framing before routing sensitive flows; A-grade peers (SageSwap, StealthEX) had no such disclosure.

  13. ⚠ Medium B- Wagyu /exchanges 2026-04-22 3 months ago

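    Operator-stance alert: Wagyu's founder (@PerpetualCow) publicly self-identifies as a hype-aligned operator who uses XMR as a tool, not a privacy-aligned operator with Monero as a mission. His X bio reads, verbatim: "$HYPE maximalist. not loud about it, just patient. Contributing to @HyperliquidX and XMR through Wagyu.xyz." In a 2026-05-29 post he said: "Aside from $HYPE there's nothing worth owning in crypto anymore. As sad as it is." That includes Monero, stated publicly by the founder of a Monero exchange. An adjacent project (the $COW community on Fwog.fun) was abandoned through broken promises, after-the-fact denial of a leadership role, and deletion of the Telegram community on 2026-05-18. The Wagyu exchange still operates normally (~$320M cumulative / ~$30M monthly volume); the 2026-04-22 DPRK pause incident is listed separately.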

    Curator's advice

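    Use the exchange function if you need it (the volume shows it works), but do not keep a balance there and do not size beyond what you are willing to absorb if the operator walks away. Grade moved B → B- on 2026-05-30 to reflect the structural stance misalignment. Further changes depend on stress events at Wagyu itself.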

  14. ⚠ Medium B BuyVM /hosting 2025-01-08 1.5 years ago

    Two verified changes on the trust-story axis since the initial B-listing: (1) BuyVM was acquired by Cloudzy in January 2025 — founder Francisco stayed on and told the community at the time there would be "no change in pricing… no reduction in resources… no downgrades in hardware." (2) In May 2026, BuyVM announced its first-ever price adjustment, effective 2026-07-01, of roughly 15-25% across all KVM Slice plans (e.g. 4 GB slice $15→$17 for existing customers, $20 for new). The operator's stated reason is >15% upstream DC and bandwidth increases over the preceding six months. The pricing move breaks the letter of the acquisition-time promise, though the reasoning is disclosed publicly.

    Curator's advice

    Grade held at B — the operator's transparency in explaining the price adjustment plus the fact that post-hike pricing stays competitive with the peer set keeps this above C. The "independent VPS" framing has been dropped from the tagline. Existing customers on affected plans should expect the new pricing on their next renewal on/after 2026-07-01. Path to A now requires: three years of clean operation under Cloudzy ownership without a second broken commitment, plus a peer-directory listing corroborating the current trust story.

  15. ⚠ Low C SplitNOW /exchanges 2026-05-23 1 month ago

    Hidden 3.06% swap spread + 141% withdrawal-fee markup above network cost found in live audit (0.2 XMR test). Support admitted partner-side slippage on small orders and offered manual refund.

    Curator's advice

    Use only if you tolerate ~3–6% effective fee for the multi-wallet split convenience. Quote-vs-fill gap is not surfaced before deposit.

    Curator record · no public source yet · Full entry →
  16. ⚠ warning B xmr.bar /wagering 2026-07-04 2 days ago

    The public 'Recent Bets' feed on xmr.bar shows entries dated 10-11 weeks ago as of 2026-07-04 (external observation by @exitnode_). Site is online, betting endpoints reachable, but the on-page activity metric appears frozen since ~April 2026. Could be a backend/data event (widget wiped or disconnected from live data), or a genuine decline in traffic. Neither the operator nor the site has publicly explained. Interpret as an information-worthy signal, not a shutdown.

    Curator record · no public source yet · Full entry →
Resolved history · 3 past incidents, kept on record
  1. ✓ Resolved A- Haveno /exchanges 2026-06-17 → 2026-06-24 resolved 12 days ago

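    A protocol-level attack used forged arbitrator-ACK messages: about 7,000 XMR (about $2.7M) in total was drained from active offers across Haveno operators. Lead developer woodser advised a network-wide pause of all trading pending a protocol patch.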

  2. ✓ Resolved A RetoSwap /exchanges 2026-06-17 → 2026-06-24 resolved 12 days ago

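    Affected by the fake-arbitrator-ACK vulnerability in the Haveno protocol layer. RetoSwap's own infrastructure was not compromised; they banned the attacker's onion addresses and enforced a minimum client version to pause trading.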

  3. ✓ Resolved A- 1984.is /hosting 2026-06-07 → 2026-06-08 resolved 28 days ago

    1984.is auto-suspended XmrBazaar (a legal Monero marketplace it hosted) without notice after weaponized DMCA/abuse complaints — part of a pattern that also took down Hack Liberty, a 4+ year customer, in March 2026. XmrBazaar was restored after public pushback.

How to read the severity levels

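Incident ≠ grade. A provider can keep an A grade while in incident mode, because grades track long-term KYC stance and incidents track real-time events. See the methodology.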