HackMyIP
2026-06-04 BleepingComputer

Hola Browser Hit by Supply Chain Attack Delivering Monero Miner

Supply Chain, Malware

The Windows version of Hola Browser was compromised in a supply chain attack that pushed an undeclared Monero cryptocurrency miner to a small fraction of users, according to BleepingComputer. Israeli firm Hola, best known for its peer-to-peer Hola VPN service, confirmed the breach after AppEsteem's routine certification checks flagged suspicious behavior in the browser's installer pipeline. The same intrusion was independently detected by cybersecurity firm Sygnia.

Researchers at Sophos identified the rogue binary as 'me.exe,' which was being silently installed under C:\Program Files\Hola\ on affected systems. The file lacked a digital signature, had no timestamp, contained obfuscated code, and wrote directly to memory. Further analysis revealed the payload was a Monero miner that added a Windows Defender exclusion rule, copied itself to Program Files as 'HolaMonitorService.exe,' and registered a persistent auto-starting Windows service called 'hola_monitor_svc' that ran only when the system was idle to evade suspicion.

Hola CEO Avi Raz Cohen acknowledged the compromise in a public statement, noting that the company has "completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure." The firm estimates that roughly 0.1% of its user base was affected and claims there is no evidence of data theft or unauthorized access. However, the attacker's identity, the full duration of exposure, and whether clients on other platforms were impacted remain under investigation as BleepingComputer awaits further comment from the vendor.

The incident highlights the persistent risk of supply chain compromises in widely distributed software, particularly for products that already operate in a trust-sensitive space like VPNs and privacy browsers. Users who installed or updated Hola Browser for Windows during the affected window are advised to audit their systems for unknown services and suspicious processes. Given Hola's history of routing user traffic through other participants' devices, affected users may also want to verify their network anonymity with a VPN/proxy detector, run a privacy checkup to identify lingering risks, and confirm that no credentials have been exposed using an email breach checker.
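
The audit recommended above, as an added PowerShell example that is not from BleepingComputer, Hola or the researchers: a read-only check for the service name and file names the article reports. It assumes an elevated prompt on Windows with the Defender cmdlets available; the Program Files search roots and the `hola` match on exclusions are assumptions, since the article gives neither the full path of the copied binary nor the exclusion rule that was added.

```powershell
# Added example: read-only audit for the indicators named in the article.
# Run elevated; nothing is modified or deleted.
$serviceName = 'hola_monitor_svc'                   # service name from the article
$fileNames   = 'me.exe', 'HolaMonitorService.exe'   # file names from the article
$findings    = [System.Collections.Generic.List[object]]::new()

# 1. Persistent auto-start service.
$svc = Get-CimInstance Win32_Service -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings.Add([pscustomobject]@{
        Check  = 'Service'
        Detail = "$($svc.Name) [$($svc.StartMode), $($svc.State)] -> $($svc.PathName)"
    })
}

# 2. Dropped binaries. The article places me.exe in C:\Program Files\Hola\ and the copy
#    somewhere in "Program Files", so both Program Files trees are searched (assumption).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$hits  = Get-ChildItem -Path $roots -File -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { $fileNames -contains $_.Name }
foreach ($f in $hits) {
    # The article reports the rogue binary was unsigned; record signature status and hash.
    $sig  = Get-AuthenticodeSignature -LiteralPath $f.FullName
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $findings.Add([pscustomobject]@{
        Check  = 'File'
        Detail = "$($f.FullName) signature=$($sig.Status) sha256=$hash"
    })
}

# 3. Defender exclusions. Matching on 'hola' is an assumption; review the full list too.
try {
    $mp   = Get-MpPreference -ErrorAction Stop
    $excl = (@($mp.ExclusionPath) + @($mp.ExclusionProcess)) | Where-Object { $_ -match 'hola' }
    foreach ($e in $excl) {
        $findings.Add([pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $e })
    }
} catch {
    Write-Warning "Could not read Defender preferences: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the indicators named in the article were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result covers only the names reported in the article; a legitimately signed Hola component that happens to match a file name will show `signature=Valid`, which is why the signature status is printed next to each hit.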

Source: BleepingComputer
