A Monero miner hiding inside a trusted browser installer is the kind of threat most users never see coming. That is exactly what happened to Hola Browser, whose Windows version fell victim to a supply chain attack that quietly bundled cryptocurrency-mining software alongside legitimate installations.
How the Compromise Came to Light
The discovery did not come through user complaints or a dramatic breach disclosure. It emerged from a routine certification audit. AppEsteem, an industry body that tests software for deceptive or unwanted behavior, runs periodic checks on products it has previously approved. Hola Browser was one of those products. During a fresh validation round, something unexpected turned up.
Sophos X-Ops, one of several cybersecurity vendors participating in the evaluation, flagged a file that had no business being there: an executable named me.exe, dropped into C:\Program Files\Hola\. The file was not part of Hola’s certified software package and had not been declared to AppEsteem. That alone was a red flag. But the deeper the researchers looked, the worse it got.
The binary had no digital signature, no timestamp, and contained obfuscated code. It also had memory-write capability. None of these traits is damning on its own. Together, they described exactly the kind of artifact that should never appear inside a certified application’s directory.
What the Malware Actually Did
The file was not just suspicious — it was functional. Sophos identified it as a Monero cryptocurrency miner, tracked as Troj/GoMiner-B. Its internal strings pointed clearly to its purpose, including references to an XMRig-based mining module and logic for pausing the miner while the user was active.
When run with administrator privileges, the miner copied itself to a more convincing location: C:\Program Files\Hola\HolaMonitorService.exe. It then created a Windows service called hola_monitor_svc, configured to launch automatically and run whenever the host machine sat idle. To avoid detection, it also added a Windows Defender exclusion rule for itself.
The design was deliberate. The miner was built to stay quiet, avoid interrupting the user, and use idle compute time to generate Monero for whoever planted it there.
A Supply Chain Problem, Not a Simple Bug
What makes this incident significant is where the malware entered. The Hola Browser installer itself was certified and clean. The compromise happened somewhere further upstream — in the build or distribution pipeline. AppEsteem’s testing found that me.exe did not appear in every installation, only in some. That inconsistency ruled out a straightforward case of a poisoned installer and pointed to something more conditional: a delivery path that varied depending on build channel, packaging configuration, or how the update was fetched.
In other words, this was a Hola Browser supply chain attack in the truest sense. Attackers — or a compromised internal process — found a way to inject an undeclared payload into part of the distribution flow, without touching the version of the software that had been certified.
The findings were escalated through AppEsteem to Hola, and cybersecurity firm Sygnia conducted an independent forensic investigation that reached the same conclusion: the pipeline had been compromised. No user data was accessed or stolen. Hola says roughly 0.1% of its users were affected.
Hola’s Response and Its Complicated History
Hola CEO Avi Raz Cohen confirmed the supply chain compromise publicly and described a rapid response. The affected delivery pipeline was shut down, the miner was removed from infrastructure and impacted devices, and the company says it has fully rebuilt its distribution system. New code-signing verification, tighter access controls, and continuous monitoring are now in place, according to Cohen.
What remains unanswered is how exactly the breach happened and who was responsible.
For long-time observers, this incident lands differently given Hola’s history. The company’s free VPN service, Hola VPN, drew significant criticism years ago for routing user traffic through other subscribers’ connections without making this clear — effectively turning free users into exit nodes for a commercial proxy network called Luminati Networks. That controversy raised questions about transparency that never fully went away. A Hola Browser supply chain attack, even one affecting a small percentage of users, adds another chapter to that record.
Final Thoughts
Supply chain attacks are among the hardest threats to catch because they exploit the trust users place in software they have already installed and verified. The Hola Browser case is a reminder that even certified products can carry risk if their build or update pipelines are not continuously defended. Routine certification audits caught this one before it could spread further, but most users would never have known to look. For anyone running Hola Browser on Windows, a sensible precaution while the company's infrastructure changes take full effect is to check for the hola_monitor_svc service and, if it is present, remove it together with the HolaMonitorService.exe and me.exe files and the Windows Defender exclusion the miner added for itself; deleting the service alone leaves the binary and the exclusion behind.
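As an added example (not code from the article, Hola, Sophos or AppEsteem), the following PowerShell script audits a Windows host for the indicators described above: the hola_monitor_svc service, the dropped files me.exe and HolaMonitorService.exe, any other unsigned executable under C:\Program Files\Hola, and a Windows Defender exclusion covering them. It goes slightly beyond the article's one-line advice by treating every unsigned, undeclared executable in the certified directory as a finding, since that was the original red flag. The indicator names and paths come from the report; the script layout, the -Remove switch and the order of the checks are assumptions.

```powershell
# Added example, not code from Hola, Sophos or AppEsteem: audit a Windows host for
# the indicators described in the article and, with -Remove, clean them up.
# Run from an elevated PowerShell prompt: reading Defender exclusions, deleting a
# service and removing files under Program Files all require administrator rights.
# Indicator names come from the report; paths, switch name and logic are assumptions.
param(
    [switch]$Remove    # without -Remove the script only reports
)

$HolaDir     = 'C:\Program Files\Hola'
$ServiceName = 'hola_monitor_svc'
$Indicators  = @('me.exe', 'HolaMonitorService.exe')   # file names named in the report
$Findings    = @()

# 1. Persistence: the miner registered itself as an auto-start Windows service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    $Findings += "Service $ServiceName present: StartMode=$($svc.StartMode) Path=$($svc.PathName)"
}

# 2. Dropped binaries. An undeclared, unsigned executable inside the certified
#    directory was the original red flag, so report every unsigned .exe there,
#    not only the two names from the report. The SHA-256 is included so a finding
#    can be compared against vendor or AV data; no reference hash is assumed here.
if (Test-Path -Path $HolaDir) {
    foreach ($f in Get-ChildItem -Path $HolaDir -Filter '*.exe' -Recurse -File) {
        $sig   = Get-AuthenticodeSignature -FilePath $f.FullName
        $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $known = $Indicators -contains $f.Name
        if ($known -or $sig.Status -ne 'Valid') {
            $note = if ($known) { ' (name matches reported indicator)' } else { '' }
            $Findings += "File $($f.FullName) signature=$($sig.Status) sha256=$hash$note"
        }
    }
}

# 3. Defense evasion: a Defender exclusion for the Hola directory or the dropped files.
$badExcl = @()
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    $excl = @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) | Where-Object { $_ }
    $badExcl = @($excl | Where-Object {
        $e = $_
        ($e -like "$HolaDir*") -or ($Indicators -contains (Split-Path -Path $e -Leaf))
    })
    foreach ($e in $badExcl) { $Findings += "Defender exclusion covers indicator: $e" }
}

if ($Findings.Count -eq 0) {
    Write-Output "No hola_monitor_svc indicators found."
    return
}
$Findings | ForEach-Object { Write-Output "FOUND: $_" }

# 4. Remediation, in the order that stops the miner coming back: stop and delete the
#    service, drop the exclusion, kill any running copy, then delete the named files.
#    Unsigned files that are not named indicators are reported only, never deleted.
if ($Remove) {
    if ($svc) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $ServiceName | Out-Null
    }
    foreach ($e in $badExcl) {
        Remove-MpPreference -ExclusionPath $e -ErrorAction SilentlyContinue
        Remove-MpPreference -ExclusionProcess $e -ErrorAction SilentlyContinue
    }
    foreach ($name in $Indicators) {
        $files = Get-ChildItem -Path $HolaDir -Filter $name -Recurse -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -eq $file.FullName } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -Path $file.FullName -Force
        }
    }
    Write-Output "Remediation attempted; re-run without -Remove to confirm a clean result."
}
```

Run it once without arguments to get a report, and with -Remove only after reading the findings: on a managed machine, or if the host is needed for forensics, record the reported hashes and hand the device to the security team rather than deleting the files yourself. Removing only the service, as the article's minimal advice suggests, would leave the exclusion and the binary in place, which is why the script handles all three.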