The Hola browser might have been mining crypto behind your back
Security researchers have uncovered a supply chain compromise — an attack that tampers with software during its distribution process — in the Hola browser for Windows. The browser quietly installed a cryptocurrency miner on some users’ systems without their knowledge.
How It Was Discovered
Sophos X-Ops spotted the issue during routine certification testing. Testers were examining version 1.251.91.0 of the Hola browser, which had previously passed AppEsteem Windows Certified Application testing. They detected an undeclared file called “me.exe” written to the C:\Program Files\Hola\ directory.
That file was flagged as a potentially unwanted application. It turned out to be an XMRig-based crypto miner — software that uses a device’s processing power to generate cryptocurrency — and it also contained obfuscated, or deliberately hidden, code.
What the Miner Did
The file didn’t appear in every installation. Its presence varied depending on the build channel used, meaning not all versions of the browser were affected. When run with administrator privileges, the miner added a Windows Defender exclusion, effectively hiding itself from the device’s built-in security tool.
On affected systems, the unauthorized miner ran automatically through an autostart service until it was removed.
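A read-only PowerShell triage for the three artifacts described above (the file, the Defender exclusion, the autostart service); it is an added example, not code from Sophos or Hola. It assumes the default install path, that the exclusion references that directory or the file name, and that the autostart entry is a Windows service whose image path points at the file. Run it from an elevated prompt, because Defender only lists exclusions for administrators.

```powershell
#Requires -RunAsAdministrator
# Added example: look for the artifacts named in the article. Makes no changes.
$HolaDir  = 'C:\Program Files\Hola'        # directory reported in the article
$Suspect  = Join-Path $HolaDir 'me.exe'    # file name reported in the article
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Undeclared binary on disk: record hash and signature state for the ticket.
if (Test-Path -LiteralPath $Suspect -PathType Leaf) {
    $hash = (Get-FileHash -LiteralPath $Suspect -Algorithm SHA256).Hash
    $sig  = (Get-AuthenticodeSignature -LiteralPath $Suspect).Status
    $findings.Add([pscustomobject]@{
        Check = 'File present'; Detail = $Suspect
        Extra = "SHA256 $hash, signature $sig"
    })
}

# 2. Defender exclusions that mention the Hola directory or the file name
#    (assumption: the article does not say what the exclusion looked like).
$pref = Get-MpPreference
$exclusions = @(@($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ })
foreach ($e in $exclusions) {
    if ($e -like "$HolaDir*" -or $e -like '*\me.exe' -or $e -eq 'me.exe') {
        $findings.Add([pscustomobject]@{
            Check = 'Defender exclusion'; Detail = $e
            Extra = 'Review who added it and when'
        })
    }
}

# 3. Services whose image path points at the file (assumption: the
#    "autostart service" is a Windows service; its name is not given).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$Suspect*" } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check = 'Service'; Detail = $_.Name
            Extra = "$($_.StartMode) / $($_.State) / $($_.PathName)"
        })
    }

if ($findings.Count) { $findings | Format-List }
else { 'None of the artifacts described in the article were found on this host.' }
```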
Hola’s Response
Hola CEO Avi Raz Cohen acknowledged the incident as a supply chain attack. The company said its internal monitoring had already flagged unusual activity before researchers went public. Hola confirmed that “me.exe” was never an intended component of the browser.
Independent cybersecurity firm Sygnia corroborated those findings. Researchers found no evidence of leaked user data or broader system compromise. The incident affected roughly 0.1% of users.
Hola moved quickly to contain the damage. The company halted the affected delivery pipeline, removed “me.exe,” and rebuilt its infrastructure. Developers also integrated stronger security measures and improved monitoring to ensure only verified components reach users. AppEsteem later confirmed that Hola had resolved the pipeline vulnerabilities.
What Users Should Do
Anyone running the Hola browser on Windows should update to the latest version immediately. Users who installed or updated the browser during the vulnerable period are most at risk.
This is not Hola’s first brush with security concerns. The company has faced previous scrutiny over opaque traffic-handling practices tied to its Luminati Networks service. Given that history, users may want to consider switching to a browser with a stronger and more consistent security record.
