An analysis of the WazirX hack

Overview

On July 18, 2024, the Indian cryptocurrency exchange WazirX suffered a security breach in which roughly $235 million in crypto assets was stolen. The attack was reported on X (formerly Twitter) by the Web3 security firm Cyvers, which identified “multiple suspicious transactions” involving WazirX’s Safe multisignature wallet on Ethereum. WazirX confirmed that the breach targeted one of its multi-signature wallets, which had been using Liminal Custody’s digital asset and wallet infrastructure since February 2023. On July 22, 2024, WazirX suspended trading and withdrawals for all users and announced a $23 million bounty program to recover the stolen assets. The hack led to widespread speculation on X and Reddit, where users alleged that it might have been planned by an insider or staged to protect the company from potential government action. Cryptocurrency investigators and blockchain forensic firms linked the hack to the Lazarus Group, a hacker group allegedly connected to North Korea; the FBI had earlier attributed the roughly $600 million Ronin network hack of March 2022 to the same group.

What happened?

India’s cryptocurrency industry grew rapidly after the 2016 demonetization exercise: the shift toward digital payments gave an unintended boost to cryptocurrency investment and spurred the founding of crypto startups. WazirX was founded in March 2018 by Nischal Shetty, Siddharth Menon, and Sameer Mhatre with the aim of redefining India’s engagement with digital assets. The exchange is operated by Zanmai Labs Private Limited, a non-government company incorporated in December 2017 and registered with the Registrar of Companies, Mumbai. In November 2018, WazirX and co-founder Nischal Shetty played a pivotal role in pushing for favourable cryptocurrency regulation in India through the #IndiaWantsCrypto hashtag campaign, which was supported by sitting members of parliament, celebrities, and startup founders. In August 2022, however, the Enforcement Directorate (ED) froze the account of one of the directors of Zanmai Labs Private Limited over suspected transactions and connections with Chinese companies.

In the hack, roughly $235 million held in WazirX’s Safe multisig wallet was moved to a new address; the account that sent each transaction had been funded through Tornado Cash, a mixing protocol for private transactions. The breach appears to have exploited a discrepancy between the transaction data displayed on Liminal’s interface and the contents of the transaction that was actually signed. According to news reports, the transaction payload was replaced during the attack, which allowed the attacker to take control of the multisig wallet and drain the funds it held. The wallet had six signatories, one from Liminal and five from WazirX, so that a transaction required multiple approvals before it could execute. Crypto investigator ZachXBT reported on his Telegram channel that the attacker swapped about $200 million worth of stolen altcoins into Ether, making the funds harder to freeze before authorities or exchanges could act. The selling also hit Shiba Inu, the second-largest meme-coin by market capitalization, whose price fell by roughly 10%.

In a report released on July 19, 2024, Liminal stated that its user interface was not responsible for the attack and attributed the hack to the compromise of three of WazirX’s devices. WazirX’s preliminary investigation report of July 25, 2024, on the other hand, did not find “any evidence that WazirX signers’ machines were compromised” and suggested that a breach in Liminal’s system may have been the cause.

In response, WazirX halted trading and announced a bounty program to freeze and recover the stolen assets. The exchange also filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU), CERT-In, and the FBI. WazirX and its co-founder further stated that the exchange had contacted over 500 exchanges to block the addresses associated with the stolen funds.

● Affected Ethereum wallet address: 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4

The attacker used two addresses: one that initiated the transactions that moved the funds, and a second that received them. The initiating address had to pay gas, so it was funded via Tornado Cash. A few minutes before the first exploit transaction, the attacker used signatures from WazirX and Liminal Custody to replace the implementation of WazirX’s multi-signature wallet (the contract its Safe proxy delegates to) with a malicious contract. From that point the attacker could execute any transaction from the wallet without further signatures from WazirX or Liminal. Analysis by the cybersecurity firm Cyfirma and by ZachXBT found that the hack had “potential markings of a Lazarus Group attack.”
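The two preceding passages describe signers approving something other than what the interface displayed, and a payload that replaced the wallet’s implementation. What a Safe owner actually signs is an EIP-712 digest over the real transaction fields, so the practical signer-side check is to recompute that digest from the transaction you believe you are approving and compare it with what your signing device shows, and to refuse DELEGATECALL transactions outright: on a Safe proxy the implementation address lives in the wallet’s own storage, and a delegatecall made by the wallet is the shape of call that can rewrite it. The following is an added example written for this page, not code from WazirX, Liminal, Safe or the investigators. It carries its own pure-Python Keccak-256 so it runs offline, encodes the Safe v1.3.0 transaction digest, and applies both checks to a constructed pair of transactions; the addresses, nonce, calldata and chain ID are made up, since the article gives no actual transaction contents, and the wallet address is the one the article lists.

```python
# Added example for this page, not code from WazirX, Liminal, Safe or the investigators:
# recompute the digest a Safe owner signs and flag payloads that can replace the implementation.
from dataclasses import dataclass

MASK64 = (1 << 64) - 1

def _rol(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64 if n else a

def _keccak_f(state):
    """Keccak-f[1600] permutation over a 200-byte state (little-endian lanes)."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    r = 1                                                        # LFSR for round constants
    for _ in range(24):
        c = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ d[x] for y in range(5)] for x in range(5)]        # theta
        x, y, cur = 1, 0, lanes[1][0]
        for t in range(24):                                                       # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):                                                        # chi
            row = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = row[x] ^ (~row[(x + 1) % 5] & row[(x + 2) % 5])
        for j in range(7):                                                        # iota
            r = ((r << 1) ^ ((r >> 7) * 0x71)) % 256
            if r & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out

def keccak256(data: bytes) -> bytes:
    """Ethereum keccak-256: original Keccak padding (0x01 ... 0x80), 136-byte rate."""
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % 136)
    msg[-1] |= 0x80
    state = bytearray(200)
    for i in range(0, len(msg), 136):
        for j in range(136):
            state[j] ^= msg[i + j]
        state = _keccak_f(state)
    return bytes(state[:32])

def _u256(v: int) -> bytes:
    return v.to_bytes(32, "big")

def _addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a[2:])          # 20-byte address left-padded to 32 bytes

# Type hashes as defined in the Safe contracts, recomputed here rather than hard-coded.
DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
CALL, DELEGATECALL = 0, 1
ZERO = "0x" + "00" * 20

@dataclass
class SafeTx:
    to: str
    value: int
    data: bytes
    operation: int            # CALL or DELEGATECALL
    nonce: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: str = ZERO
    refund_receiver: str = ZERO

def safe_tx_hash(safe: str, chain_id: int, tx: SafeTx) -> bytes:
    """The 32-byte EIP-712 digest each owner signs (Safe v1.3.0 layout, chainId in the domain)."""
    domain = keccak256(DOMAIN_TYPEHASH + _u256(chain_id) + _addr(safe))
    struct = keccak256(
        SAFE_TX_TYPEHASH + _addr(tx.to) + _u256(tx.value) + keccak256(tx.data)
        + _u256(tx.operation) + _u256(tx.safe_tx_gas) + _u256(tx.base_gas) + _u256(tx.gas_price)
        + _addr(tx.gas_token) + _addr(tx.refund_receiver) + _u256(tx.nonce))
    return keccak256(b"\x19\x01" + domain + struct)

def review(displayed: SafeTx, proposed: SafeTx, safe: str, chain_id: int) -> list:
    """Signer-side checks: the digest of the payload put forward for signing must equal the digest
    of what the interface displayed; a DELEGATECALL from the Safe is refused because the callee can
    write the wallet's storage, which is where the proxy keeps its implementation address."""
    findings = []
    if safe_tx_hash(safe, chain_id, displayed) != safe_tx_hash(safe, chain_id, proposed):
        findings.append("digest mismatch: payload differs from what the interface displayed")
    if proposed.operation == DELEGATECALL:
        findings.append("DELEGATECALL from the Safe: callee can overwrite wallet storage")
    return findings

if __name__ == "__main__":
    SAFE = "0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4"       # affected wallet, per the article
    # Constructed sample: what the interface showed vs. what was put in front of the signer.
    shown = SafeTx(to="0x" + "11" * 20, value=10**18, data=b"", operation=CALL, nonce=7)
    signed = SafeTx(to="0x" + "22" * 20, value=0, data=b"\xde\xad\xbe\xef", operation=DELEGATECALL, nonce=7)
    for finding in review(shown, signed, SAFE, 1):
        print("REFUSE:", finding)
```

The digest comparison is only useful if the signing device shows the digest or the decoded EIP-712 fields, which is the argument for hardware signers that display structured data rather than blind-signing a hash handed over by a web interface. The two type hashes the block recomputes can be compared against the constants in the Safe contract source in a few seconds.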

Social media analytics:


Between July 18-29, 2024, the keyword WazirX was mentioned 30K times by 27K unique authors on social media platforms and online news portals. The three most used hashtags on X were #WazirX (3.2K mentions), #WazirXhacked (155 mentions) and #WazirXscam (100 mentions).

The following graph represents mentions of the keyword “WazirX” on social media platforms between June 30 and July 30, 2024. The mention spikes on July 18, the day of the hack, and again on July 25, the day after WazirX released its preliminary investigation findings.
Source: Brandwatch

The following graph represents mentions of the hashtag #WazirXHacked on social media platforms between June 30 and July 30, 2024. The mentions spike on July 18, July 24, and July 29, the day WazirX announced its recovery plan.
Source: Brandwatch

The following graph represents mentions of the hashtag #wazirxscam on social media platforms between June 30 and July 30, 2024. The mentions spike on July 29, the day WazirX announced its recovery plan.
Source: Brandwatch

On X, Commcorde observed two major themes: accounts impersonating WazirX, and users speculating that the hack was an inside job.

Users complained of scammers trying to exploit victims through suspicious emails, while accounts impersonating WazirX posted links to supposed compensation and refund registration pages. The following three impersonator accounts were identified on X:

Account name                           Link
Wazir X: India ka Bitcoirn Exchcnge    https://x.com/WazirXIrndia
WazirX: India ka Bltcoln Exchange      https://x.com/WazirrnXIndia
WazirX: India Ka Bitcoirn Excharnge    https://x.com/WazirXlndira

All three accounts were active until July 20, 2024. Each differed from the official account only by minor alterations to the username or profile picture, which made it difficult for users to recognize them as impersonators. The official WazirX account and website had to issue an advisory warning customers about the imposter accounts, and the accounts were presumably reported for suspension.
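The three handles in the table each differ from the genuine one by a single inserted or substituted character, which is exactly the pattern a brand-protection or SOC monitor should catch before customers do. The following is an added example, not tooling from Commcorde or WazirX: it normalizes a handle (case, and common look-alike characters such as l for I and rn for m), computes the edit distance to the official handle, and flags anything within a small distance. The official handle is assumed here to be @WazirXIndia, which the page does not state; the inputs are the three impersonator handles from the table plus an unrelated control.

```python
# Added example, not tooling from Commcorde or WazirX: flag look-alike X handles by
# normalizing confusable characters and measuring edit distance to the official handle.
OFFICIAL = "WazirXIndia"          # assumed official handle; the page does not state it

# Single-character look-alikes folded after casefolding (so capital I and lowercase l merge).
_CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})


def normalize(handle: str) -> str:
    """Case-fold, map single-character look-alikes, then collapse the 'rn' -> 'm' pair."""
    return handle.lstrip("@").casefold().translate(_CONFUSABLES).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(handle: str, official: str = OFFICIAL) -> int:
    return levenshtein(normalize(handle), normalize(official))


def flag_impersonators(handles, official: str = OFFICIAL, max_distance: int = 2):
    """Return (handle, distance) for every handle within max_distance of the official one.
    The official handle itself is skipped (X handles are case-insensitive); a handle that
    normalizes to the official one but is spelled differently scores 0 and is flagged."""
    flagged = []
    for h in handles:
        if h.lstrip("@").casefold() == official.casefold():
            continue
        d = lookalike_distance(h, official)
        if d <= max_distance:
            flagged.append((h, d))
    return flagged


if __name__ == "__main__":
    # The three impersonator handles identified in the article plus an unrelated control.
    seen = ["WazirXIndia", "WazirXIrndia", "WazirrnXIndia", "WazirXlndira", "ZachXBT"]
    for handle, distance in flag_impersonators(seen):
        print(f"look-alike of @{OFFICIAL}: @{handle} (distance {distance})")
```

All three impersonator handles score a distance of 1 after normalization, so a threshold of 2 catches them without flagging the unrelated control. In production the candidate list would come from a platform search for the brand name, and the distance would be one signal among others (account age, display name, profile picture) rather than a verdict on its own.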

An account impersonating WazirX shared a likely phishing link for compensation and refund registration
Link: https://x.com/miral_ganatra/status/1814953476121677843

Accounts on X also alleged that the hack was orchestrated by WazirX itself. Crypto influencer accounts claimed that multi-signature wallets are impossible to hack, a claim the incident itself contradicts: the signers approved a transaction whose payload replaced the wallet’s implementation. They also pointed out that in WazirX’s case the majority of the signatures needed to approve a transaction came from within the company.

A popular cryptocurrency influencer questioning whether the hack was an inside job
Link: https://x.com/BudhilVyas/status/1814182968946221529

Another user shared a screenshot of a suspicious email containing a likely phishing link for reimbursement
Link: https://x.com/nikhilmittal678/status/1814350970857435285

Another cryptocurrency analyst questioned whether the hack was an inside job, asking how a multi-signature wallet could be drained
Link: https://x.com/oroogle/status/1813882929287700871

As on X, posts on Reddit alleged an insider conspiracy behind the hack. Users cited the 2022 Enforcement Directorate case against WazirX and the robustness of multi-signature wallets as possible evidence of wrongdoing. The ED case was reportedly filed for non-compliance, and users alleged that the hack was staged internally to shield the company from the case’s legal consequences.

A popular conspiracy theory on Reddit holds that the hack was an inside job staged to evade government regulation and enforcement action, especially after the budget session
Link: https://www.reddit.com/r/CryptoIndia/comments/1e98iqb/wazirx_never_hacked_before_fiu/

A Reddit post alleging the hack was an insider job
Link: https://www.reddit.com/r/CryptoIndia/comments/1e78ppu/more_proof_it_was_an_insider_job_in_wazirx/
