The massive $235 million hack on the Indian cryptocurrency exchange WazirX on July 18 has raised serious questions about exchange security and the future of cryptocurrency in India.
The attack unfolded with alarming speed and precision, with Web3 security firm Cyvers being among the first firms to detect “multiple suspicious transactions” involving WazirX’s “Safe Multisig” wallet on Ethereum.
The attacker was able to move a staggering $234.9 million worth of funds to a new address, and the address that initiated each transaction had been funded with assets from the cryptocurrency mixer Tornado Cash.
The stolen funds consisted of a diverse selection of cryptocurrencies, including Tether (USDT), Pepe (PEPE) and Gala (GALA), with the attacker swiftly converting these assets into Ether (ETH) in an attempt to obfuscate the trail of stolen funds.
The exchange’s wallet also contained approximately $100 million in Shiba Inu (SHIB), $52 million in ETH, $11 million in Polygon (MATIC) and smaller amounts of other tokens.
In response to the security breach, WazirX immediately suspended withdrawals of both cryptocurrencies and Indian rupees on the platform. The exchange further announced that it was “actively investigating the incident.”
When asked to comment on the situation, Rajagopal Menon, a spokesperson for WazirX, told Cointelegraph: “We can’t speak to the press right now. You can get updates from our Twitter handle.”
The future of India’s crypto sector
The hack could have major implications for India’s cryptocurrency sector, which has flourished despite government pressure.
Utkarsh Tiwari, the chief strategy officer for Indian cryptocurrency exchange KoinBX, told Cointelegraph that a security breach of this magnitude is bound to cause concern as it affects multiple stakeholders in the crypto ecosystem, including retail investors and other exchanges. He added:
“Under India’s G20 presidency, we have seen our government push for comprehensive and standardized regulations for all global Virtual Assets Service Providers. Furthermore, historically, we have seen the Indian government always prioritize investor protection above all else.”
As a result, Tiwari predicts that Indian digital asset exchanges are likely to invest more heavily in advanced security infrastructure, something he believes can help showcase the resilience and innovation of the Indian digital asset market and community.
India’s crypto industry is anticipating potential relief from the country’s stringent crypto tax regulations.
India Finance Minister Nirmala Sitharaman will present the Union Budget for the next fiscal year on July 23, and the crypto sector hopes for favorable changes.
Since 2022, India has imposed one of the world’s most severe tax regimes on cryptocurrency, with a flat 30% capital gains tax on profits from digital assets, including non-fungible tokens. Additionally, a 1% tax deducted at source (TDS) is also levied on crypto transactions.
Sumit Gupta, CEO of Indian exchange CoinDCX, has been advocating for a reduction in the TDS rate to 0.01% in the forthcoming budget since these tax measures have significantly impacted Indian crypto exchanges.
How did the attackers gain access to WazirX?
Meir Dolev, co-founder and chief technology officer of Web3 security firm Cyvers, told Cointelegraph that while the exploited vulnerability remains unknown, several key facts have emerged since the event.
First, he noted that WazirX uses a multisig wallet that requires four signatures to execute a transaction. The exchange also uses Liminal as a custody provider, which provides the last signature on every transaction. Lastly, WazirX’s wallet has a whitelist policy, with only a few addresses to which it can send funds.
Dolev outlined the attack vector: “The attacker used two different addresses, the one that initiated the transaction and the second that received the funds. The one that initiated the transaction needed to pay gas fees so he funded his wallet via Tornado Cash.”
“Eight days before the attack, the hacker also deployed a malicious contract that was later used to change the implementation of the WazirX wallet.”
He further explained that just a few minutes before the first exploit transaction, the attacker managed to change the implementation of WazirX’s multisig wallet to the malicious contract by using the signatures of WazirX and Liminal custody. “From that moment, he could execute any transaction without needing WazirX or Liminal to sign on the transaction,” he highlighted.
Dolev speculated that the attacker likely compromised WazirX endpoints or laptops to gain the necessary signatures, possibly employing a user interface (UI) hijack on Liminal’s side.
He stated that WazirX’s signers might have thought they were signing a legitimate transaction, because that is what they saw in the UI, which was possibly controlled by the hacker.
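The account above is that signatures collected for what looked like a routine transaction were spent on an implementation change. In a Safe multisig, administrative calls such as changing the master copy are transactions the wallet executes on itself, so a co-signer who decodes the payload independently of the signing UI can see the difference before approving. The Python below is an added example, not code from Cointelegraph, WazirX, Liminal or Safe: it decodes a Safe-style `execTransaction` payload without an ABI library and flags a delegatecall, a self-call, a destination outside the whitelist, or an inner call to an administrative function. The addresses, the whitelist and both payloads are constructed; the `execTransaction` and ERC-20 `transfer` selectors are the standard ones, and the two admin selectors are taken from the Safe v1.1.1 ABI as an assumption to confirm by hashing the signature.

```python
"""Signer-side review of a Safe-style execTransaction payload before signing.

Added example; not code from Cointelegraph, WazirX, Liminal or Safe.
Decodes the calldata head without an ABI library and flags the shapes
that let a collected signature be turned into an implementation swap:
a delegatecall, the wallet calling itself, a destination outside the
whitelist, or an inner call to an administrative function.
"""

WORD = 32
CALL, DELEGATECALL = 0, 1
# execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
EXEC_TRANSACTION = bytes.fromhex("6a761202")
# Inner selectors treated as administrative. Assumed from the Safe v1.1.1 ABI;
# confirm each against keccak256(signature)[:4] before relying on it.
ADMIN_SELECTORS = {
    bytes.fromhex("7de7edef"): "changeMasterCopy(address)",
    bytes.fromhex("694e80c3"): "changeThreshold(uint256)",
}
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # transfer(address,uint256)


def uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def addr_word(address: str) -> bytes:
    """Left-pad a 20-byte hex address to a 32-byte ABI word."""
    return bytes.fromhex(address[2:]).rjust(WORD, b"\x00")


def pad_bytes(b: bytes) -> bytes:
    """ABI-encode dynamic bytes: length word, then data right-padded to 32."""
    return len(b).to_bytes(WORD, "big") + b + b"\x00" * (-len(b) % WORD)


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> bytes:
    """Build execTransaction calldata with zero gas params and empty signatures."""
    data_offset = 10 * WORD                      # head is ten 32-byte words
    sig_offset = data_offset + len(pad_bytes(data))
    head = (
        addr_word(to)
        + value.to_bytes(WORD, "big")
        + data_offset.to_bytes(WORD, "big")
        + operation.to_bytes(WORD, "big")
        + bytes(WORD) * 3                        # safeTxGas, baseGas, gasPrice
        + bytes(WORD) * 2                        # gasToken, refundReceiver
        + sig_offset.to_bytes(WORD, "big")
    )
    return EXEC_TRANSACTION + head + pad_bytes(data) + pad_bytes(b"")


def decode_exec_transaction(calldata: bytes) -> dict:
    """Return to, value, operation and the inner data of an execTransaction call."""
    if calldata[:4] != EXEC_TRANSACTION:
        raise ValueError(f"not execTransaction: selector {calldata[:4].hex()}")
    body = calldata[4:]
    if len(body) < 10 * WORD:
        raise ValueError("calldata head too short")

    def word(i: int) -> bytes:
        return body[i * WORD:(i + 1) * WORD]

    data_off = uint(word(2))
    data_len = uint(body[data_off:data_off + WORD])
    inner = body[data_off + WORD:data_off + WORD + data_len]
    return {"to": "0x" + word(0)[12:].hex(), "value": uint(word(1)),
            "operation": uint(word(3)), "data": inner}


def review(calldata: bytes, wallet: str, whitelist: set[str]) -> list[str]:
    """Findings a co-signer should see before approving; empty means clean."""
    tx = decode_exec_transaction(calldata)
    to = tx["to"].lower()
    findings = []
    if tx["operation"] == DELEGATECALL:
        findings.append("DELEGATECALL: foreign code would run with the wallet's storage")
    if to == wallet.lower():
        findings.append("SELF_CALL: the wallet is calling its own admin surface")
    if to not in {a.lower() for a in whitelist}:
        findings.append(f"NOT_WHITELISTED: destination {tx['to']}")
    name = ADMIN_SELECTORS.get(tx["data"][:4])
    if name:
        findings.append(f"ADMIN_FUNCTION: inner call is {name}")
    return findings


# Constructed addresses for the demonstration, not the real WazirX contracts.
WALLET = "0x" + "11" * 20
HOT_WALLET = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20
ATTACKER_IMPL = "0x" + "44" * 20
WHITELIST = {HOT_WALLET, TOKEN}

# What the UI claimed: an ERC-20 transfer to the whitelisted hot wallet.
LEGIT = encode_exec_transaction(
    TOKEN, 0, ERC20_TRANSFER + addr_word(HOT_WALLET) + (10**6).to_bytes(WORD, "big"), CALL)
# What actually gets signed: the wallet pointing itself at a new implementation.
SWAP = encode_exec_transaction(
    WALLET, 0, bytes.fromhex("7de7edef") + addr_word(ATTACKER_IMPL), CALL)

if __name__ == "__main__":
    for label, payload in (("legit", LEGIT), ("swap", SWAP)):
        print(label, review(payload, WALLET, WHITELIST) or ["clean"])
```

The point of the check is that it runs on the bytes that will actually be hashed and signed, not on whatever a web UI renders; a hijacked front end can show a whitelisted transfer while submitting a self-call. Running it on a machine separate from the signing laptop, or inside a hardware wallet that decodes calldata, is what makes it resistant to the endpoint compromise Dolev describes.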
Liminal Custody has insisted that its platform remains secure, with its preliminary investigations showing that one of the self-custody multisig smart contract wallets created outside of the Liminal ecosystem was compromised: “We can confirm that Liminal’s platform is not breached, and Liminal’s infrastructure, wallets, and assets continue to remain safe.”
North Korean involvement suspected
A number of analysts believe that North Korean hackers may be responsible for the incident, adding a layer of geopolitical intrigue to an already complex situation.
Blockchain forensics firm Elliptic previously told Cointelegraph that data pointed toward North Korean involvement, explaining, “The North Korea attribution is based on analysis of the onchain transactional behavior and other information. There are certain patterns and techniques that are characteristic of this type of actor.”
This sentiment was echoed by ZachXBT, who said the hack has the potential markings of a Lazarus Group attack — an infamous North Korean criminal organization with a long history of cybercrime.
Since 2017, Lazarus has terrorized the crypto space and is believed to be behind some of the industry’s biggest exploits, including the $600 million Ronin Bridge incident.
In the wake of the hack, the cryptocurrency market experienced significant turbulence. Over $100 million worth of SHIB tokens were taken during the hack, causing the price of the popular memecoin to plummet by 10%.
Blockchain analysis platform Lookonchain reported on July 19, one day after the hack, that the attackers had already begun swapping SHIB assets for ETH, selling 35 billion SHIB tokens worth $618,000. At the time, the exploiter had exchanged most of the assets for 43,800 ETH ($149.46 million) and held a total of 59,097 ETH ($201.67 million).
WazirX has taken swift action to mitigate the damage and recover stolen funds. The exchange has filed an official police complaint and is pursuing additional legal actions.
It has reported the incident to the Financial Intelligence Unit and the Indian Computer Emergency Response Team and is contacting over 500 exchanges to block the identified addresses.
The exchange stated, “Many exchanges are cooperating with us, and we are actively working with them on additional resources to aid our recovery efforts.”