India's largest cryptocurrency exchange, WazirX, suffered a breach that allowed hackers to extract users' funds. Currently, all withdrawals are halted as the team investigates.
🚨ALERT🚨 Hey @WazirXIndia, Our system has detected multiple suspicious transactions involving your Safe Multisig wallet on the #ETH network.
A total of $234.9M of your funds have been moved to a new address. Each transaction's caller is funded by @TornadoCash.
The suspicious… pic.twitter.com/4sajAwd4Hb
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 18, 2024
According to the team, the digital wallet used by the WazirX team had six signatories—five from WazirX and one from Liminal, with transactions requiring three WazirX signatories (using Ledger Hardware Wallets) and one Liminal signatory for approval.
"During a cyber attack, there was a discrepancy between the information shown on Liminal's interface and the actual signed transaction, leading to suspicions that the transaction payload was altered to transfer wallet control to an attacker."
At WazirX, our commitment to transparency and community welfare is paramount. There was a cyber attack on one of our multisig wallets. Below are the preliminary findings to clarify the situation:
» Incident Overview: A cyber attack occurred in one of our multisig wallets…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) July 18, 2024
It seems that the team clicked on a phishing link that allowed users' funds to be drained.
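One way to catch the kind of mismatch the team reported, where the interface shows one thing and the signed transaction contains another, is to decode the raw payload independently of the interface before approving it. The Python below is an added example, not code from WazirX, Liminal or Safe; the dictionary layout (modelled on the Safe transaction fields `to`, `value`, `data`, `operation`), the function names and the placeholder addresses are assumptions made for illustration.

```python
# Added example: compare the intent a UI displays with the payload to be signed.
# All addresses and amounts below are constructed placeholders.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

def encode_transfer(recipient: str, amount: int) -> str:
    """Build ERC-20 transfer calldata (used here only to construct sample input)."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return "0x" + (TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")).hex()

def decode_transfer(data_hex: str):
    """Return (recipient, amount) for well-formed transfer calldata, else None."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    # 4-byte selector + two 32-byte words; the address word has 12 zero padding bytes.
    if len(raw) != 68 or raw[:4] != TRANSFER_SELECTOR or any(raw[4:16]):
        return None
    return "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")

def check_before_signing(displayed: dict, tx: dict) -> list:
    """Compare what the UI displayed with the payload to be signed; [] means consistent."""
    findings = []
    if tx["operation"] != 0:  # 0 = CALL, 1 = DELEGATECALL in a Safe transaction
        findings.append("operation is not a plain CALL")
    if tx["value"] != 0:
        findings.append("unexpected native value attached")
    if tx["to"].lower() != displayed["token"].lower():
        findings.append("target differs from displayed token contract")
    decoded = decode_transfer(tx["data"])
    if decoded is None:
        findings.append("calldata is not an ERC-20 transfer")
    else:
        recipient, amount = decoded
        if recipient != displayed["recipient"].lower():
            findings.append("recipient differs from display")
        if amount != displayed["amount"]:
            findings.append("amount differs from display")
    return findings

TOKEN, PAYEE, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
DISPLAYED = {"token": TOKEN, "recipient": PAYEE, "amount": 1_000_000}
MATCHING_TX = {"to": TOKEN, "value": 0, "operation": 0,
               "data": encode_transfer(PAYEE, 1_000_000)}
# Same display, but the payload targets another contract with unrelated calldata.
MISMATCHED_TX = {"to": OTHER, "value": 0, "operation": 1, "data": "0xdeadbeef"}

if __name__ == "__main__":
    print(check_before_signing(DISPLAYED, MATCHING_TX))
    print(check_before_signing(DISPLAYED, MISMATCHED_TX))
```

The check only helps if it runs on a path the signing interface does not control, for example a separate machine that receives the raw payload directly.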
According to WazirX, which was acquired by Binance in 2019, the exchange's total holdings stood at $503.64 million in June; a $235 million hack represents around 46% of its total holdings.
Who's behind it?
6/ This is where my tracing ends as the BTC appears to come from an unknown service making it difficult to trace.
All I can say is the WazirX hack has the potential markings of a Lazarus Group attack (yet again)
Hopefully the WazirX team will be transparent with their… https://t.co/IjzlI76TRQ
— ZachXBT (@zachxbt) July 18, 2024
ZachXBT’s tracing work reveals a highly methodical and organized attack on WazirX, marked by meticulous preparation, strategic use of privacy tools like TornadoCash, and layered transactions.
The sophisticated nature of the hack, combined with patterns observed in previous attacks, suggests potential involvement by Lazarus Group. These elements point towards a well-coordinated effort by an experienced group, aligning with known behaviours of state-sponsored cybercrime units.
Where are the funds now?

Using the list of affected addresses reported by @cyvers_, we created a profile on Arkham to track the funds. As of now, the majority of the funds associated with these addresses have not been transferred out. This indicates that while the addresses have been compromised or flagged, the assets remain in place.

Market Reaction

Following the news, WRX experienced a significant drop in value, decreasing by approximately 14%. This hack could set back India's crypto ambitions, especially considering that Binance had just received approval to operate in India. The incident introduces additional scrutiny and potential regulatory challenges that could affect the broader crypto landscape in the country.