WazirX Security Breach: A Detailed Analysis of the $230 Million Crypto Heist

On July 18, 2024, WazirX, a prominent cryptocurrency exchange, fell victim to a significant cyberattack targeting one of their multisig wallets. This breach resulted in the theft of digital assets valued at over $230 million. The compromised wallet was managed using Liminal’s digital asset custody and wallet infrastructure. This blog provides a comprehensive timeline of the events, the mechanics of the breach, and the measures taken by WazirX in response to the attack.

Events Timeline

Day 1 - July 18, 2024

WazirX swiftly educated its users about the cyberattack and its potential impact. They promptly filed an online complaint with the National Cyber Crime Reporting Portal and initiated a physical complaint process. Authorities, including the Financial Intelligence Unit (FIU) and the Computer Emergency Response Team (CERT-In), were quickly informed. WazirX began tracking the chain of transfers and initiated further investigations, coordinating with multiple exchanges to block and recover stolen assets based on available intelligence. Additionally, preliminary findings and updates were shared with the community to keep them informed.

Day 2 - July 19, 2024

WazirX conducted a global outreach, contacting over 500 exchanges to block identified wallet addresses. They engaged with Law Enforcement Agencies (LEAs) and forensic experts for further investigation. To prevent additional losses, deposits and withdrawals were temporarily paused. The community was updated on the progress with LEAs, and warnings were issued about potential scams impersonating WazirX.

Day 3 - July 20, 2024

Efforts to reach out to exchanges and collaborate with Law Enforcement Agencies (LEAs) continued, and users were advised to refrain from trading on WazirX during this critical period.

Day 4 - July 21, 2024

WazirX continued to reach out to and follow up with exchanges while collaborating with Law Enforcement Agencies (LEAs). They launched a bounty program, offering up to $10,000 worth of USDT for actionable intelligence leading to the recovery of stolen funds, with a total of $23 million available as a White Hat Bounty. Trading was temporarily halted, and a comprehensive update was shared with users detailing the current status and the actions being taken.

Day 5 - July 22, 2024

WazirX continued to reach out to and follow up with exchanges while collaborating with Law Enforcement Agencies (LEAs), and received more than 80 inquiries for its bounty program within 24 hours. Deposits, withdrawals, and trading remained paused for all users while the team worked on re-enabling withdrawals.

Day 6 - July 23, 2024

WazirX is continuing its efforts to reach out to and follow up with exchanges while collaborating with Law Enforcement Agencies (LEAs). Over the last 48 hours, they have received more than 133 inquiries regarding their bounty program. They are actively working on enabling withdrawals for users and exploring various strategies to resume deposits, withdrawals, and trading on the platform.

Additionally, WazirX has engaged with potential partners to find solutions that will benefit their customers and is reaching out to projects associated with the stolen tokens to seek their support in the recovery process.

Wallet Configuration and Breach Mechanics

The compromised wallet had six signatories: five from WazirX and one from Liminal. A transaction typically required approval from three WazirX signatories, each signing with a Ledger hardware wallet, followed by a final approval from Liminal. A whitelisting policy was also in place, allowing transactions only to pre-approved addresses.

Initial investigations revealed that the attacker exploited vulnerabilities in Liminal's interface to manipulate the displayed data, which facilitated unauthorized control and transfer of funds. The attacker exploited a discrepancy between the data shown on Liminal’s interface and the actual transaction contents, compromising the private keys and replacing the payload to transfer control of the wallet and initiate unauthorized withdrawals.

Liminal Custody stated that only one multisig smart contract wallet was compromised, and that this wallet had been created outside the Liminal ecosystem. It went on to confirm that Liminal's infrastructure, wallets, and assets remain safe, as the platform itself was not breached.

Nature of the Cyber Attack

The attacker exploited a discrepancy between the data shown on Liminal's interface and the actual transaction contents. By compromising the private keys, they replaced the payload to gain control of the wallet and initiate unauthorized withdrawals. According to the blockchain analytics firm Lookonchain, more than $100 million worth of Shiba Inu (SHIB) tokens, $52 million in Ethereum tokens, $11 million in Matic tokens, and $6 million in Pepe tokens were stolen.
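The mechanics described in "Wallet Configuration and Breach Mechanics" and restated above come down to one control failure: signers approved what the custody interface displayed rather than the raw payload that was actually signed, and the whitelist did not stop a payload aimed at the wallet contract itself. The following is an added illustration, not code from WazirX, Liminal, or any wallet vendor, of a signer-side check that inspects the raw transaction independently of the UI before a hardware-wallet signature is released. The addresses, 4-byte selectors, and sample payloads are constructed, the `canonical_digest` stand-in uses SHA-256 rather than a real chain's signing hash, and the admin-function selectors are hypothetical placeholders (real values depend on the contract's ABI).

```python
"""Independent pre-signing policy check for a multisig transaction.

Added example (not WazirX's, Liminal's, or any vendor's code). A signer
runs this against the raw payload it is about to sign and compares it with
the digest the custody UI presented, so a UI/payload mismatch or a payload
that targets the wallet's own admin functions is refused before signing.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed whitelist of approved destinations (hypothetical addresses).
WHITELIST = {
    "0x1111111111111111111111111111111111111111",  # hot wallet (constructed)
    "0x2222222222222222222222222222222222222222",  # cold wallet (constructed)
}

# Hypothetical selectors for wallet-administration functions that a routine
# asset transfer must never invoke. Real selectors come from the contract ABI.
ADMIN_SELECTORS = {
    "0xaaaaaaaa": "addOwner",
    "0xbbbbbbbb": "changeThreshold",
    "0xcccccccc": "setImplementation",
}


@dataclass(frozen=True)
class RawTx:
    wallet: str      # address of the multisig contract that will execute this
    to: str          # destination the multisig will call
    value: int       # native value in wei
    data: str        # hex calldata exactly as it will be signed
    operation: str   # "call" or "delegatecall"


def canonical_digest(tx: RawTx) -> str:
    """Stand-in for the chain's signing hash (assumption: real wallets use a
    keccak/EIP-712 digest). SHA-256 over canonical JSON is sufficient here to
    detect divergence between the UI summary and the payload being signed."""
    fields = {
        "wallet": tx.wallet.lower(), "to": tx.to.lower(), "value": tx.value,
        "data": tx.data.lower(), "operation": tx.operation,
    }
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def check_policy(tx: RawTx) -> list[str]:
    """Return a list of policy violations found in the raw payload (empty = ok)."""
    problems = []
    if tx.to.lower() not in {a.lower() for a in WHITELIST}:
        problems.append(f"destination {tx.to} is not whitelisted")
    if tx.operation != "call":
        problems.append(f"operation {tx.operation!r} is not a plain call")
    if tx.to.lower() == tx.wallet.lower():
        problems.append("payload targets the multisig wallet itself")
    selector = tx.data[:10].lower() if len(tx.data) >= 10 else ""
    if selector in ADMIN_SELECTORS:
        problems.append(f"calldata invokes admin function {ADMIN_SELECTORS[selector]}")
    return problems


def approve_for_signing(tx: RawTx, ui_digest: str) -> tuple[bool, list[str]]:
    """Approve only if the UI's summary digest matches the raw payload AND the
    payload passes policy. Both checks run on the bytes the device will sign,
    never on the interface's rendering of them."""
    problems = check_policy(tx)
    if ui_digest != canonical_digest(tx):
        problems.insert(0, "UI summary does not match the payload to be signed")
    return (not problems, problems)


# Constructed samples: a routine transfer, and a payload that redirects the
# wallet's own admin function while the UI still shows the routine transfer.
WALLET = "0x9999999999999999999999999999999999999999"  # constructed
BENIGN = RawTx(WALLET, "0x1111111111111111111111111111111111111111", 10**18, "0x", "call")
TAMPERED = RawTx(WALLET, WALLET, 0, "0xcccccccc" + "00" * 32, "call")


def demo() -> dict:
    """Run both samples; the tampered one is shown alongside the benign digest,
    modelling an interface that displays a different transaction than it submits."""
    benign_ok, benign_problems = approve_for_signing(BENIGN, canonical_digest(BENIGN))
    tampered_ok, tampered_problems = approve_for_signing(TAMPERED, canonical_digest(BENIGN))
    return {
        "benign": (benign_ok, benign_problems),
        "tampered": (tampered_ok, tampered_problems),
    }


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(name, "APPROVED" if ok else "REFUSED", problems)
```

The design point is that the policy engine and the digest comparison consume the raw `RawTx`, so a compromised or spoofed interface cannot influence the decision; whitelisting destinations alone is insufficient, because a payload addressed to the wallet contract itself (owner, threshold or implementation changes) must be refused regardless of how the UI labels it.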

Web3 security firm Cyvers detected multiple suspicious transactions involving WazirX’s multisig wallet, noting that $230 million worth of crypto was moved to a new address, with the use of Tornado Cash, a decentralized protocol for private transactions on Ethereum. A suspicious address swapped PEPE, Gala, and Tether tokens to Ether, and continued swapping other digital assets.

Measures Taken by WazirX

Following the cyberattack, WazirX implemented several immediate actions:

Filing a Complaint

WazirX filed a complaint with the police through the National Cyber Crime Reporting Portal and initiated a physical complaint. The incident was also reported to the Financial Intelligence Unit, India, and CERT-In. They proactively contacted over 500 exchanges to block the identified addresses, with many exchanges cooperating and assisting in recovery efforts. Coordinating with cybersecurity experts, they conducted a detailed review of the incident and restoration operations, with preliminary findings available for review.

Bounty Program

A bounty program was implemented to expedite asset recovery, offering up to $10,000 in USDT for actionable intelligence leading to the freezing and recovery of funds. A total of $23 million has been allocated for the White Hat Bounty. Temporary measures included disallowing INR and cryptocurrency deposits/withdrawals and halting trading activities to ensure asset safety.

Updates and Withdrawals

WazirX assessed the incident's impact and planned its recovery efforts. Work to re-enable fund withdrawals involved detailed forensic analysis and security audits. Committed to providing regular updates to maintain transparency and address concerns, WazirX emphasized the security and well-being of its users. Despite the event being beyond their control, they are dedicated to recovering the stolen funds and are actively working with top-tier resources and experts to pursue these recovery efforts.

Conclusion

The WazirX cyberattack highlights the vulnerabilities and complexities involved in managing digital assets. The incident underscores the critical need for robust security measures, swift responses, and transparent communication when dealing with cyber threats. WazirX's efforts to recover the stolen funds and enhance security protocols demonstrate their commitment to safeguarding user assets and maintaining trust in the cryptocurrency ecosystem.

Leveraging new-gen cybersecurity solutions can significantly enhance an organization’s readiness and response capabilities during cyber incidents. We, at Rapifuzz, provide a comprehensive suite of cybersecurity services, encompassing API security, threat detection, incident response, and proactive defense measures. By integrating such technologies, governments and organizations can significantly strengthen their cybersecurity posture, effectively mitigate risks, and ensure the continuity of essential services in an increasingly digital landscape.