$235 Million Crypto Theft from WazirX Was ‘Perpetrated’ By North Korean Hackers, Report Reveals

As a seasoned cybersecurity analyst with over a decade of experience in investigating and analyzing digital breaches, I find the WazirX hack to be a significant event that highlights the evolving tactics employed by cybercriminals, particularly those linked to North Korea.


Approximately $235 million worth of digital assets are believed to have been stolen from Indian cryptocurrency platform WazirX following a major cyberattack that took place around Thursday morning.

Based on the company’s recent post on X, it seems that their multi-signature wallets were the focus of a security intrusion, leading to a significant loss of funds.

According to Elliptic’s latest analysis, the blockchain theft can be traced back to hackers with suspected ties to North Korea. This connection was further supported by ZachXBT in a recent post on X, suggesting that the “WazirX hack” bears similarities to past attacks carried out by the Lazarus Group.

According to Elliptic’s findings, this incident ranks among the most significant cryptocurrency heists linked to the country. The report underscores that this is not an isolated occurrence; instead, it represents a continuation of North Korean cybergroups’ targeting of major players in the cryptocurrency sector.

Significantly, the largest portion of the stolen funds consisted of diverse crypto assets, encompassing popular tokens like Ethereum, as well as lesser-known ones such as Shiba Inu, PEPE, MATIC, and Floki. This indicates the hackers’ extensive reach in their targets.


Tracking the Digital Trail

As ZachXBT reported on X during the joint investigation, the stolen digital assets were forwarded to a new wallet that had previously been funded through Tornado Cash, a privacy-focused crypto mixer commonly used to conceal the origin of cryptocurrency transactions.

Starting from the Ethereum address 0x6ee, which conducted test transactions on July 10th using the multisig wallet 0x09b, and received a total of 6 transactions, each worth 0.1 ETH, funded by Tornado with SHIB as well.
0x6eedf92fb92dd68a270c3205e96dccc527728066
A technical breakdown of the attack by Mudit can be found below
— ZachXBT (@zachxbt) July 18, 2024

The way cybercriminals, including those from North Korea, conceal the trail of their stolen assets is a distinctive feature of their money-laundering techniques. According to Elliptic, this pattern has been observed in past attacks attributed to these hackers and suggests a consistent strategy for covering their digital footprints.

DEXs played a role in converting pilfered cryptocurrencies into Ethereum, making it harder for authorities to trace the ill-gotten gains. This stage in the money laundering scheme aids the culprits in evading detection and increasing the complexity of fund tracking.

Elliptic has recently improved its systems to identify and alert users about any transactions linked to compromised cryptocurrency addresses. This feature helps protect their clients from unintentionally dealing with ill-gotten funds.

Further Details Unveiled

In response to the recent incident, ZachXBT has discovered a deposit address linked to Know Your Customer (KYC) procedures that was used by the perpetrator to acquire funds from the WazirX exploit. This revelation could potentially aid in the investigation to identify and apprehend the exploiter.

@zachxbt has provided conclusive proof that the perpetrator of the WazirX exploit utilized a deposit address associated with KYC verification for withdrawing funds, meeting one requirement of the bounty: identifying a centralized exchange’s KYC-linked deposit address.

This…

— Arkham (@ArkhamIntel) July 18, 2024

As a researcher, I’ve come across an intriguing perspective from ZachXBT regarding Know Your Customer (KYC) verification in certain scenarios. He states that despite the KYC process, it’s still feasible to obtain verified accounts for less than $100 online.

In simpler terms, if the hacker did not use their true identity when moving the stolen funds into the KYC-linked deposit address identified by ZachXBT, that lead may not help in tracing them.


Featured image created with DALL-E, Chart from TradingView


2024-07-19 11:12