WazirX Hack Update: Will Investors Get Their Money Back?

As a seasoned cybersecurity analyst with extensive experience in investigating high-profile crypto hacks, I have closely followed the WazirX hack incident that occurred on July 18, 2024. With over a decade of experience under my belt, I’ve seen my fair share of sophisticated attacks, and this one seems particularly complex due to its exploitation of a discrepancy between data displayed on Liminal’s interface and the actual transaction contents.


On Thursday, July 18, 2024, the Indian cryptocurrency exchange WazirX suffered a major security incident, leading to the theft of approximately $230 million in digital assets. The event has left users worried about their investments and uncertain whether the platform will be able to retrieve the stolen funds.

WazirX Hack: What Exactly Happened?

WazirX announced on the social media platform X that one of its multisig wallets, in use since February 2023, had been breached. The wallet, secured through Liminal’s digital asset custody and wallet infrastructure, required approval from three WazirX representatives and one Liminal representative for any transaction.

Despite these precautions, the attackers found a mismatch between the transaction details shown on Liminal’s user interface and the transaction data actually being signed. Exploiting this disparity, they altered the transaction content and gained control of the wallet.

The incident directly affected WazirX’s Ethereum multisig wallet, from which approximately 15,298 Ether (ETH) and various ERC-20 tokens were stolen. The attackers then converted other assets, including Shiba Inu (SHIB), Polygon (MATIC), and Pepe Coin (PEPE), into Ethereum, accumulating a total of around 59,097 ETH, valued at roughly $218 million at the current market price.

WazirX Provides Update On Hack & Takes Immediate Action

In response to the incident, WazirX promptly halted INR and cryptocurrency withdrawals to safeguard the remaining funds. It also filed a police report and notified the Financial Intelligence Unit (FIU) and CERT-In, India’s primary agencies for handling cyber incidents, and contacted more than 500 exchanges to block the identified suspect accounts.

Several trading platforms are also believed to be cooperating with the ongoing investigation. WazirX’s preliminary findings point to a complex attack that targeted the exchange’s interface and the verification process handled by Liminal.

WazirX and Liminal have traded accusations, each blaming the other for security weaknesses. Liminal insists that its systems were not breached and alleges that the attack originated from vulnerabilities in WazirX’s exchange infrastructure.

The Recovery Efforts By WazirX

Recovering the stolen Ethereum will be difficult. Spot on Chain, an on-chain data provider, has reported a troubling development: the hacker’s Ethereum holdings have grown substantially since the stolen assets were liquidated. Compounding the problem, the attacker has used Tornado Cash, a mixing service, to obscure the origin and destination of the funds, which makes tracing and recovering them considerably harder.

WazirX is taking proactive measures, collaborating with forensic experts and law enforcement agencies to trace the stolen funds and identify the culprits. The wider crypto community has also rallied behind the exchange, offering assistance in various forms with the recovery effort.

Despite these efforts, the complexity of the attack and the involvement of mixers such as Tornado Cash pose significant obstacles to recovery. Nevertheless, most of the stolen assets, now converted into Ethereum, remain in the hacker’s wallet.

The blacklisting of these wallets by various exchanges may have kept the funds stationary, which offers some hope of recovery. If the hacker moves the ETH into Tornado Cash, however, the chances of recovering the funds would diminish significantly.

Adding to the complexity, there are suspicions that the North Korean hacking group Lazarus may be behind the WazirX exploit. The group is known for high-profile attacks on crypto exchanges and financial institutions around the world, and its possible involvement underscores the advanced, global nature of the threat and could further complicate the recovery process.

Here’s What WazirX Investors Need To Know

WazirX investors are currently grappling with the question of whether they will be able to recover their investments. Several elements will shape the final result:

1. Tracing & Recovery Efforts:

Cooperation between forensic investigators and law enforcement, including across borders, will be pivotal. Tracing the movement of funds and seizing or retrieving assets requires sophisticated cyber forensic skills and global coordination. WazirX’s latest update indicates that its forensic team is actively engaged, which increases the chances that investors may be able to recover their losses.

2. Community Support:

Engaging the wider cryptocurrency ecosystem, including exchanges and blockchain analytics firms, can greatly improve the prospects of identifying and retrieving stolen assets. WazirX has already reached out to more than 500 cryptocurrency exchanges (CEXs) seeking cooperation, which could speed up the recovery process.

3. Legal Actions:

WazirX’s legal steps, such as filing a police report and notifying regulatory bodies, will also shape the outcome. These measures could lead to the identification and arrest of the culprits and possibly the recovery of some of the misappropriated assets.

4. Compensation Plans:

If the stolen funds cannot be fully recovered, WazirX may offer compensation plans to soften the blow for affected investors. Options could include drawing on insurance policies, establishing a recovery fund, or other methods of minimizing the damage.

5. Use of Tornado Cash:

Reports indicate that criminals have used crypto mixers such as Tornado Cash to launder assets linked to the WazirX exploit. If the attackers manage to move the remaining stolen funds through Tornado Cash, the likelihood of a successful recovery becomes extremely slim. It is therefore imperative for the exchange to act swiftly and get the wallets linked to the attackers frozen before any further damage is done.

6. Not An Inside Job:

Nischal Shetty, founder of WazirX, has disputed allegations that an insider was responsible for the hack. Had it been an inside job, recovery would have been simpler; the involvement of a sophisticated hacker group and the use of platforms like Tornado Cash instead add layers of complexity to the situation.

In his post on X, he explained that the intrusion arose from an inconsistency between the information shown on Liminal’s platform and the true details of the transaction: during the incident, the data displayed on Liminal’s interface did not match the contents actually being signed, and WazirX believes the attacker swapped out the payload in order to seize control of the wallet.
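The payload swap described here and in the section on what happened is a failure of "what you see is what you sign": a co-signer approved what the custody interface showed rather than what was actually being signed. The following added example (not code from WazirX, Liminal or the article) shows the check a co-signer can run independently of the UI before approving; its byte layout, sample addresses and amounts are constructed for illustration and are not Liminal's real format.

```python
"""What-you-see-is-what-you-sign check for a multisig approval (constructed example).

Before approving, a co-signer re-derives the transaction fields from the raw payload
it is asked to sign and compares them with the summary the custody UI displayed.
The byte layout below is a simplified, constructed scheme, not Liminal's format.
"""

# Constructed payload layout: 20-byte to | 32-byte value | 1-byte operation | data
ADDR_LEN, VALUE_LEN, OP_LEN = 20, 32, 1
HEADER_LEN = ADDR_LEN + VALUE_LEN + OP_LEN


def encode_payload(to: str, value_wei: int, operation: int, data: bytes) -> bytes:
    """Serialize transaction fields into the constructed signing payload."""
    return (bytes.fromhex(to[2:]).rjust(ADDR_LEN, b"\x00")
            + value_wei.to_bytes(VALUE_LEN, "big")
            + operation.to_bytes(OP_LEN, "big")
            + data)


def decode_payload(payload: bytes) -> dict:
    """Parse the raw payload back into the fields a signer must check."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload too short to be a valid transaction")
    return {
        "to": "0x" + payload[:ADDR_LEN].hex(),
        "value_wei": int.from_bytes(payload[ADDR_LEN:ADDR_LEN + VALUE_LEN], "big"),
        "operation": payload[ADDR_LEN + VALUE_LEN],
        "data": payload[HEADER_LEN:].hex(),
    }


def verify_before_signing(displayed: dict, payload: bytes) -> list:
    """Return the fields where the UI summary and the raw payload disagree.

    An empty list means the display matches what would actually be signed; any
    mismatch must abort the approval instead of trusting the interface.
    """
    actual = decode_payload(payload)
    return sorted(k for k in actual if actual[k] != displayed.get(k))


# Constructed sample: the UI shows a routine 5 ETH transfer to a known address.
DISPLAYED = {"to": "0x" + "11" * 20, "value_wei": 5 * 10**18, "operation": 0, "data": ""}
PAYLOAD_OK = encode_payload(DISPLAYED["to"], DISPLAYED["value_wei"], 0, b"")
# Constructed sample: a payload whose destination and operation differ from the display.
PAYLOAD_SWAPPED = encode_payload("0x" + "22" * 20, DISPLAYED["value_wei"], 1, b"")

if __name__ == "__main__":
    print("matching payload:", verify_before_signing(DISPLAYED, PAYLOAD_OK))      # []
    print("swapped payload:", verify_before_signing(DISPLAYED, PAYLOAD_SWAPPED))  # ['operation', 'to']
```

A hardware or offline co-signer that performs this decoding itself, rather than relying on the summary rendered by the custody provider, would have refused the swapped payload regardless of what the interface showed.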


2024-07-20 10:40