Inside the WazirX Hack: How Safe Are Your Digital Assets?
Imagine waking up to find half of your savings gone. That’s what happened to WazirX users on July eighteenth when over two hundred and thirty million dollars vanished in a cyberattack. One of India’s largest crypto exchanges saw its reserves halved overnight. Was it a sophisticated hack or a security lapse? The real story behind this shocking breach might surprise you.
What happens when a trusted digital vault, holding millions of dollars worth of cryptocurrency, gets breached? On the morning of 18 July 2024, users of WazirX, one of India’s largest crypto exchanges, woke up to a shocking revelation: over two hundred and thirty million dollars had been stolen in a cyberattack. Imagine waking up to find half of your savings gone. This is what users of WazirX experienced, as nearly half of the exchange’s five hundred and three million dollar reserves were wiped out overnight.
The first whisper of the attack came from Cyvers, a blockchain security firm, and soon after, WazirX confirmed the breach. One of their multi-signature wallets, operated by the custody platform Liminal since February of the previous year, had been compromised. Picture a multi-signature wallet as a high-security bank vault that requires several keys to open. In this case, the vault had six keys, one held by Liminal and the rest by WazirX, with Liminal providing the final approval. Despite these measures, hackers managed to break in, forcing WazirX to temporarily halt all rupee and crypto withdrawals.
The enormity of this breach cannot be overstated. Edul Patel, co-founder of Mudrex, a crypto investment platform, labeled it the largest crypto exchange breach in India and one of the biggest globally. WazirX described the event as a force majeure, meaning it was beyond their control, and assured users that every effort was being made to recover the stolen funds.
But what exactly happened? The exact details of the hack are still murky, but preliminary investigations revealed some insights. The breach occurred due to a discrepancy between the actual transaction data and what was displayed on Liminal’s wallet. Liminal later clarified that the attack targeted a self-custody wallet outside of their ecosystem, emphasizing that funds within their own system remained secure. It’s a bit like a security guard insisting that the vault inside their building is safe, even though the thieves managed to break into an annex.
Mudit Gupta, Chief Information Security Officer of Polygon, provided a deeper look into the hackers’ methods. He explained that the attackers had been practicing on-chain hacking for at least eight days before executing their plan on July eighteenth. They upgraded the multisig wallet to a malicious version, allowing them to steal the crypto assets. It’s akin to someone silently switching the security cameras in a bank with tampered ones that help them evade detection.
Who were these cyber culprits? Blockchain analytics firm Elliptic traced the attack back to hackers from North Korea, involving around two hundred different assets. These included ninety-six point seven million dollars worth of Shiba Inu, fifty-two point six million dollars of Ether, eleven million dollars of Matic, and seven point six million dollars of Pepe. Imagine a digital heist where the loot isn’t just piles of cash, but a wide array of cryptocurrencies.
For WazirX users, this breach means a lot of uncertainty. Many are left wondering if they’ll ever see their money again. In a proof-of-reserves report from June, the company stated their total holdings were over five hundred and three million dollars. With nearly half of that now gone, WazirX faces a daunting challenge. While the company has stated it is working to recover some of the funds, experts in the crypto space hint that the chances of full recovery are slim. Patel from Mudrex suggested that the exchange could block suspicious transactions and freeze the funds, but retaining user trust remains a significant hurdle.
Another layer of complexity in this saga is the question of responsibility. Since 2022, WazirX has been embroiled in a legal tussle with Binance over ownership of the exchange. This ongoing dispute raises questions about accountability and who will ultimately bear the brunt of this massive loss. It’s like a complex court case where the defendant and plaintiff are still debating who actually owns the company.
In the aftermath of the attack, WazirX pointed to a discrepancy in the transaction data displayed on Liminal’s interface as the cause. They suspect the payload was tampered with to transfer control to the attacker, a tactic known as a transaction manipulation attack. This involves altering the content of a transaction authentication message to change details like the amount being transferred or the beneficiary account. Imagine sending a signed check, only for someone to sneakily change the amount and the recipient before it reaches the bank.
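The check a signer would want at the two points the article describes (a payload that quietly upgrades the wallet's logic, and an interface that displays something other than what is actually hashed for signature), as an added Python example that is not part of the article or of any WazirX or Liminal code. The hashing scheme, the selector allowlist and every address and calldata value are constructed stand-ins, not the incident's real data.

```python
import hashlib
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# Constructed allowlist for this demo; 0xa9059cbb is the real ERC-20 transfer(address,uint256) selector.
ALLOWED_SELECTORS = {bytes.fromhex("a9059cbb"): "transfer(address,uint256)"}


@dataclass(frozen=True)
class WalletTx:
    """The fields a multisig commits to when it hashes a transaction for signing."""
    to: str          # target contract or recipient
    value: int       # native coin amount in wei
    data: bytes      # ABI-encoded calldata; first 4 bytes are the function selector
    operation: int   # CALL or DELEGATECALL


def tx_hash(tx: WalletTx) -> bytes:
    # Stand-in for the wallet's real scheme (EVM multisigs use keccak256 over an EIP-712 struct).
    enc = tx.to.lower().encode() + tx.value.to_bytes(32, "big") + tx.data + bytes([tx.operation])
    return hashlib.sha256(enc).digest()


def review_before_signing(shown: WalletTx, hash_to_sign: bytes, raw: WalletTx) -> list[str]:
    """Return the reasons to refuse; an empty list means the signer may proceed."""
    problems = []
    if tx_hash(shown) != hash_to_sign:  # verify-what-you-sign: recompute from the displayed fields
        problems.append("hash mismatch: the interface shows a different transaction than the one being signed")
    if raw.operation == DELEGATECALL:  # delegatecall lets the payload replace the wallet's own logic
        problems.append("delegatecall: payload can upgrade the wallet to different logic")
    selector = raw.data[:4]
    if selector not in ALLOWED_SELECTORS:
        problems.append(f"unexpected function selector 0x{selector.hex()}")
    if raw.to.lower() != shown.to.lower():
        problems.append(f"target differs: shown {shown.to}, signing for {raw.to}")
    return problems


# Constructed sample values (not the real addresses or calldata from the incident).
TOKEN, TREASURY, ATTACKER_LOGIC = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
HONEST = WalletTx(TOKEN, 0, bytes.fromhex("a9059cbb") + bytes(12) + bytes.fromhex(TREASURY[2:])
                  + (10**6).to_bytes(32, "big"), CALL)
TAMPERED = WalletTx(ATTACKER_LOGIC, 0, bytes.fromhex("deadbeef") + bytes.fromhex(ATTACKER_LOGIC[2:]), DELEGATECALL)


def honest_case() -> list[str]:
    """Interface and signing backend agree on a plain token transfer."""
    return review_before_signing(HONEST, tx_hash(HONEST), HONEST)


def tampered_case() -> list[str]:
    """Interface still shows the transfer, but the hash presented for signing is for an upgrade payload."""
    return review_before_signing(HONEST, tx_hash(TAMPERED), TAMPERED)
```

The first check alone catches the display discrepancy the article describes; the remaining checks are the policy layer that would flag an upgrade payload even if the interface had been rendering it faithfully.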
WazirX claimed they had implemented all necessary security measures, but the hackers still managed to bypass these protections. It’s like a fortress with multiple layers of defense, yet the invaders found a secret tunnel nobody knew about.
So, what exactly is a force majeure? This term, rooted in French law, refers to unforeseeable events that prevent someone from fulfilling a contract. It’s typically used for natural disasters like hurricanes or earthquakes, or human actions such as wars. In this case, WazirX invoked it to indicate that the hack was beyond their control. Think of it as a legal get-out-of-jail-free card when the unexpected happens.
In the end, this breach leaves us pondering some critical questions. How will WazirX recover from such a significant loss? Will users ever get their money back? And perhaps most importantly, in the ever-evolving world of digital finance, how can we truly protect our assets in the face of increasingly sophisticated cyber threats? The world of cryptocurrency is like the wild west, full of opportunities but also dangers lurking around every digital corner. As we move forward, the challenge will be balancing innovation with security, ensuring that our digital vaults remain impenetrable. But will we ever reach a point where such breaches become a thing of the past? Only time will tell.
Affected WazirX Wallet Address: 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4
************
A Bangla audio version of this article is available on Financial Rupkotha, where finance-related stories are told in Bangla. The podcast channel has many such articles narrated in Bangla and is available on Spotify, Amazon Prime Music, and YouTube. Like, share, and subscribe to the podcast channel.