WazirX Reports Breach to FIU, Reaches Out to 500+ Exchanges After $235M Hack

by BSCN

July 19, 2024

WazirX reportedly reached out to over 500 exchanges to block identified addresses, with many exchanges cooperating.

On July 18, 2024, WazirX, one of the largest cryptocurrency exchanges, confirmed a significant security breach that resulted in the loss of about $235 million from one of its multisig wallets. 

The breach led the exchange to temporarily halt withdrawals of Indian Rupees (INR) and cryptocurrencies, raising alarms within the crypto community.

Details of the Attack

Incident Overview:

WazirX reported that the attack targeted a multisig wallet—a wallet requiring multiple private keys to authorize transactions. The compromised wallet had been in use since February 2023, leveraging digital asset custody services provided by Liminal. 

The security breach involved a loss exceeding $230 million, triggering an immediate response from WazirX to secure the remaining assets and address the situation.

Wallet Configuration and Breach Mechanics:

The affected wallet had six signatories: five from the WazirX team and one from Liminal. Typically, a transaction needed approval from three of the WazirX signatories, who used Ledger Hardware Wallets for added security, followed by final approval from Liminal’s representative. 

Despite these security measures, the breach reportedly occurred due to a mismatch between the data displayed on Liminal’s interface and the transaction details. The transaction payload was apparently manipulated to gain unauthorized control over the wallet.

According to WazirX, the attack exploited a discrepancy between the data shown and what was signed, likely replacing the transaction payload to redirect funds. Although the multisig wallet and whitelisting policies were in place to safeguard assets, the attackers managed to breach these defenses.
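The control that failed here is "what you see is what you sign". The sketch below is an added example, not WazirX's or Liminal's code: it compares the transaction shown to a signer with the payload actually submitted for signing, then applies the three-of-five plus custodian rule only to approvals made over the intended transaction. Signer names, addresses, field names and the SHA-256-over-JSON digest are constructed stand-ins, and it assumes each signer can obtain the raw payload independently of the custody interface.

```python
import hashlib
import json

# All names, addresses and field names below are constructed for illustration.
TEAM_SIGNERS = {"wx1", "wx2", "wx3", "wx4", "wx5"}   # five exchange-side signers
CUSTODIAN = "custodian"                               # sixth, final approver
WHITELIST = {"0xHOTWALLET"}                           # allowed destinations

DISPLAYED = {"action": "transfer", "asset": "USDT", "amount": "1000", "to": "0xHOTWALLET"}
TAMPERED = dict(DISPLAYED, action="upgrade", to="0xATTACKER")  # what was really sent to sign


def digest(tx):
    """Hash a canonical encoding so equal transactions always hash equally."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def signer_check(displayed, payload, whitelist=WHITELIST):
    """Reasons a signer should refuse; an empty list means display and payload agree."""
    problems = [f"mismatch:{f}" for f in sorted(set(displayed) | set(payload))
                if displayed.get(f) != payload.get(f)]
    if payload.get("to") not in whitelist:
        problems.append("destination-not-whitelisted")
    return problems


def authorize(intended, approvals):
    """Apply the 3-of-5 plus custodian rule, counting only approvals over `intended`."""
    expected = digest(intended)
    valid = {who for who, signed in approvals.items() if signed == expected}
    return len(valid & TEAM_SIGNERS) >= 3 and CUSTODIAN in valid


if __name__ == "__main__":
    print(signer_check(DISPLAYED, TAMPERED))
    blind = {who: digest(TAMPERED) for who in ("wx1", "wx2", "wx3", CUSTODIAN)}
    print(authorize(DISPLAYED, blind))
```

A full quorum of approvals is still rejected when every signer approved a payload other than the one displayed, which is the case a signature count alone cannot catch.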

Response and Recovery Efforts

In response to the hack, WazirX filed a police complaint and initiated additional legal actions. 

The exchange reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. They reached out to over 500 exchanges to block the identified addresses and are collaborating with them to recover the stolen funds.

WazirX is reportedly working with forensic experts and law enforcement agencies to trace the stolen funds and recover customer assets. They are also conducting a thorough analysis of the attack to understand its scope and prevent future breaches.

WazirX assured its users that it is committed to resolving the situation and is taking all necessary steps to address the breach. 

Insights from Experts

Mudit Gupta, Chief Information Security Officer at Polygon Labs, suggested that the hackers had been preparing for the attack for over a week. According to Gupta, the hackers upgraded the multisig to a malicious version, enabling them to drain the wallet. 

Blockchain analysts suspect that the Lazarus Group, a notorious North Korean hacking collective, might be behind the attack.

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCNews. The information provided in this article is for educational and informational purposes only and should not be construed as investment advice. BSCNews assumes no responsibility for any investment decisions made based on the information provided in this article.
