2024 WazirX hack
From Wikipedia, the free encyclopedia
| Date | July 18, 2024 |
|---|---|
| Type | Cyberattack; cryptocurrency theft |
| Target | WazirX |
| Outcome | Approx. US$230–235 million stolen; withdrawals and trading suspended |
| Suspects | Attributed to the Lazarus Group |
On 18 July 2024, WazirX, an Indian cryptocurrency exchange, reported a cyberattack in which approximately US$234.9 million (around ₹2,000 crore) in digital assets were stolen from a multi-signature wallet used under a third-party custody arrangement with Liminal Custody.[1][2] Global analysis later linked the attack to the Lazarus Group, a North Korea–associated threat actor targeting cryptocurrency infrastructure worldwide.[3]
Modus operandi
On 18 July 2024, $234.9 million worth of crypto assets were taken out of the exchange and sent to a new address by North Korean hackers belonging to the Lazarus Group.[4][5]
WazirX's multisig wallet was controlled by five WazirX signers and one Liminal signer, and required three WazirX signatures and one Liminal signature to initiate a transaction. The hackers created a fake WazirX account, deposited tokens, and began purchasing Gala (GALA) tokens. After draining the hot wallet, they accessed the cold wallet. When WazirX signatories accessed the multisig wallet, the hackers altered the smart contract controlling it. Once it was modified in their favor, the attackers had full control, no longer needed WazirX's keys, and drained all the funds.[6] Before the attack, the exchange had stated in its June 2024 proof-of-reserves disclosure that it held about $500 million in digital assets.[7]
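The failure described above is that signers approved a payload that did not match what the custody interface showed and that changed the wallet's controlling contract. The following signer-side policy check is an added illustration, not code from WazirX, Liminal or any wallet product: it decodes the exact payload about to be signed, compares it with the intent displayed in the UI, and refuses a delegatecall or a proxy-upgrade selector. The operation codes, the generic Gnosis-style transaction shape and all addresses are constructed assumptions.

```python
"""Signer-side check for a multisig transaction (added illustration; not code
from WazirX, Liminal or any wallet product). Decode the payload that will be
signed and compare it with the intent shown in the custody UI."""
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1                        # operation codes used by common multisig wallets
ERC20_TRANSFER = bytes.fromhex("a9059cbb")       # selector of transfer(address,uint256)
UPGRADE_SELECTORS = {bytes.fromhex("3659cfe6"),  # upgradeTo(address)
                     bytes.fromhex("4f1ef286")}  # upgradeToAndCall(address,bytes)

@dataclass
class Intent:            # what the operator believes they are approving (from the UI)
    token: str           # token contract the transfer should be sent to
    recipient: str
    amount: int

@dataclass
class Payload:           # what will actually be hashed and signed
    to: str
    operation: int
    data: bytes

def encode_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

def decode_transfer(data: bytes):
    """Decode transfer(address,uint256) calldata; None if it is anything else."""
    if len(data) != 68 or data[:4] != ERC20_TRANSFER:
        return None
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def check_payload(intent: Intent, payload: Payload) -> list:
    """Return policy findings; an empty list means the payload matches the UI and may be signed."""
    findings = []
    if payload.operation == DELEGATECALL:
        findings.append("delegatecall: payload could rewrite the wallet's own storage")
    if payload.data[:4] in UPGRADE_SELECTORS:
        findings.append("upgrade selector: payload changes the controlling implementation")
    if payload.to.lower() != intent.token.lower():
        findings.append(f"target mismatch: UI showed {intent.token}, payload calls {payload.to}")
    decoded = decode_transfer(payload.data)
    if decoded is None:
        findings.append("calldata is not the token transfer the UI displayed")
    elif decoded != (intent.recipient.lower(), intent.amount):
        findings.append("transfer recipient or amount differs from the UI")
    return findings

# Constructed sample values (placeholder addresses, not real contracts).
TOKEN, DEST, WALLET, ATTACKER = ("0x" + c * 40 for c in "abcd")
INTENT = Intent(token=TOKEN, recipient=DEST, amount=10**18)
GOOD = Payload(to=TOKEN, operation=CALL, data=encode_transfer(DEST, 10**18))
BAD = Payload(to=WALLET, operation=DELEGATECALL,   # re-points the wallet instead of moving tokens
              data=bytes.fromhex("3659cfe6") + bytes(12) + bytes.fromhex(ATTACKER[2:]))
```

Running `check_payload(INTENT, GOOD)` returns no findings, while the second payload is flagged on all four rules, which is the point at which a signer should stop rather than trust the interface.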
Exchange closure
On 18 July 2024, the exchange suspended crypto trading when it disclosed the incident.[8][9] User balances were reset to their state at 1:00 PM IST on 18 July 2024, reversing trades made after the hack. This followed user protests after WazirX froze some funds, halted withdrawals, and proposed spreading the losses across all users.[10] A First Information Report (FIR) was filed with the Special Cell in New Delhi. One individual, SK Masud Alam, was arrested for opening a "mule" account (under the alias Souvik Mondal) that facilitated the hack.[11][12]
Investigation
According to a report by Mandiant dated 14 August, the WazirX cyberattack originated from Liminal Custody, a Singapore-based security partner of the exchange.[13] As per the report, the attack did not affect the exchange's hot wallets or primary trading platform infrastructure and was confined to the externally managed multisig custody environment. Liminal Custody disputed aspects of the forensic methodology and conclusions[14] and commissioned Grant Thornton for a comprehensive review of its frontend, backend, UI, and transaction workflow. As per that report, of the 240,000 wallet addresses WazirX submitted to the Singapore court, only a handful were warm/cold wallets managed through Liminal, and the majority of those had zero balance;[15] the vast majority were hot wallets controlled directly by WazirX. The report drew a direct parallel to the Radiant Capital hack (same attack vector: compromised signer devices, Ledger, UI mismatch and malicious contract upgrade), noting that Radiant took full transparency and accountability while WazirX did not.[16]
However, investigative developments in India added further scrutiny to the custody provider's response. Reports related to the incident noted that the Delhi Police's Intelligence Fusion and Strategic Operations (IFSO) unit alleged that Liminal had failed to provide critical logs and technical data associated with the date of the breach. While responses were submitted, authorities stated that the required technical information was not fully provided.[17][18]
WazirX terminated its custody agreement with Liminal and began moving assets to other institutional custody partners.[19]