2024 WazirX hack

From HandWiki
Short description: Cyberattack and cryptocurrency theft
2024 WazirX hack
DateJuly 18, 2024
TypeCyberattack; cryptocurrency theft
TargetWazirX
OutcomeApprox. US$230–235 million stolen; withdrawals and trading suspended
SuspectsAttributed to the Lazarus Group

On 18 July, 2024, WazirX, an Indian cryptocurrency exchange, reported a cyberattack in which approximately US$234.9 million (around ₹2,000 crore) in digital assets were stolen from a multi-signature wallet used under a third-party custody arrangement with Liminal Custody.[1][2] Global analysis later linked the attack to the Lazarus Group, a North Korea–associated threat actor targeting crypto infrastructures worldwide.[3]

Hack

On 18 July 2024, $234.9 million worth of crypto assets have been taken out of the exchange and sent to a new address by North Korean hackers belonging to Lazarus Group.[4][5]

Modus operandi

WazirX's multisig wallet, controlled by five WazirX and one Liminal signature, required three WazirX and one Liminal signature to initiate transactions. Hackers created a fake WazirX account, deposited tokens, and began purchasing Gala (GALA) tokens. After draining the hot wallet, they accessed the cold wallet. When WazirX signatories accessed the multisig wallet, the hackers altered the smart contract controlling it. Once modified in their favor, the attackers gained full control, no longer needing WazirX's keys, and drained all the funds.[6] Before the attack, the crypto exchange stated in its June 2024 proof-of-reserves disclosure that it had about $500 million in digital assets.[7]

Exchange closure

On 18 July 2024, the exchange suspended crypto trading by disclosing the incident.[8][9] User balances were reset to 18 July 2024 (1:00 PM IST), reversing trades made after the hack. This followed user protests after WazirX froze some funds, halted withdrawals, and proposed spreading losses across all users.[10] A First Information Report (FIR) was filed with the Special Cell in New Delhi. One individual, SK Masud Alam, was arrested for opening a "mule" account (under the alias Souvik Mondal) that facilitated the hack.[11][12]

Investigation

According to a report by Mandiant dated 14 August, WazirX’s cyberattack originated from Liminal Custody which was a Singapore-based security partner of the crypto exchange.[13]As per the report, the attack did not affect the exchange’s hot wallets or primary trading platform infrastructure and was confined to the externally managed multisig custody environment. Liminal Custody disputed aspects of the forensic methodology and conclusions[14] and they commissioned Grant Thornton for a comprehensive review of their frontend, backend, UI, and transaction workflow. As per their report, of the 240,000 wallet addresses WazirX submitted to the Singapore court, only a handful were warm/cold wallets managed through Liminal and majority of them had zero balance[15]; the vast majority were hot wallets controlled directly by WazirX. They drew a direct parallel to the Radiant Capital hack (same attack vector: compromised signer devices, Ledger, UI mismatch and malicious contract upgrade), noting that Radiant took full transparency and accountability while WazirX did not.[16]

However, investigative developments in India added further scrutiny to the custody provider’s response. Reports related to the incident noted that the Delhi Police's Intelligence Fusion and Strategic Operations (IFSO) unit alleged that Liminal failed to provide critical logs and technical data associated with the date of the breach. While responses were submitted, authorities stated that the required technical information was not fully provided.[17][18]

WazirX terminated its custody agreement with Liminal, and began moving assets to other secure institutional partners.[19]

Aftermath

On 13 October 2025, the High Court of Singapore sanctioned (with modifications) a creditor-approved restructuring scheme submitted by Zettai Pte Ltd., WazirX’s Singapore-based entity, after the proposal was supported by about 95.7% of creditors by number and 94.6% by value.[20] The scheme of arrangement was pursued under Singapore’s Insolvency, Restructuring and Dissolution Act 2018 and included steps to restructure liabilities, pro-rata distribution of rebalanced assets (approx. 85 % of claim value), and issuance of Recovery Tokens (RTs) for potential future distributions.[21] Following the court sanction, the endorsed scheme was filed with Singapore’s Accounting and Corporate Regulatory Authority (ACRA).[22]

During the restructuring process, WazirX continued court proceedings and creditor engagement, including a creditor vote reported as showing high participation and renewed support for the restructuring scheme after an earlier proposal was rejected by the Singapore court.[23] The exchange later resumed operations under revised custody arrangements and implemented additional security measures, including the use of institutional custody providers such as BitGo.[24][25]

Exchange restart

After the restructuring scheme became legally effective, WazirX restarted operations within ten business days, 24 October 2025, and returned 85% funds to users. The platform introduced a temporary 0% trading-fee offer.[26] Platform operations resumed with the exchange migrating custody to global crypto institutional custody providers such as BitGo.[27][28][29]

References

  1. Venugopal, Sahana (3 September 2024). "WazirX Cyberattack: What is WazirX's legal status after a $230 million wallet hack?" (in en-IN). The Hindu. https://www.thehindu.com/sci-tech/technology/what-is-wazirxs-legal-status-after-a-230-million-wallet-hack/article68595715.ece. 
  2. "WazirX cryptocurrency exchange halts withdrawals after security breach" (in en). 2024-07-18. https://indianexpress.com/article/india/wazirx-cryptocurrency-withdrawals-security-breach-9461946/. 
  3. "Joint Statement on Cryptocurrency Thefts by the Democratic People’s Republic of Korea and Public-Private Collaboration" (in en). https://2021-2025.state.gov/office-of-the-spokesperson/releases/2025/01/joint-statement-on-cryptocurrency-thefts-by-the-democratic-peoples-republic-of-korea-and-public-private-collaboration/. 
  4. Shukla, Siddharth (2024-07-18). "WazirX Pauses Crypto, Rupee Withdrawals After Wallet Breach" (in en). Bloomberg.com. https://www.bloomberg.com/news/articles/2024-07-18/wazirx-pauses-crypto-rupee-withdrawals-after-wallet-breach-lyqzzwm1. 
  5. Anand, Vijay (2024-07-29). "North Korean Lazarus Group linked to $235 million WazirX crypto breach - CNBC TV18" (in en). https://www.cnbctv18.com/technology/wazirx-crypto-breach-cyfirma-north-korean-lazarus-group-19450904.htm. 
  6. Anupam, Suprita (2024-09-25). "The End Of WazirX: The $234 Mn Heist, Nischal Shetty Under Fire And The Blame Game" (in en). https://inc42.com/features/wazirx-crypto-heist-nischal-shetty-blame-game/. 
  7. "WazirX crypto exchange hack: how much of the assets was lost, CEO Nischal Shetty's announcement, and what happens next" (in en-IN). The Hindu. 2024-07-29. ISSN 0971-751X. https://www.thehindu.com/sci-tech/technology/wazirx-crypto-exchange-hack-how-much-of-the-assets-was-lost-and-what-happens-next/article68459460.ece. 
  8. Singh, Manish (2024-07-21). "WazirX halts trading after $230 million 'force majeure' loss" (in en-US). https://techcrunch.com/2024/07/21/wazirx-halts-trading-after-230-million-hit-to-crypto-exchange/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS8&guce_referrer_sig=AQAAAEqQb3DWP_YrVKDE1Q-eSYG-fqRWZTsj8fXpaIkOtiq_BnXD9WNfAgJR9Xl6ysmU0W_KRakHLRgKg3SdcdKqLbS08NUaD7vsgbLSIPzlekFATRNS5ZjQfFb1hPEc1PCWFdanjXZ9m0W5qwu5fR2axTOfFadiT_W_jEI-auYNXKgZ. 
  9. Sharma, Manoj (2024-07-10). "WazirX halts trading, announces $23 mn bounty after hackers steal $234 mn. Key updates" (in en). https://www.fortuneindia.com/macro/wazirx-halts-trading-announces-23-mn-bounty-after-hackers-steal-234-mn-key-updates/117654. 
  10. "WazirX CEO Nischal Shetty shares move to restore account balances and undo all platform trades post-withdrawal halt" (in en-IN). The Hindu. 2024-08-09. ISSN 0971-751X. https://www.thehindu.com/sci-tech/technology/wazirx-ceo-nischal-shetty-shares-move-to-restore-account-balances-and-undo-all-platform-trades-post-withdrawal-halt/article68504503.ece. 
  11. Singh, Navdeep (2024-07-18). "WazirX temporarily suspends crypto deposits and withdrawals after $230M hack". The Economic Times. ISSN 0013-0389. https://economictimes.indiatimes.com/markets/cryptocurrency/wazirx-temporarily-suspends-crypto-deposits-and-withdrawals-after-230m-hack/articleshow/111834527.cms. 
  12. Singh, Manish (2024-07-21). "WazirX halts trading after $230 million 'force majeure' loss" (in en-US). https://techcrunch.com/2024/07/21/wazirx-halts-trading-after-230-million-hit-to-crypto-exchange/. 
  13. Singh, Divyesh (2024-09-09). "Crypto firm WazirX's security partner says no evidence of cyberattack on its system" (in en). https://www.indiatoday.in/business/story/wazirx-security-partner-liminal-company-cyberattack-security-breach-audit-findings-2596809-2024-09-09. 
  14. Radhika Parashar & Siddharth Suvarna (29 July 2024). "WazirX Wallet Hack: Liminal Denies Responsibility Amid Recent Allegations". NDTV. https://www.gadgets360.com/cryptocurrency/news/liminal-refutes-responsibility-wazirx-hack-recent-allegations-6212869. 
  15. "WazirX Shares 2.4 Lakh Non-Zero Fund Crypto Addresses but Investigators Say They’re Lying". 20 October 2024. https://www.binance.com/en/square/post/15129385610761. 
  16. "WazirX accused of running “persistent disinformation campaign” by Liminal while users wait for court updates" (in en-IN). The Hindu. 2024-10-24. ISSN 0971-751X. https://www.thehindu.com/sci-tech/technology/wazirx-accused-of-running-persistent-disinformation-campaign-by-liminal-while-users-wait-for-court-updates/article68786444.ece. 
  17. "WazirX Cyberattack: Liminal Responds To Claims Of Non Cooperation; Here's What It Said" (in en). 2024-11-14. https://news.abplive.com/business/crypto/wazirx-cyberattack-liminal-responds-to-claims-of-non-cooperation-here-s-what-it-said-1731266. 
  18. "Indian police arrest suspect in $230 million WazirX crypto exchange hack" (in en). https://therecord.media/wazirx-crypto-exchange-hack-suspect-arrested-india. 
  19. Singh, Navdeep (2024-08-14). "WazirX ends custody deal with Liminal, begins migration of funds to new wallets after $230 million hack". The Economic Times. ISSN 0013-0389. https://economictimes.indiatimes.com/markets/cryptocurrency/wazirx-ends-custody-deal-with-liminal-begins-migration-of-funds-to-new-wallets-after-230-million-hack/articleshow/112527520.cms?from=mdr. 
  20. "WazirX News: Singapore Clears Plan for Restart, Bringing Respite to Victims of $230M Hack" (in en). https://www.coindesk.com/markets/2025/10/13/wazirx-restructuring-cleared-in-massive-relief-for-usd230m-hack-victims. 
  21. "WazirX’s Revival - an understated moment for India’s Crypto Industry?". https://m.economictimes.com/wealth/invest/wazirxs-revival-an-understated-moment-for-indias-crypto-industry/amp_articleshow/125462692.cms. 
  22. "WazirX to reopen within 10 business days after Singapore High Court approval" (in en-US). https://news.superex.com/articles/6047.html. 
  23. "WazirX users vote again to support restructuring scheme after Singapore court struck down the first proposal" (in en-IN). The Hindu. 2025-08-19. https://www.thehindu.com/sci-tech/technology/wazirx-users-vote-again-to-support-restructuring-scheme-after-singapore-court-struck-down-the-first-proposal/article69950414.ece. 
  24. V, Decrypt / Vismaya (2025-10-23). "WazirX to Resume Trading and Withdrawals More Than a Year After $234M Hack" (in en-US). https://decrypt.co/345632/wazirx-to-resume-trading-and-withdrawals-more-than-a-year-after-234m-hack. 
  25. "Watch: WazirX founder Nischal Shetty candid on the aftermath of 234M hack" (in en). TheStreet Crypto: Bitcoin and cryptocurrency news, advice, analysis and more. https://www.thestreet.com/crypto/markets/watch-wazirx-founder-nischal-shetty-candid-on-the-aftermath-of-234m-hack. 
  26. "India's crypto exchange WazirX to resume operations on October 24 with 0% trading fees". The Times of India. 2025-10-23. ISSN 0971-8257. https://timesofindia.indiatimes.com/technology/tech-news/wazirx-to-resume-operations-on-october-24-with-0-trading-fees/articleshow/124759623.cms. 
  27. "WazirX resumes operations, looks to rebuild trust - The Economic Times". https://m.economictimes.com/tech/technology/wazirx-resumes-operations-looks-to-rebuild-trust/amp_articleshow/124886580.cms. 
  28. Sanzgiri, Vallari (2025-03-13). "WazirX Partners with BitGo Trust to enhance security funds" (in en). https://www.thehindubusinessline.com/money-and-banking/cryptocurrency/wazirx-partners-with-bitgo-trust-to-rebuild-user-trust/article69321066.ece. 
  29. Sharma, Manoj (2025-11-05). "After restructuring and restarting post hack, WazirX is now rebuilding to reclaim No. 1 spot: Nischal Shetty" (in en). https://www.fortuneindia.com/business-news/after-restructuring-and-restarting-post-hack-wazirx-is-now-rebuilding-to-reclaim-no-1-spot-nischal-shetty/127922. 

Template:Hacking in the 2020s



Retrieved from "https://handwiki.org/wiki/index.php?title=2024_WazirX_hack&oldid=4298584"