WazirX crypto exchange hack and its bounty programme: what it means to India’s crypto

On July 18, Indian cryptocurrency exchange WazirX was hit by a cyberattack that led to a loss of digital assets worth more than $230 million from one of its wallets. The exchange responded by pausing normal trading activities and reported the incident to the Indian authorities and other crypto exchanges. The company also launched two bounty programmes aimed at ethical hackers who can help the exchange track, freeze and recover the stolen funds.

WazirX said there was a cyberattack against a multi-signature wallet it managed through a digital asset custody service known as Liminal. Multi-signature wallets have a built-in security feature that requires several parties to sign off on transactions.

“The impact of the over $230M cyberattack is on the digital assets of our customers,” said WazirX in a blog post, adding that INR funds were not affected. The company strongly denied that WazirX itself was breached, and brushed aside rumours that it was duped by a phishing attack.

The exchange also noted that it was “certain” that its hardware keys were not compromised, adding that an external forensic team would be engaged to further investigate the matter.

But Liminal, after completing investigations at its end, said, “It is evident that the genesis of this hack stems from three compromised devices at WazirX’s end.”

Meanwhile, WazirX founder and CEO Nischal Shetty said that the attack was only possible if there had been four points of failure in the digital signing process.

Who is behind the hack?

WazirX has not yet revealed the suspected parties or perpetrators responsible for the hack. However, news reports have emerged that North Korean hackers were responsible for the incident.

On-chain analysis and other information indicate “that this hack was perpetrated by hackers affiliated with North Korea,” said blockchain analytics platform Elliptic.

In response to The Hindu’s queries to WazirX about the North Korean hackers, the crypto exchange WazirX directed us to its blog and said it was working with law enforcement officials to see if any known threat group might be behind the attack.

“This incident has affected the Ethereum multisig wallet, which consists of ETH and ERC20 tokens. Other blockchain funds are unaffected,” said WazirX in its official blog, specifying that approximately 45% (as per preliminary workings) of crypto assets were affected by the attack.

The company has largely shifted the blame to the process of securing multisig Ethereum wallets, and claimed the vulnerability was not unique to WazirX.

How important is WazirX in the crypto sector?

WazirX calls itself India’s largest cryptocurrency exchange by volume. As of June 10, it reported total holdings of ₹4,203.88 Crores, or USDT 503.64 Million. Tether [USDT] is a stablecoin, or a cryptocurrency that is pegged to the value of the U.S. Dollar but is not an official U.S. currency.

When The Hindu tried to access WazirX’s public and real-time proof of reserves after the cyberattack, we were welcomed by a notice saying that the page was under maintenance.

WazirX has received both positive and negative press in India. The Directorate of Enforcement froze the exchange’s assets in 2022, lambasting its operating procedures and loose Know-Your-Customer (KYC) and Anti-Money Laundering (AML) norms.

“By encouraging obscurity and having lax AML norms, it has actively assisted around 16 accused fintech companies in laundering the proceeds of crime using the crypto route. Therefore, equivalent movable assets to the extent of Rs. 64.67 Crore lying with WazirX were frozen under PMLA, 2002,” said the ED in a statement.

What will happen to WazirX’s assets?

It is unlikely that WazirX’s stolen assets will be recovered in full soon. This is due to the nature of cryptocurrency itself, where assets can be easily mixed, transferred, converted, and sent to anonymous wallets. The chances of asset recovery are even slimmer if it is confirmed that North Korean hackers were behind the incident.

CEO Shetty said on X on July 22 that “small” parts of the stolen funds had been frozen but declined to provide further details. He added that most of the funds had not moved from the attacker’s wallet.

North Korean hackers have stolen billions of dollars in crypto assets in recent years, with the aim of bypassing various financial and economic sanctions.

WazirX is currently working to resume normal operations and has planned to run an online poll to decide how to begin trading on the platform again.

While the Indian exchange has defended its own security practices and pointed to the challenges of the crypto sector at large, more experienced crypto traders will be looking for action plans and accountability, rather than emotional assurances.

What is its bounty programme?

WazirX has announced two bounty programmes: one is to get more information around the stolen funds, and the other is aimed at recovering them. Both programmes are open to all, except WazirX employees and their immediate family members.

Under the first programme, WaxirX will reward upto $10,000 to anyone who can provide the exchange with information that can help it freeze the funds. If the bounty hunter is unable to freeze the fund by themselves, they should collaborate with WazirX by providing sufficient proof to facilitate the process.

But “if the participant fails to freeze themselves and/or fails to collaborate with WazirX to facilitate the freezing of the funds, then the participant shall not be entitled to any rewards,” the exchange said.

The second programme, called White Hat Recovery, is aimed at recovering the funds. Participants are offered 10% of the recovered amount as a white hat incentive.

“This reward will be disbursed only after and subject to the successful receipt of the stolen amount by WazirX. The said rewards shall be payable in USDT or in the form of recovered funds at the sole discretion of WazirX,” the exchange noted.

The bounty programmes are expected to run for the next three months.