WazirX, a leading Indian crypto exchange, halted withdrawals Thursday after a security breach it called a “force majeure event” resulted in the loss of $230 million, nearly half its reserves.
The Mumbai-based firm said one of its multisig wallets had suffered a security breach. A multisig wallet requires two or more private keys for authentication. WazirX said its wallet had six signatories, five of whom were with WazirX team. Liminal, which operates a wallet infrastructure firm, said in a statement to TechCrunch that its preliminary investigation had found that a wallet created outside its ecosystem had been compromised.
“The cyber attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents,” said WazirX in a statement on Thursday. “During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker.”
Lookchain, a third-party blockchain explorer, reported that more than 200 cryptocurrencies, including 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT and 135 million Gala tokens were “stolen” from the platform.
Blockchain data suggests the attackers are trying to offload the assets using the decentralized exchange Uniswap. Risk-management platform Elliptic reported that the hackers have affiliation with North Korea.
About $230 million in missing assets is significant for WazirX, which reported holdings of about $500 million in its June proof-of-reserves disclosure.
CoinSwitch and CoinDCX, two other leading crypto exchanges in India, assured their customers that their funds were secure and unaffected by this incident.
“Our wallet security remains robust,” Sumit Gupta, co-founder and chief executive of CoinDCX, wrote in a tweet.
“We advise all our crypto investors to be mindful of potential market volatility during this time and exercise caution in their trading and investment activities,” tweeted Ashish Singhal, co-founder and chief executive of PeepalCo, the group holding firm of CoinSwitch.
This is the latest setback for WazirX, which separated from Binance in early 2023 after the two crypto exchanges had a public and high-profile fallout in 2022. Two years after Binance announced it had acquired WazirX, the two companies started a dispute over the ownership of the Indian firm. Binance founder Changpeng Zhao eventually said that the two firms hadn’t been able to conclude the deal and moved to terminate Binance’s businesses with the Indian firm.
“This is a force majeure event beyond our control, but we are leaving no stone unturned to locate and recover the funds. We have already blocked a few deposits and reached out to concerned wallets for recovery. We are in touch with the best resources to help us in this endeavor,” WazirX said in a statement posted on its X account.
The story was updated throughout the day, including most recently at 11:03 p.m. India Standard Time to include WazirX’s confirmation that it lost the crypto assets in the security breach.
Comment