WazirX, one of India’s leading centralised crypto exchanges, has lost almost half its total assets after it was hacked Thursday morning.
“We’re aware that one of our multisig wallets has experienced a security breach,” WazirX’s X account said in a post at 8:48 am London time. “Our team is actively investigating the incident.”
Blockchain security firm Cyvers was among the first to spot the hack.
🚨ALERT🚨Hey @WazirXIndia, Our system has detected multiple suspicious transactions involving your Safe Multisig wallet on the #ETH network.
A total of $234.9M of your funds have been moved to a new address. Each transaction's caller is funded by @TornadoCash.
The suspicious… pic.twitter.com/4sajAwd4Hb
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 18, 2024
Suspicious transactions began moving funds out of one of WazirX’s Ethereum wallets at around 6:19 am.
In Just over an hour, almost $235 million in assets had been drained.
Among the loot was over $102 million worth of Shiba Inu, a dog-themed memecoin.
The hacker also stole $53 million worth of Ether and $11 million worth of Polygon’s MATIC token, along with smaller amounts of over a dozen more tokens.
Onchain records show the hacker is already selling portions of the stolen crypto.
WazirX held $503m worth of assets, according to the exchange’s June proof of reserves report. The $235 million loss accounts for 46% of its total assets.
WazirX has since suspended cash and cryptocurrency withdrawals.
The hack adds to the $684.3 million already stolen in similar incidents in 2024, according to DefiLlama.
While the amount stolen dropped 56% between 2022 and 2023 to $1.42 billion, security experts have warned that cybercriminals will return with the bull market.
Cracking the safe
WazirX used a Safe multisignature wallet — or multisig — to hold its user’s crypto.
Such wallets are typically viewed as more secure than regular wallets as they require multiple people to sign off of each transaction.
This time, the hacker found a way around this security measure.
“It seems that the signers of the affected account signed a transaction that changed the implementation contract address in the proxy,” Mikhail Mikheev, a software developer at Safe, said in a group on messaging app Telegram and confirmed to DL News.
In other words, after the hacker gained access to WazirX’s systems, they upgraded the code governing the wallet to get around its security features.
“To our knowledge, no other Safes are affected,” Mikheev said. “We’re currently cooperating with WazirX to investigate the issue further.”
Another exchange hack
The WazirX hack is not the first such incident in recent months.
In May, Japanese exchange DMM Bitcoin suffered an ‘unauthorised leak’ of more than $300 million.
Pseudonymous onchain sleuth ZachXBT said North Korea’s Lazarus Group may be behind the DMM Bitcoin hack due to “similarities in laundering techniques and off chain indicators.”
Ari Redbord, the global head of policy at TRM Labs, a blockchain intelligence company said the attack bore “the hallmarks of a prototypical [North Korean] hack.”
It’s not yet known whether Lazarus Group is also behind the WazirX hack.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.