WazirX: Analyzing the $235 Million Security Breach
An In-Depth Analysis of the $235 Million WazirX Heist: Uncovering Security Flaws, Attack Methods, and Implications for Cryptocurrency Custody Solutions
TL;DR
The $235 million WazirX heist exploited vulnerabilities in the exchange's multisig wallet. Attackers executed a sophisticated scheme involving privacy tools and phishing to gain control and drain funds. This breach highlights critical flaws in current custody solutions and underscores the growing risk of sophisticated, potentially state-sponsored attacks.
WazirX, India's leading cryptocurrency exchange, suffered a significant loss of $235 million due to a breach in its Safe multisig wallet.
Cyvers, a security firm, detected the attack shortly after it occurred, noticing multiple suspicious transactions funded by Tornado Cash on the platform.
Despite efforts to alert WazirX, the attacker had already begun converting the stolen tokens to Ethereum (ETH) and was in the process of exiting.
Approximately 30 minutes later, WazirX confirmed the security breach and announced the suspension of withdrawals.
📢 Update: We're aware that one of our multisig wallets has experienced a security breach. Our team is actively investigating the incident. To ensure the safety of your assets, INR and crypto withdrawals will be temporarily paused. Thank you for your patience and understanding.… x.com/i/web/status/1…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia)
7:48 AM • Jul 18, 2024
This incident places WazirX at number seven on the notorious Rekt Leaderboard, just behind DMM Bitcoin, which lost $304 million in a similar multisig wallet breach in May.
This serves as another stark reminder of the importance of the principle "not your keys, not your crypto."
The WazirX hack showcased patience and deception at its finest.
According to a technical analysis by Mudit Gupta, the attackers started preparing at least eight days before the main attack, conducting small test transactions to set the stage.
Their target was WazirX's multisig wallet, which required six signatures: five from WazirX and one from Liminal, their custody provider. WazirX confirmed this in their preliminary report on the exploit.
At WazirX, our commitment to transparency and community welfare is paramount. There was a cyber attack on one of our multisig wallets. Below are the preliminary findings to clarify the situation:
» Incident Overview: A cyber attack occurred in one of our multisig wallets… x.com/i/web/status/1…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia)
4:56 PM • Jul 18, 2024
Rather than simply draining the wallet, the hackers took a more subtle approach by upgrading the multisig wallet to a malicious version they controlled.
To do this, they had to bypass WazirX's security measures, including Ledger Hardware Wallets for signatories and a whitelist policy for destination addresses.
The attackers likely compromised two of the four necessary private keys directly. For the remaining two, they used signature phishing, tricking signers into approving what seemed to be a regular USDT transfer.
The deception also involved Liminal's interface, where WazirX suspects that a difference between the displayed data and the actual transaction contents allowed the attackers to replace the transaction payload.
Minutes before the hack, a legitimate USDT transfer failed, which should have been a warning sign but went unnoticed.
Two of the four signatures were not for the USDT transfer but for upgrading the wallet to a malicious contract.
Once everything was set, the hackers carried out their plan.
Using the two compromised keys and the two phished signatures, they successfully upgraded the multisig wallet to their malicious contract.
One of the phished signatures was from Liminal Custody, the co-signer responsible for final checks, indicating a major lapse in their verification process—a vulnerability the attackers exploited effectively.
Once the upgrade was complete, the attackers had full control of the wallet and could drain funds at will.
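The failure mode described above is a signer approving a payload they never decoded for themselves: the interface showed a USDT transfer, the signed bytes pointed the Safe at a new implementation. The following Python check is an added example, not code from Blockbasis, WazirX, Liminal or the Safe project. It decodes a Safe execTransaction payload independently, compares it with what the custody interface displayed, and rejects anything that is not a plain ERC-20 transfer of an allowlisted token to a whitelisted destination. The Safe field names (to, value, data, operation), the ERC-20 transfer selector 0xa9059cbb, and every address, amount and calldata value below are assumptions or constructed samples; the "upgrade" payload uses a placeholder selector and does not reproduce the real Safe function.

```python
"""Independent pre-signing check for a Safe multisig transaction (added example).

All addresses, amounts and calldata are constructed; the Safe field layout and the
ERC-20 transfer selector are assumptions about the protocol, not data from the post.
"""
from dataclasses import dataclass
from typing import Optional

ERC20_TRANSFER_SELECTOR = "a9059cbb"   # keccak256("transfer(address,uint256)")[:4]
OP_CALL, OP_DELEGATECALL = 0, 1        # Safe operation codes


@dataclass
class SafeTx:
    to: str          # contract the Safe will call
    value: int       # native ETH sent, in wei
    data: str        # calldata as hex without the 0x prefix
    operation: int   # 0 = CALL, 1 = DELEGATECALL


@dataclass
class Displayed:
    """What the custody interface showed the signer (constructed)."""
    token: str
    recipient: str
    amount: int


def decode_erc20_transfer(data: str) -> Optional[tuple[str, int]]:
    """Return (recipient, amount) if data is a well-formed ERC-20 transfer, else None."""
    if len(data) != 8 + 64 + 64 or data[:8].lower() != ERC20_TRANSFER_SELECTOR:
        return None
    recipient_word, amount_word = data[8:72], data[72:136]
    if recipient_word[:24] != "0" * 24:      # an address must be zero-padded to 32 bytes
        return None
    return "0x" + recipient_word[24:], int(amount_word, 16)


def verify_safe_tx(tx: SafeTx, shown: Displayed, safe_address: str,
                   allowed_tokens: set[str], allowed_recipients: set[str]) -> tuple[bool, str]:
    """Deny by default: approve only a plain ERC-20 transfer of an allowlisted token to an
    allowlisted recipient whose decoded fields match what the interface displayed."""
    norm = lambda a: a.lower()
    if tx.operation != OP_CALL:
        return False, "DELEGATECALL can rewrite the Safe's own storage, including its implementation pointer"
    if norm(tx.to) == norm(safe_address):
        return False, "payload targets the Safe itself: an admin action such as an upgrade, not a token transfer"
    if tx.value != 0:
        return False, "unexpected native ETH value on a token transfer"
    if norm(tx.to) not in {norm(t) for t in allowed_tokens}:
        return False, f"target contract {tx.to} is not an allowlisted token"
    decoded = decode_erc20_transfer(tx.data)
    if decoded is None:
        return False, "calldata is not an ERC-20 transfer(address,uint256)"
    recipient, amount = decoded
    if norm(recipient) not in {norm(r) for r in allowed_recipients}:
        return False, f"recipient {recipient} is not on the destination whitelist"
    if (norm(tx.to), norm(recipient), amount) != (norm(shown.token), norm(shown.recipient), shown.amount):
        return False, "decoded payload does not match what the interface displayed"
    return True, "ok"


# ---- constructed sample data (placeholder addresses, not the real WazirX contracts) ----
SAFE = "0x" + "aa" * 20
USDT = "0x" + "bb" * 20
HOT_WALLET = "0x" + "cc" * 20      # whitelisted destination
ATTACKER_IMPL = "0x" + "dd" * 20   # stands in for an attacker-controlled contract


def transfer_calldata(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256) for the sample payloads."""
    return ERC20_TRANSFER_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


SHOWN = Displayed(token=USDT, recipient=HOT_WALLET, amount=1_000_000 * 10**6)

SAMPLES = {
    # what the UI claimed: a routine USDT transfer to the hot wallet
    "legit": SafeTx(USDT, 0, transfer_calldata(HOT_WALLET, SHOWN.amount), OP_CALL),
    # placeholder "upgrade" call: targets the Safe itself with a non-transfer selector
    "upgrade": SafeTx(SAFE, 0, "deadbeef" + ATTACKER_IMPL[2:].rjust(64, "0"), OP_CALL),
    # delegatecall into foreign code is never a token transfer
    "delegatecall": SafeTx(ATTACKER_IMPL, 0, "", OP_DELEGATECALL),
    # valid transfer shape, but to an address not on the whitelist
    "wrong_dest": SafeTx(USDT, 0, transfer_calldata(ATTACKER_IMPL, SHOWN.amount), OP_CALL),
    # valid transfer to the right place, but the amount differs from the display
    "amount_mismatch": SafeTx(USDT, 0, transfer_calldata(HOT_WALLET, SHOWN.amount * 10), OP_CALL),
}


def check_all() -> dict[str, bool]:
    """Run the check over every sample; only 'legit' should come back approved."""
    return {name: verify_safe_tx(tx, SHOWN, SAFE, {USDT}, {HOT_WALLET})[0]
            for name, tx in SAMPLES.items()}


if __name__ == "__main__":
    for name, tx in SAMPLES.items():
        ok, reason = verify_safe_tx(tx, SHOWN, SAFE, {USDT}, {HOT_WALLET})
        print(f"{name:16s} {'APPROVE' if ok else 'REJECT '} {reason}")
```

The check is an allowlist, not a blocklist: it does not need to know the selector of the upgrade function, because anything that is not the one expected shape (CALL, zero value, allowlisted token, transfer selector, whitelisted recipient, fields equal to the displayed summary) is refused. That is what closes the gap the post describes between "displayed data" and "actual transaction contents": the decision is made on the bytes that will be signed, never on the interface's rendering of them.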
ZachXBT's investigation detailed a complex trail of transactions, broken down into the following timeline:
July 8th:
  A ChangeNOW hot wallet sent two transactions to the address 0xC891b507A7c109179d38E2Cb4DE6CD8Dc70D2ad4:
    0.36 ETH (transaction 1)
    0.66 ETH (transaction 2)
  Timing analysis suggests these funds originated from Bitcoin transactions.
  Address 0xc687 received 1 ETH from Tornado Cash; the matching 1 ETH deposit to Tornado Cash was made 9 hours earlier.
July 9th:
July 10th:
  Six deposits of 0.1 ETH each were made to Tornado Cash from the address 0xc6873ce725229099caf5ac6078f30f48ec6c7e2e.
  The main attack address received 6 x 0.1 ETH from Tornado Cash.
  The attack address began test transactions with the 0x09b multisig, one each in ETH, SHIB, and USDT.
July 18th (Attack Day):
  The attack was executed on the WazirX wallet 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4.
  Funds were drained to the main attack address 0x6EeDF92Fb92Dd68a270c3205e96DCCc527728066.
Flow of Funds (diagram not reproduced here)
In a twist worthy of a spy novel, ZachXBT cracked an Arkham bounty by identifying a KYC exchange deposit made by the WazirX hacker.
This complex web of transactions highlights the meticulous planning and execution behind the WazirX hack.
The attackers' use of privacy tools, test transactions, and multiple addresses demonstrates a level of sophistication rarely seen in crypto heists.
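The pattern in the timeline above, a counterparty funded from a mixer, small test transactions against the treasury wallet over several days, then a large outflow to that same counterparty, is exactly what a monitoring rule can key on, and the first two stages are visible before any funds leave. The following Python heuristic is an added example, not Cyvers', ZachXBT's or WazirX's tooling. It scans a constructed transaction list and raises a high-severity alert once a mixer-funded address has exchanged test transactions with the treasury, escalating to critical if a large outflow to that address follows within the window. MIXER, TREASURY, the counterparty addresses, the thresholds and the timestamps are all placeholders or constructed values; amounts are treated as already converted to a common unit, which a real monitor would do with a price feed.

```python
"""Mixer-funded test-transaction-then-drain detector (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    ts: int          # unix timestamp (constructed)
    sender: str
    receiver: str
    asset: str
    amount: float    # constructed, assumed already normalised to a common unit


# Placeholder addresses: not Tornado Cash's contract, not the WazirX or attacker addresses.
MIXER = "0xMIXER_PLACEHOLDER"
TREASURY = "0xTREASURY_PLACEHOLDER"
ATTACKER = "0xCOUNTERPARTY_A"
EXCHANGE = "0xCOUNTERPARTY_B"

TEST_TX_MAX = 1.0          # tunable: at or below this is a "test-sized" transaction
DRAIN_MIN = 1000.0         # tunable: at or above this counts as a large outflow
WINDOW = 30 * 24 * 3600    # tunable: how long after the first test a drain is still linked


def mixer_funded(txs: list[Tx], address: str) -> bool:
    """True if the address ever received funds directly from the mixer."""
    return any(t.sender == MIXER and t.receiver == address for t in txs)


def analyze(txs: list[Tx], treasury: str) -> list[dict]:
    """Return one alert per counterparty that was mixer-funded and exchanged test-sized
    transactions with the treasury; severity is 'critical' if a large outflow from the
    treasury to that counterparty followed within WINDOW, otherwise 'high'."""
    txs = sorted(txs, key=lambda t: t.ts)
    events = defaultdict(lambda: {"tests": [], "drains": []})
    for t in txs:
        if t.receiver == treasury and t.amount <= TEST_TX_MAX:
            events[t.sender]["tests"].append(t)            # small inbound probe
        elif t.sender == treasury and t.amount <= TEST_TX_MAX:
            events[t.receiver]["tests"].append(t)          # small outbound probe
        elif t.sender == treasury and t.amount >= DRAIN_MIN:
            events[t.receiver]["drains"].append(t)         # large outflow
    alerts = []
    for addr, ev in events.items():
        if not (ev["tests"] and mixer_funded(txs, addr)):
            continue                                        # benign or unrelated counterparty
        first_test = ev["tests"][0].ts
        drains = [d for d in ev["drains"] if 0 <= d.ts - first_test <= WINDOW]
        alerts.append({
            "address": addr,
            "severity": "critical" if drains else "high",
            "test_assets": sorted({t.asset for t in ev["tests"]}),
            "drained": sum(d.amount for d in drains),
        })
    return alerts


# Constructed sample echoing the post's timeline: mixer funding, three test
# transactions in different assets about two days later, a large drain eight days on.
SAMPLE = [
    Tx(1_720_400_000, MIXER, ATTACKER, "ETH", 0.6),
    Tx(1_720_600_000, ATTACKER, TREASURY, "ETH", 0.05),
    Tx(1_720_600_100, ATTACKER, TREASURY, "SHIB", 0.02),
    Tx(1_720_600_200, ATTACKER, TREASURY, "USDT", 0.10),
    Tx(1_720_600_300, EXCHANGE, TREASURY, "USDT", 0.50),         # small deposit, no mixer link
    Tx(1_721_300_000, TREASURY, ATTACKER, "ETH", 100_000_000.0),
    Tx(1_721_300_000, TREASURY, ATTACKER, "USDT", 80_000_000.0),
    Tx(1_721_300_000, TREASURY, EXCHANGE, "USDT", 5_000.0),      # large but legitimate outflow
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE, TREASURY):
        print(alert)
```

The rule deliberately fires at the "high" stage, after the test transactions but before the drain, because that is the only point at which pausing withdrawals or adding a signer review still protects funds; the post notes that a failed legitimate USDT transfer minutes before the hack went unnoticed, and a mixer-funded counterparty probing the treasury days earlier is the same kind of signal.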
Mudit Gupta commented on the attack, stating, “It's a very methodical and organized attack, pointing towards DPRK as the hacker.”
While this hasn't been confirmed, it raises the question: could this be another case of state-sponsored crypto theft?
This $235 million heist not only undermines user confidence but also casts doubt on the reliability of current custody solutions and multisig setups.
In an era where even the strongest security measures can be breached, is it wise to trust large sums to any single entity, no matter how reputable?
The emergence of sophisticated, potentially state-sponsored attacks adds a chilling new layer to an already perilous landscape.
With data breaches becoming more frequent and phishing attacks, compromised private keys, and multisig vulnerabilities on the rise, the question arises: where is it truly safe to store our funds?
The short answer seems clear—centralized exchanges are not the answer.
Is the only solution a future where every user must become their own bank, guardian, and ultimate line of defense?