India’s largest cryptocurrency exchange, WazirX, suffered a devastating security breach on July 18, 2024, resulting in the theft of approximately $230-$235 million worth of digital assets.
The attack, which occurred at 06:19 AM UTC, drained roughly half of the exchange’s total assets, affecting a platform that serves over 16 million users.
The heist wasn’t a simple smash-and-grab.
Attackers executed a sophisticated deception by replacing WazirX’s legitimate multisig wallet with a malicious smart contract eight days before the actual theft.
Think of it as swapping out a bank’s vault door with an identical-looking replica that secretly has a back entrance—except this vault required four people to open it simultaneously.
WazirX had implemented robust security measures, including a multisig wallet requiring 4-of-6 signatures to approve transactions, with keys stored on hardware wallets.
The system also maintained a whitelist of approved destination addresses.
However, attackers exploited a clever loophole: they presented signers with transaction data that looked legitimate while the actual payload contained malicious code. This discrepancy between what appeared in the Liminal interface and the actual transaction data was critical to the attack’s success.
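The defensive lesson from this mismatch is that a signer should never rely on the interface's rendering alone: the raw calldata that will actually be signed can be re-decoded independently and compared against what the interface claims, and against the destination whitelist. The following Python is an added illustration of that check, not code from WazirX or Liminal; the token address, recipient addresses, amounts and whitelist are constructed sample values, and the only real constant is the well-known ERC-20 `transfer(address,uint256)` selector.

```python
"""Independent re-verification of a multisig transaction before signing.

Added example, not WazirX's or Liminal's code. The signer decodes the raw
calldata that will be signed and checks it against what the interface shows,
so a discrepancy between display and payload is caught before a signature
is produced. All addresses, amounts and the whitelist below are constructed.
"""
from dataclasses import dataclass

# Well-known 4-byte selector for ERC-20 transfer(address,uint256).
ERC20_TRANSFER_SELECTOR = "a9059cbb"

# Constructed sample whitelist of approved destination addresses (lowercase hex).
WHITELIST = {
    "0x1111111111111111111111111111111111111111",
    "0x2222222222222222222222222222222222222222",
}

# Constructed sample token contract address used by the demo below.
SAMPLE_TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"


@dataclass(frozen=True)
class DisplayedIntent:
    """What the signing interface shows the human signer."""
    token: str
    recipient: str
    amount: int


def encode_erc20_transfer(recipient: str, amount: int) -> str:
    """ABI-encode transfer(address,uint256); used here only to build sample inputs."""
    addr_word = recipient.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + ERC20_TRANSFER_SELECTOR + addr_word + format(amount, "064x")


def decode_erc20_transfer(calldata_hex: str):
    """Return (recipient, amount) for a plain ERC-20 transfer, else None.

    Anything that is not exactly selector + two 32-byte words, or that carries
    an unexpected selector, is treated as 'not what the signer was shown'.
    """
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64:
        return None
    if data[:8] != ERC20_TRANSFER_SELECTOR:
        return None
    recipient_word, amount_word = data[8:72], data[72:136]
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
    if recipient_word[:24] != "0" * 24:
        return None
    return "0x" + recipient_word[24:], int(amount_word, 16)


def verify_before_signing(to: str, calldata_hex: str, shown: DisplayedIntent):
    """Compare the real payload with the displayed intent. Returns (ok, reasons)."""
    reasons = []
    decoded = decode_erc20_transfer(calldata_hex)
    if decoded is None:
        reasons.append("calldata is not a plain ERC-20 transfer; refuse to sign")
        return False, reasons
    recipient, amount = decoded
    if to.lower() != shown.token.lower():
        reasons.append(f"target contract {to} differs from displayed token {shown.token}")
    if recipient != shown.recipient.lower():
        reasons.append(f"calldata recipient {recipient} differs from displayed {shown.recipient}")
    if amount != shown.amount:
        reasons.append(f"calldata amount {amount} differs from displayed {shown.amount}")
    if recipient not in WHITELIST:
        reasons.append(f"recipient {recipient} is not on the destination whitelist")
    return not reasons, reasons


if __name__ == "__main__":
    shown = DisplayedIntent(SAMPLE_TOKEN, "0x1111111111111111111111111111111111111111", 1000)
    honest = encode_erc20_transfer(shown.recipient, shown.amount)
    tampered = encode_erc20_transfer("0x9999999999999999999999999999999999999999", shown.amount)
    print("honest  :", verify_before_signing(SAMPLE_TOKEN, honest, shown))
    print("tampered:", verify_before_signing(SAMPLE_TOKEN, tampered, shown))
```

The check is deliberately strict: any payload that is not the exact function the signer expects is rejected outright, rather than attempting to interpret it, because an unexpected selector is precisely the case in which the display and the payload have diverged. In practice the hardware wallet's own screen should show the same decoded fields, giving a second channel that does not depend on the web interface.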
The stolen assets included more than 190 different tokens, with significant losses in Shiba Inu, Ether, Matic, and Pepe.
Following the breach, blockchain detectives tracked the funds moving through multiple wallets, with the thief gradually converting various tokens to Ether.
This breach highlights why many exchanges now employ cold storage wallets to protect the majority of user funds from online attacks.
Security experts noted that the attack didn’t involve compromising the hardware wallets themselves—forensic analysis by Mandiant found no evidence of compromise on the three laptops used by WazirX team members.
The initial funding for the attack came via Tornado Cash on July 10, suggesting meticulous planning.
While attribution remains uncertain, some analysts have pointed to similarities with tactics used by North Korean hacking group Lazarus, known for orchestrating large-scale cryptocurrency heists.
WazirX immediately paused all withdrawals to protect remaining assets, though the exchange has yet to announce a thorough plan for user reimbursement.
The incident has sparked renewed scrutiny of security practices across centralized exchanges globally.
After acknowledging the breach, WazirX officially announced the suspension of both INR and crypto withdrawals as a protective measure.