The inside story of WazirX’s $235M hack and how it’s destroying users’ lives left without answers


crypto.news, 10 September 2024, 13:40 UTC

Inside stories from WazirX’s victims reveal the real human toll of the hack, while experts question whether the exchange’s recovery efforts will be enough to restore trust.

The beginning of the crisis

On Jul. 18, the Indian crypto community was shaken when WazirX, the country’s largest crypto exchange, became the victim of a massive hack.

Allegedly carried out by the infamous Lazarus Group from North Korea, the attack resulted in a staggering loss of $235 million worth of crypto assets.

The hackers initially stole 15,298 Ethereum (ETH) before swapping various tokens, including Shiba Inu (SHIB), Polygon (MATIC), and Pepe Coin (PEPE), ultimately amassing 59,097 ETH in total.

This severely impacted WazirX’s ability to maintain a 1:1 collateral ratio with its underlying assets, potentially destabilizing the platform.

In response, WazirX temporarily suspended all withdrawals, both in INR and crypto assets, in an attempt to contain the damage. However, this sudden halt only exacerbated the situation, leaving users unable to access their funds, even in emergencies.

More than 45 days have passed, and withdrawals remain on hold. Meanwhile, social media has become a hotspot for frustrated users, many of whom feel abandoned by the platform.

To make matters worse, WazirX has not provided any substantial updates on recovery efforts. The exchange seems to be talking more than acting, leaving users in the dark about when — or if — they will ever recover their funds.

Let’s take a closer look at the current situation, the frustrations of the users, and where things stand nearly two months into this crisis.

A series of missteps

Following the devastating hack on Jul. 18, WazirX’s handling of the situation quickly spiraled into a series of missteps, which have only deepened the mistrust of its user base.

July 18: the blame game begins

On the same day as the hack, WazirX attempted to deflect responsibility by pointing fingers at its digital custody partner, Liminal.

In a post on X, WazirX claimed that the exploit was connected to a discrepancy in a multisig wallet using Liminal’s custody services.

At WazirX, our commitment to transparency and community welfare is paramount. There was a cyber attack on one of our multisig wallets. Below are the preliminary findings to clarify the situation:

» Incident Overview: A cyber attack occurred in one of our multisig wallets…

— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) July 18, 2024

The company stated that there was a mismatch between the data displayed on Liminal’s interface and the actual contents of the transaction, suggesting that the issue was on Liminal’s end.

However, Liminal quickly pushed back, denying any fault. In a detailed blog post, Liminal asserted that its infrastructure had not been compromised and that all wallets, including WazirX’s, were safe.

Liminal stated that the attack was sophisticated, involving malicious payloads on three of WazirX’s machines, which targeted one specific Gnosis Smart Contract Multi-Sig wallet (no details about the wallet were revealed). The custody firm distanced itself from the responsibility, effectively shifting the blame back to WazirX.

As the fallout continued, crypto security firms began weighing in on how the hack might have happened. TruthLabs revealed that concerns about WazirX’s security practices had been raised days before the hack, pointing to potential vulnerabilities that could have led to the exploit.

A showing @WazirXIndia’s own misleading actions and security lapses which most likely led to their Customers losing over $230M in assets

1/18 pic.twitter.com/Yw021PPPk0

— TruthLabs (@BoringSleuth) August 1, 2024

WazirX has so far denied all the accusations, insisting that it had followed industry best practices and employed multiple key holders for its multisig wallets.

July 27: the socialized losses controversy

In what became one of the most controversial moves, WazirX attempted to introduce a “socialized losses” program on Jul. 27.

The exchange proposed that users would only be able to access 55% of their assets, while the remaining 45% would be locked as USDT-equivalent tokens. Two recovery options were presented to users:

  • Option A allowed users to access 55% of their assets for trading, with priority for recovery proceeds.
  • Option B permitted staggered withdrawals of the 55% but gave lower recovery priority.

This plan, which was initially framed as a way to distribute losses fairly, was met with immediate backlash from users. Many felt that the proposal was unfair and that WazirX was attempting to shift the burden of the hack onto its users, further eroding trust in the platform.

why is the strategy socialised?

Choosing to invest in a coin and losing the funds due to hack is a risk the investors of said coin chose

why should holders of other coins make up for them?

those who had assets that didn’t get hacked should get full withdrawal

— Kalpit Veerwal (@kalpitveerwal) July 27, 2024

You are solely responsible for the stolen funds. Why should the user bear the loss? If you are making a profit from your exchange, are you distributing the profit to all the investors? @PMOIndia @nsitharaman are you ignoring this fraud because of what reason?

— Indian (@Resourc12710791) July 27, 2024

The uproar was swift, and WazirX co-founder Nischal Shetty had to clarify that the poll was not legally binding and was only meant to gather feedback.

1. This poll is a preliminary step to understand your opinions.
2. This poll is not legally binding upon the users or WazirX
3. We will soon launch feedback form to collect more ideas
4. We are now looking into next steps based on all the feedback received

This is a major… https://t.co/tcdDjWzIYI

— Nischal (Shardeum) (@NischalShetty) July 29, 2024

August 14: ending the custody partnership with Liminal

Weeks of back-and-forth accusations followed, with WazirX attempting to salvage its reputation. On Aug. 14, the exchange announced that it was terminating its partnership with Liminal Custody. According to WazirX, the decision was made to enhance security by migrating remaining assets to new multisig wallets.

Meanwhile, WazirX hired Mandiant, a Google subsidiary specializing in cybersecurity, to conduct a forensic analysis of the machines involved. The report, according to WazirX, cleared them of any wrongdoing, further deepening the tension between the two companies.

Liminal chose to blame WazirX laptops quickly post the incident without any proofs.

WazirX decided to bring in one of the best forensic team which is Mandiant, a Google subsidiary, to conduct a thorough forensic analysis of all three laptops that were involved during the… https://t.co/A285cMtNoA

— Nischal (Shardeum) (@NischalShetty) August 19, 2024

However, new developments from Liminal paint a different picture. Liminal’s internal investigation, supported by a third-party audit from Grant Thornton, found no evidence of compromise within its systems.

Liminal stated in a blog post that the audit concluded that both the frontend and backend, along with the user interface (UI), remained secure. Liminal’s self-custody wallet services — where private keys stay with the clients — were not vulnerable to the type of breach that occurred at WazirX.

Liminal has since reiterated that any claims tying the vulnerability to its services are unsupported, and it remains confident that the breach occurred due to issues within WazirX’s setup.

In a nutshell, audit results from both sides point to external factors as the source of the compromise. However, the question remains: where exactly did the breach occur?

WazirX’s dubious withdrawal strategy

As the chaos surrounding WazirX continued, users were dealt another blow when the exchange revealed new restrictions on withdrawals, deepening the frustration already felt by the community.

On Aug. 23, in a bid to appease its users, WazirX announced that it would be lifting the suspension on INR withdrawals. However, there was a catch.

While the exchange promised that INR balances were secure, it disclosed that only 66% of users’ INR funds would be available for withdrawal. The rest? Frozen due to ongoing disputes and investigations by law enforcement agencies.

This meant that from Aug. 26 to Sep. 8, users could only withdraw a portion of their balances in phases, with the remaining half becoming available by mid-September.

The exchange clarified that Zanmai Labs, the entity responsible for INR-related activities, wasn’t the target of these investigations. Yet, the fact remained — 34% of user balances were frozen indefinitely, with no clear timeline for when they’d be released.

Things took an even more worrying turn when WazirX, alongside financial advisory firm Kroll, announced during a digital town hall on Sep. 2 that they would seek a moratorium through Singapore’s legal system.

This move would temporarily shield WazirX from legal action while it attempted to restructure its liabilities, but it came at a steep cost — users would be unable to withdraw their crypto for at least six more months.

The legal protection, WazirX claimed, was the fastest way to work on a plan to recover funds. However, during the town hall, users were warned that a full recovery of their crypto assets was highly unlikely.

In fact, Kroll’s director, George Gwee, stated that customers would probably lose about 43% of their assets. Even in the best-case scenario, users could only expect to recover 55% to 57% of their funds—a bleak forecast for those hoping to recoup their investments.

The untold stories of WazirX’s users

The aftermath of the WazirX hack has left thousands of users stranded, their funds locked away with no clear path to recovery.

crypto.news reached out to several victims who shared their personal experiences, frustrations, and the devastating impact this has had on their financial lives.

One of the hard-hitting stories comes from Sana Afreen, Director of Partnerships at Rizzle, who has been vocal about her situation. Afreen is one of many users whose colossal investment is caught up in the chaos. Speaking to crypto.news, she described her frustration:

As someone with 25 lakhs (about $30,000) stuck in crypto assets, I can say without hesitation that this is a blatant breach of customer trust. WazirX’s handling of the situation has been nothing short of disastrous. The blame-shifting, delayed responses, and freezing of funds have only added to the anxiety and frustration for users like myself, who trusted the platform with significant investments. We see the communication with the community, but it lacks transparency. Instead of addressing the problem head-on, they keep deflecting responsibility.

Afreen didn’t hold back when discussing the recent decision to move the case to Singapore. For her, this move only deepened the mistrust:

Moving the case to Singapore feels like WazirX is trying to dodge accountability under Indian laws. While they may argue it’s a strategic move, it raises serious concerns about their commitment to their Indian users. It’s deeply troubling that WazirX seems to be using users’ money to amortize the losses from the hack rather than tapping into their own profits. This raises serious ethical and operational questions about how they manage their finances. They are choosing to absorb the loss by diminishing the value of the users’ holdings. This is not only unfair but demonstrates a lack of accountability.

Afreen also highlighted how this situation has left her and others in serious financial distress. The uncertainty of recovery has weighed heavily on users who trusted the platform. She explained:

The recent statement suggesting that users might only recover around a part of their crypto assets is particularly alarming. It signals that WazirX is unwilling or unable to bear full responsibility for the breach. Instead of leveraging their own profits—profits that were made possible because of us, the users—they are choosing to push the burden onto us. This isn’t just about money anymore; it’s about trust, responsibility, and ethics. WazirX should be taking the lead in rectifying this situation by contributing their profits to cover the losses. Anything less than that is a disservice to the crypto community.

Another user, who chose to remain anonymous, shared their painful experience with crypto.news. Unlike Afreen, who has taken a more public stance, this victim preferred to stay under the radar but spoke with equal frustration and despair:

I have over 15 lakhs (about $18,000) tied up on WazirX, and the last few months have been nothing but a nightmare. When the hack first happened, I hoped for quick action, but as the days turned into weeks, I realized WazirX was more interested in saving face than helping its users. The decision to freeze our crypto, to shift the case to Singapore—it’s all felt like a series of calculated moves to buy them time while we suffer.

This user went on to criticize WazirX’s lack of transparency and communication, mirroring the concerns expressed by Afreen:

Every time they make an announcement, it feels like they’re just trying to pacify us without giving any real answers. We get bits of information, but nothing concrete. It’s terrifying to think that even after all of this, we may only get back half of what we invested, if that.

For this user, the emotional toll wasn’t just about lost funds but also about losing a sense of control:

I had been in some great positions when the hack happened. Now? I’m watching those same coins pump, but I can’t touch them. That’s the worst part—not being able to do anything while my money is just sitting there, locked up. You start feeling helpless. The more time passes, the more you realize you’re at their mercy. And the idea of recovering only half of what I had? It’s gut-wrenching. I don’t know if I’ll ever fully trust another exchange again.

Meanwhile, across social media, users are sharing their despair in heart-wrenching posts, reflecting just how far-reaching this disaster has become.

Some users are concerned about their health, stating that stress from the situation has worsened their physical condition, making it difficult to repay loans and pushing them toward dark thoughts.

I can’t live sir because my health conditions not well just because of wazirx and I have pay every months loan repayment how can I pay now and think always to die

— Mohammed Ahmed (@Mohamme20211813) August 31, 2024

Users are struggling to cope, left feeling abandoned and helpless. As this crisis drags on, the voices of those suffering only grow louder, demanding a resolution before it’s too late.

Expert opinions: the fallout from WazirX’s missteps

The WazirX hack has left the crypto community and experts questioning the exchange’s response and transparency.

crypto.news spoke exclusively with Suraj Sharma, Global Head of Public Policy & Government Affairs at BitBNS and Onramp.money, who pointed out that the exchange’s failure to communicate effectively had a devastating impact on its credibility:

Since the hack, WazirX’s approach has raised serious concerns regarding transparency. The freezing of INR funds, even for non-affected users, and the delayed communication have significantly eroded customer trust. A clearer and more immediate response—providing specific timelines and steps being taken to safeguard users’ assets—could have alleviated much of the confusion. What’s most concerning is that WazirX didn’t seem to have any crisis management system in place.

When asked about WazirX’s decision to shift legal proceedings to Singapore, Sharma highlighted the strategic motives behind the move but warned of its impact on Indian users:

Given that the parent company, Zettai, is registered in Singapore, this jurisdiction was likely chosen to mitigate many liabilities. But this could easily be interpreted as an attempt to sidestep Indian regulatory oversight… Coupled with co-founder Shetty’s move to Dubai, it doesn’t paint a picture of a company committed to its Indian user base. I’ve spoken to several law enforcement officials who’ve expressed serious concerns about this shift, as it effectively renders Indian authorities powerless in ensuring the safety of funds under their seizure.

The outlook for users with locked funds is particularly grim. Sharma cautioned that any recovery could take a long time, and even then, full restitution might be out of reach:

Users with significant funds locked on the platform face a potentially lengthy resolution process, given the restructuring efforts in Singapore. While Indian users may explore legal remedies through the judiciary, litigation could be protracted and further exacerbate the financial strain for those already affected. Class-action lawsuits might give users a collective platform to hold WazirX accountable, but a rapid resolution seems highly unlikely.

A second expert from the Indian crypto community, who wished to remain anonymous, shared similar concerns. They criticized WazirX’s lack of transparency, noting how the exchange’s actions have severely eroded customer confidence. On the decision to move the case to Singapore, the anonymous expert added:

The shift to Singapore could be motivated by the promise of a more favorable legal framework and more efficient processes, but it raises serious concerns about WazirX’s commitment to its Indian users. It feels like an attempt to dodge responsibility under Indian law, leaving users in an even more vulnerable position.

The future for affected users, according to this expert, remains uncertain, with little hope of full recovery:

The outlook for users is bleak. Even if WazirX is working on recovering funds, there’s no guarantee they’ll get everything back. Users should explore legal options, but the process will be long and arduous. Many may be forced to rely on online communities for support and guidance, as WazirX has shown little interest in offering any real solutions.

Both experts agreed that the WazirX hack is a wake-up call for the Indian crypto industry. The exchange’s failure to communicate effectively, its controversial legal maneuvers, and the growing frustration among users point to a deeper problem — one that requires both regulatory intervention and internal reforms.

Legal troubles brewing for WazirX

As WazirX grapples with the aftermath of the July hack, the exchange is now facing increasing legal challenges. Indian users, frustrated by the freezing of their funds and WazirX’s controversial decision to shift legal proceedings to Singapore, are seeking justice.

crypto.news spoke exclusively with Siddhant Pandey, Managing Partner at Is It Legal Sid, who has received several queries from victims and is guiding them through the complexities of their legal options.

Pandey mentioned that any company’s attempt to move legal proceedings outside India does not strip Indian users of their rights to pursue action within Indian courts:

“My legal opinion in a nutshell is that all users are Indian customers. Many companies tactfully draft their Terms of Use to bind users to arbitration in an overseas jurisdiction, likely in an attempt to discourage cases from being filed in India. But such tactics don’t void the jurisdiction of Indian consumer forums. Indian users should contest and reject similar proceedings outside India.”

Pandey guides his clients to pursue their claims in India, specifically through the National Consumer Disputes Redressal Commission (NCDRC), which handles high-value consumer disputes:

“The most effective route is the NCDRC, but complainants need to meet the pecuniary jurisdiction of ₹10 crore (about $1.2 million). That’s the threshold to get your case heard there.”

Although the exact number of complainants remains confidential, Pandey confirmed that there are enough victims seeking legal recourse to satisfy the NCDRC’s jurisdiction.

With increasing legal pressure from affected users, the exchange may soon face the full force of Indian consumer protection laws. If these efforts gain traction, WazirX could be forced to address the concerns of its Indian user base in local courts, potentially setting a precedent for how crypto exchanges are held accountable in India moving forward.
