WazirX Incident: Explained

WazirX, a leading Indian cryptocurrency exchange, faced a major security breach on July 18, 2024 resulting in significant financial losses of over $200 Million. Dive into our detailed analysis to uncover how the attack unfolded, potential culprits, and the broader implications for WazirX users.

CloudSEK TRIAD
July 19, 2024
Green Alert
Last update posted on July 22, 2024

Executive Summary

WazirX Crypto Exchange Suffers Multi-Million Dollar Security Breach

On July 18, 2024, a cyberattack compromised a multi-signature Ethereum (ETH) and ERC-20 token wallet belonging to the Indian cryptocurrency exchange WazirX. The attackers siphoned off approximately $230 million worth of digital assets, representing nearly half of WazirX's total holdings according to their most recent proof-of-reserve report (approximately $503 million).

Potential North Korean Involvement

The attack bears hallmarks of previous campaigns by the Lazarus Group, a North Korean state-sponsored hacking group. This suspicion stems from similarities in tactics and the identification of the attacker's KYC wallet on the Binance exchange.

Exploiting the Multi-Signature Wallet

The perpetrators gained unauthorized access to multiple keys required for authorizing transactions within the targeted multi-signature wallet. They employed various techniques to obfuscate their movements, including:

  • Transferring stolen funds across multiple blockchain networks (chain hopping)
  • Fragmenting large sums into transactions involving various cryptocurrencies
  • Executing transactions resulting in zero ETH balances or generating spoofed transaction tokens

Blockchain analysis indicates that the attackers may have been preparing for this assault for eight days prior to its execution.

Lookalike Domain Scam

Capitalizing on the confusion surrounding the breach, a separate group of fraudsters has deployed lookalike domains that mimic the legitimate WazirX platform. These deceptive websites utilize similar naming conventions to lure unsuspecting victims, particularly those impacted by the initial security breach. The objective is to trick users into surrendering any remaining cryptocurrency holdings within their wallets.

Limited Recovery Potential and User Impact

A full recovery of the stolen funds by WazirX appears unlikely. This incident is expected to have significant negative consequences for WazirX users who had invested in cryptocurrencies through the platform. 

Recommendations

CloudSEK researchers strongly advise against clicking on suspicious links promising refunds or asset recovery, as these tactics are likely further scams designed to exploit the situation.

Analysis and Attribution

Information from the Post

  • On 18 July 2024, WazirX posted that one of their multisig wallets had been compromised. They also halted cash and crypto withdrawals from the platform. [3]
Post made by WazirX's Twitter account.
  • This was followed by investigations by independent researchers and evangelists from the Web3 space. [4] [5]
  • Preliminary investigations revealed that approximately $230 million worth of crypto assets were transferred from the wallet to an unknown malicious wallet. Affected WazirX wallet address: 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4

This is critical because the amount represents almost 50% of all assets held by WazirX according to its most recent asset inventory filing: as per its latest proof-of-reserve report, WazirX was holding $503 million of assets.

How did the attack unfold?

WazirX claims that the cyber attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents.
“During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker.” - WazirX [3]

The provided information suggests a potential phishing attack. We have previously observed attackers injecting malicious JavaScript into web pages so that the interface displays one set of transaction details while the value actually being signed remains hidden. [8]

A related tactic is signature phishing, in which attackers trick users into signing an off-chain message; the resulting signature can then be used to drain the user's assets. [6]

What is a multi-sig wallet?

A multi-signature wallet, often abbreviated as multi-sig, necessitates the use of multiple private keys to authorize cryptocurrency transactions. This security measure can be likened to a safe requiring two or more keys for access.

In this specific instance, the wallet used a six-key multi-signature configuration. Five keys were held by authorized WazirX personnel, while the remaining key was entrusted to a Liminal signatory. To execute a transaction, a minimum of three WazirX keys together with Liminal's key were required. This layered approach was intended to limit the financial loss from compromised or stolen credentials by removing any single point of failure.

Unfortunately, according to reports, attackers gained unauthorized access to two of the keys and used phishing to compromise a further two.
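The following is an added example, not code from WazirX, Liminal or this report. It models the signing policy as described above (an assumed shape: five WazirX keys plus one Liminal key, with at least three WazirX signatures and the Liminal signature required) and shows why a signer that recomputes the digest of the payload it actually reviewed catches the display/payload mismatch the report describes, while a signer that trusts the interface does not. Addresses and payloads are constructed placeholders.

```python
import hashlib
import json

# Assumed model of the policy described in the report (not the real contract):
# five WazirX keys plus one Liminal key; a transaction needs >= 3 WazirX
# signatures AND the Liminal signature.
WAZIRX_SIGNERS = {"wx1", "wx2", "wx3", "wx4", "wx5"}
LIMINAL_SIGNER = "liminal"
WAZIRX_THRESHOLD = 3

# Constructed sample payloads with placeholder addresses (not incident data).
INTENDED_TX = {"to": "0xWITHDRAWAL_DEST_PLACEHOLDER", "value_wei": 10**18,
               "data": "0x", "nonce": 42}
REPLACED_TX = {"to": "0xWALLET_CONTRACT_PLACEHOLDER", "value_wei": 0,
               "data": "0xHAND_OVER_WALLET_CONTROL_PLACEHOLDER", "nonce": 42}


def canonical_digest(tx: dict) -> str:
    """Digest over the exact payload being approved; keys are sorted so the
    value does not depend on field order or on how a UI renders it."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def policy_satisfied(signers: set) -> bool:
    """True only if the 3-of-5 WazirX threshold AND the Liminal key are met."""
    return (len(signers & WAZIRX_SIGNERS) >= WAZIRX_THRESHOLD
            and LIMINAL_SIGNER in signers)


def collect_signatures(intended_tx, submitted_tx, signers, verify=True):
    """Simulate one signing round.

    Every signer reviewed `intended_tx` out of band, but the interface will
    submit `submitted_tx`. With verify=True a signer recomputes the digest of
    what it reviewed and refuses when the presented digest differs; with
    verify=False it signs whatever the interface shows (blind signing), which
    is exactly what a swapped payload exploits.
    Returns (policy_satisfied, number_of_signers_that_refused).
    """
    presented = canonical_digest(submitted_tx)
    expected = canonical_digest(intended_tx)
    signed, refused = set(), 0
    for signer in signers:
        if verify and presented != expected:
            refused += 1
        else:
            signed.add(signer)
    return policy_satisfied(signed), refused


if __name__ == "__main__":
    quorum = {"wx1", "wx2", "wx3", "liminal"}
    print(collect_signatures(INTENDED_TX, INTENDED_TX, quorum))
    print(collect_signatures(INTENDED_TX, REPLACED_TX, quorum))
    print(collect_signatures(INTENDED_TX, REPLACED_TX, quorum, verify=False))
    print(policy_satisfied({"wx1", "wx2", "wx3", "wx4", "wx5"}))
```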

Cashout Process

The perpetrators are reportedly leveraging Tornado Cash, an open-source, decentralized cryptocurrency mixing service built on the Ethereum Virtual Machine (EVM) network. This technology facilitates the obfuscation of transaction trails by commingling potentially identifiable or compromised cryptocurrency funds with those from other users. In this instance, the objective appears to be the concealment of the final destination of the stolen assets.

To further complicate tracking efforts, the threat actors are employing a technique known as "chain hopping." This involves transferring illicit funds across multiple blockchains, fragmenting the overall transaction and making it more challenging to trace the complete path of the stolen cryptocurrency.

The perpetrators are further obfuscating their movements by executing a high volume of transactions that ultimately result in either zero ETH balances or the generation of spoofed transaction tokens. This tactic injects a layer of abstraction, making visual transaction history analysis exceptionally challenging.

None of the transactions shown above actually results in a transfer of funds.

Scammers are exploiting the situation by further targeting people in distress

Lookalike domains mimic the legitimate WazirX platform through similar naming conventions. The goal is to lure unsuspecting victims, most likely those affected by the initial security breach, into surrendering any remaining cryptocurrency holdings in their wallets.

Whois records, a publicly accessible registry of domain name ownership information, show that the fraudulent domain was registered on the same day as the attack. This speed underscores how opportunistic and active the perpetrators are. The tactic is another form of signature phishing, in which seemingly trusted sources are exploited to deceive victims. Further information on such impersonation attempts can be found in [6].

A compromised Twitter Gold account impersonating WazirX was sharing this domain; more about such accounts in [7].

Lookalike fake domain of WazirX

  • Bots on Twitter began advertising the services of scammers who claim they can help with refunds but are in fact in the business of scamming people.
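An added detection example, not part of this report, for the two indicators discussed above: a registrable label that contains or sits within a small edit distance of the brand name, and a registration date on or after the incident. The Whois-style records are constructed sample data with invented domain names, not domains from the incident; the legitimate domain wazirx.com and the incident date are taken from the report.

```python
from datetime import date

LEGIT_DOMAIN = "wazirx.com"
LEGIT_LABEL = "wazirx"
INCIDENT_DATE = date(2024, 7, 18)  # attack date stated in the report

# Constructed Whois-style records (domain -> creation date). The lookalike
# names are invented for illustration and are not domains from the incident.
SAMPLE_RECORDS = {
    "wazirx.com": date(2017, 11, 1),
    "wazirx-refund.com": date(2024, 7, 18),
    "wazlrx.com": date(2024, 7, 18),
    "wazirxrecovery.net": date(2024, 7, 19),
    "example.org": date(2019, 5, 5),
    "waxir.com": date(2015, 1, 1),
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to the brand label suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label: 'wazirx-refund.com' -> 'wazirx-refund'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reasons(domain: str, created: date) -> list:
    """Indicators that make `domain` a suspected WazirX lookalike (empty if none)."""
    if domain.lower() == LEGIT_DOMAIN:
        return []
    label = registrable_label(domain)
    reasons = []
    if LEGIT_LABEL in label:
        reasons.append("contains brand label")
    elif levenshtein(label, LEGIT_LABEL) <= 2:
        reasons.append("edit distance <= 2 from brand label")
    # Registration timing only strengthens an existing name-based match;
    # an old near-miss domain stays a lower-confidence flag.
    if reasons and created >= INCIDENT_DATE:
        reasons.append("registered on or after incident date")
    return reasons


def flag_lookalikes(records: dict) -> dict:
    """Map each suspicious domain to its reasons; clean domains are omitted."""
    flagged = {}
    for domain, created in records.items():
        reasons = lookalike_reasons(domain, created)
        if reasons:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_lookalikes(SAMPLE_RECORDS).items():
        print(domain, "->", ", ".join(reasons))
```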

References

  1. Intelligence source and information reliability - Wikipedia
  2. Traffic Light Protocol - Wikipedia
  3. Preliminary Report: Cyber Attack on WazirX Multisig Wallet (official statement from WazirX)
  4. https://x.com/Mudit__Gupta/status/1813881385800913327 (technical analysis of the attack)
  5. https://x.com/zachxbt/status/1813896332022882686 (attacker wallet and identity)
  6. Signature phishing | MetaMask Help Center
  7. Gold Rush on the Dark Web: Threat Actors Target X (Twitter) Gold Accounts | CloudSEK (spreading fake domains through Twitter Gold accounts)
  8. Cryptocurrency Racket: The Growing Perils of Investing in Mysterious Cryptocurrencies | CloudSEK

Appendix

  • Flow of funds before the actual attack happened on the wallet.
  • Primary hacker's address: 0x04b21735E93Fa3f8df70e2Da89e6922616891a88
  • Secondary address: 0x35febC10112302e0d69F35F42cCe85816f8745CA
  • Tertiary address: 0x90ca792206eD7Ee9bc9da0d0dF981FC5619F91Fd
  • List of stolen assets from the wallet.

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division
