Day-Wise Report: WazirX Cyber Attack Incident

July 28, 2024 · September 3rd, 2024 · 10 minute read

At WazirX, our commitment to transparency remains unwavering. We believe in keeping our community well-informed, especially in light of recent events. To this end, we are providing a day-wise report on actions taken after the cyber attack on July 18, 2024. We will update this blog frequently to inform you about our progress and the steps we are taking.

Incident Overview

On July 18, 2024, WazirX experienced a cyber attack targeting one of our multisig wallets, resulting in the theft of digital assets exceeding $230 million. The affected wallet was managed using Liminal’s digital asset custody and wallet infrastructure. As a result of the attack, our ability to maintain 1:1 collaterals with assets has been deeply impacted.

Day-Wise Report

Sept 3, 2024:

  • INR Withdrawals Phase 2 Starts Early: All eligible users can now withdraw up to the full 66% limit of their INR balances. Originally scheduled for September 9, we’ve expedited this process to provide quicker access.

Sept 2, 2024:

  • First TownHall: We held our first Townhall with the community to discuss the proposed restructuring and Moratorium Application, and to address some of the frequently asked questions. If you missed the TownHall, you can watch it here.

Aug 28, 2024:

  • Moratorium Application Filed in Singapore Court: We wish to update all users of the WazirX Platform that we have taken the next step to address users’ crypto balances following the 18 July 2024 cyberattack by filing for a moratorium with the Singapore High Court under the Insolvency, Restructuring and Dissolution Act 2018. This will provide the necessary space to restructure crypto liabilities of the Platform through a Scheme of arrangement. For more details, read here.

Aug 26, 2024:

  • INR Withdrawals Phase 1: We went live with Phase 1 of INR withdrawals, allowing all eligible users to withdraw up to half of the available 66% limit of their INR balance.

Aug 23, 2024

  • Update on INR Withdrawals and Crypto Next Steps: Over the past few weeks, the WazirX team has been working with partners to address concerns about crypto balances and INR balances. As a result, we are lifting the suspension on INR withdrawals starting 26 August 2024. Withdrawals will be enabled in phases, allowing eligible users to withdraw up to 66% of their INR balances:

    – From 26 August to 8 September 2024, users will be able to withdraw up to half of the present ~66% limit of their INR balances; and
    – From 9 to 22 September 2024, users will be able to withdraw up to the full ~66% limit of their INR balances.

    For more details, read here.

Aug 21, 2024

  • Canceled All Open Orders: We have canceled all Open Orders currently placed on WazirX. Any INR and crypto assets blocked in these Open Orders will be added to the user’s respective balances.

Aug 19, 2024

  • A globally renowned and leading cybersecurity and investigations firm has confirmed that WazirX laptops were not compromised, marking a crucial milestone in our ongoing investigation. We have shared our findings with law enforcement to aid in the recovery of stolen assets. We continue to work closely with global partners to protect our community and strengthen the crypto ecosystem. You can read about it here.

Aug 16, 2024

  • Restoration of Balances Completed: We have completed the restoration of account balances, undoing all trades made after the withdrawal stoppage at 1 PM IST on 18th July 2024.
  • Crypto & INR Balances: We’re working on these two aspects on priority. Both these solutions need legal analysis which is ongoing.

Aug 15, 2024

  • Announced Downtime for Balance Restoration: We announced a downtime from 6 PM on 15th August to 4 AM IST on 16th August to restore account balances and undo trades made after the withdrawal stoppage at 1 PM IST on 18th July 2024.

Aug 14, 2024

  • Migration of Remaining Assets Held with Liminal: We are migrating the remaining assets held with Liminal to new multisig wallets to ensure maximum security following the July 18th cyber attack. The list of new wallets will be published once the migration is complete. The list of affected assets is available on-chain, and you can view all related transactions performed by the attacker after 18th July, 11:45 AM here 👉 https://wrx.gg/raa

Aug 13, 2024

  • Withdrawals: We are working with legal experts to help us formulate an effective method for enabling withdrawals.
  • Bounty Program: We have received entries from 344 bounty hunters, including security professionals and ethical hackers, who are actively pursuing the trail of the stolen funds.
  • Partnership Outreach: We are in touch with multiple partners to explore all possible solutions to mitigate the financial impact of the cyberattack. Currently, we are in discussions with seven partners and making steady progress.

Aug 8, 2024

  • After careful consideration of the situation and feedback from numerous users, we are constrained to restore the balances of all accounts and undo all trades carried out on the WazirX platform following the stoppage of withdrawals on July 18, 2024, at 1 PM IST. You can read more about it here.

Aug 6, 2024

  • An FIR was registered under BNS & IT Act on August 5, 2024, at PS Special Cell, New Delhi, following our complaint about the cyber attack on our multisig wallet.

July 27, 2024

  • Customer Poll: We have launched the way-forward poll. Read more here. We are actively answering queries from our community regarding the poll on asset management preferences. We will continue to share responses as we receive more questions.
  • Investigations: We continue to explore all possible sources of the breach.
  • Continued Coordination: Maintained efforts to connect with exchanges and collaborate closely with Law Enforcement Agencies (LEAs).
  • Bounty Update: Received additional inquiries regarding our bounty program.
  • Partnership Outreach: Engaged with potential partners to find solutions that will benefit our customers.
  • Token Project Outreach: Continued efforts to contact projects associated with the stolen tokens, seeking their support in the recovery process. We are also appealing to these projects to assist us with any available emergency reserves to help mitigate the impact of the cyber attack.
  • Recovery Plans: Evaluating emerging options to aid in the recovery process.

July 26, 2024

  • Customer Poll: We have finalized the implementation of the way-forward poll, which is scheduled to go live tomorrow.
  • Investigations: We continue to explore all possible sources of the breach. For more details, please read our detailed blog here.
  • Platform Reopening: We are actively working towards reopening the WazirX platform.
  • Continued Coordination: Maintained efforts to connect with exchanges and collaborate closely with Law Enforcement Agencies (LEAs).
  • Bounty Update: Received additional inquiries regarding our bounty program.
  • Partnership Outreach: Engaged with potential partners to find solutions that will benefit our customers.
  • Token Project Outreach: Continued efforts to contact projects associated with the stolen tokens, seeking their support in the recovery process. We are also appealing to these projects to assist us with any available emergency reserves to help mitigate the impact of the cyber attack.
  • Recovery Plans: Evaluating emerging options to aid in the recovery process.
  • Community Engagement: Addressed the community with updates and information.

July 25, 2024

  • Customer Poll: We are finalizing the implementation of the way-forward poll, aiming to have it reviewed and go live tomorrow. We are consulting with legal to determine the poll duration and potential reopening date for the platform. Our initial goal is to unlock a portion of each user’s crypto portfolio value in locked tokens while continuing to seek solutions to unlock additional tokens.
  • Investigations: Our ongoing investigation has found no evidence of compromise on our signers’ machines. We continue to explore all possible sources of the breach. For more details, please read our detailed blog here.
  • Continued Coordination: Maintained efforts to connect with exchanges and work closely with Law Enforcement Agencies (LEAs).
  • Bounty Update: Received over 229 inquiries regarding our bounty program.
  • Withdrawals: Actively working on enabling withdrawals for our users.
  • Activities: Exploring various strategies to enable deposits, withdrawals, and trading on the platform.
  • Partnership Outreach: Engaged with potential partners to find solutions that will benefit our customers.
  • Token Project Outreach: Continued efforts to contact projects associated with the stolen tokens, seeking their support in the recovery process. We are also appealing to these projects to help us with any available emergency reserves to help mitigate the impact of the cyber attack. 
  • Recovery Plans: Evaluating emerging options to assist in the recovery process.

July 24, 2024

  • Continued Coordination: Maintained efforts to connect with exchanges and work closely with Law Enforcement Agencies (LEAs).
  • Bounty Update: Received over 195 inquiries regarding our bounty program.
  • Withdrawals: Actively working on enabling withdrawals for our users.
  • Activities: Exploring various strategies to enable deposits, withdrawals, and trading on the platform.
  • Partnership Outreach: Engaged with potential partners to find solutions that will benefit our customers.
  • Token Project Outreach: Continued efforts to contact projects associated with the stolen tokens, seeking their support in the recovery process. We are also appealing to these projects to help us with any available emergency reserves to help mitigate the impact of the cyber attack. 
  • Recovery Plans: Evaluating emerging options to assist in the recovery process.
  • Customer Poll: We will soon run a poll to gather feedback from our customers on the best approach for reopening the platform. Our team is working on the poll setup to ensure everyone has the opportunity to participate.

July 23, 2024

  • Continued Coordination: Continued efforts to reach out to/follow up with exchanges and collaborate with LEAs.
  • Bounty Update: Received over 133 inquiries regarding our bounty program in the last 48 hours.
  • Withdrawals: Actively working on enabling withdrawals for our users.
  • Deposits: Exploring various strategies to enable deposits, withdrawals, and trading on the platform.
  • Partnership Outreach: Engaged with potential partners to find solutions that will benefit our customers.
  • Token Project Outreach: Actively contacting projects associated with the stolen tokens to seek their support in the recovery process.

July 22, 2024

  • Continued Coordination: Continued efforts to reach out to/follow up with exchanges and collaborate with LEAs.
  • Bounty Update: Received over 80 inquiries for our bounty program within 24 hours.
  • Activities: Deposits, withdrawals, and trading remain paused for all users.
  • Withdrawals: Actively working on enabling withdrawals for our users.

July 21, 2024

  • Continued Coordination: Continued efforts to reach out to/follow up with exchanges and collaborate with LEAs.
  • Bounty Announcement: Launched a bounty program to recover the stolen assets. Rewards of up to $10,000 worth of USDT will be given for actionable intelligence that leads to the freezing and recovery of the stolen funds. We are offering 10%, i.e., up to $23 Million, as White Hat Bounty. Read more.
  • Trading Paused: Temporarily paused trading on WazirX as we continue our recovery efforts.
  • User Update: Comprehensive update shared with our users to keep them fully informed about the current status and actions being taken.
  • Recovery: We have recovered small portions of the stolen assets. We cannot disclose specific details at this time.

July 20, 2024

  • Continued Coordination: Continued efforts to reach out to exchanges and collaborate with LEAs.
  • Trading Alert: Advised users to refrain from trading on WazirX during this critical period.

July 19, 2024

  • Global Outreach: Started reaching out to over 500 exchanges to block the identified wallet addresses.
  • Law Enforcement Collaboration: Engaged with Law Enforcement Agencies (LEAs) and forensic experts.
  • Service Suspension: Temporarily paused deposits and withdrawals for all users to prevent further loss.
  • Community Awareness: Updated the community on our progress with LEAs and issued warnings about potential scams impersonating WazirX.

July 18, 2024

  • User Notification: Immediately informed our users about the cyber attack and its potential impact. 
  • Official Complaints: Filed an online complaint with the National Cyber Crime Reporting Portal and are processing a physical complaint.
  • Notified Authorities: Informed the Financial Intelligence Unit (FIU) and Computer Emergency Response Team (CERT-In).
  • Investigation Initiated: Began tracking the chain of transfers and initiated further investigations.
  • Exchange Coordination: Contacted multiple exchanges to block and recover the stolen assets based on available intelligence.
  • Community Updates: Shared preliminary findings and updates with our community. Read here.

Fact Checks

  • The impact of the over $230M cyber attack is on the digital assets of our customers.
  • INR funds are unaffected in this attack.
  • The WazirX platform was NOT breached.
  • The breach happened on July 18, and there was no breach of the WazirX multi-sig wallet before that.
  • Our hot wallets don’t hold more than a few percent of funds at any given time.
  • The cyber attack was on our multi-sig wallet hosted outside the WazirX product infrastructure, which we were accessing through a third-party custody provider, Liminal.
  • This incident has affected the Ethereum multisig wallet, which consists of ETH and ERC20 tokens. Other blockchain funds are unaffected. 
  • The smart contract was created using Gnosis Safe. We started using Liminal in February 2023, and that’s when Liminal’s key was also added to the smart contract.
  • The wallet had six signatories—five from our WazirX team and one from Liminal, who were responsible for transaction verifications. A transaction typically requires approval from three of the WazirX signatories (all three of whom use Ledger Hardware Wallets for security), followed by the final approval from Liminal’s signatory. A policy to whitelist destination addresses was also in place to enhance security. These whitelisted addresses were earmarked and facilitated on the interface by Liminal; consequently, the WazirX team had the ability to initiate transactions to the said whitelisted addresses. 
  • Three WazirX signatures were used, from three different devices, each using a different hardware wallet. All three devices were at different locations, and the links were bookmarked. The signers sign based on the information shown on the Liminal website interface. They cannot see the transaction details on the hardware wallet because ERC20 transactions are blind-signed, so they can only trust the web interface of the custody wallet service provider.
  • We’re certain that none of the hardware keys of the 3 WazirX wallets were compromised. For the 3 WazirX devices used for signing, our preliminary analysis has not found any signs of compromise. But we’re not experts at forensics, so an external forensic team will be engaged to conduct a thorough audit. This will confirm whether any or all of the 3 WazirX devices were compromised, and will give us better insight into whether the 3 signatures on the malicious payload were a result of a compromise or not.
  • Liminal is conducting a detailed analysis of how the malicious payload was signed on their end. They’re working on finding the root cause, and we await their final report. This will give us a better insight into how the fourth signer ended up signing the malicious payload.
  • This attack is only possible if there are 4 points of failure in the signing process.
  • This cyber attack was not due to a Phishing link.
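
As an added illustration of the signing flow described in the fact checks above (not WazirX's or Liminal's code): when a hardware wallet blind-signs, a signer can still decode the raw transaction fields independently of the web interface and compare them with the destination whitelist. The field names follow the Gnosis Safe transaction layout (`to`, `value`, `data`, `operation`); the addresses, allowlists and rule set are constructed assumptions, and the page does not describe the contents of the malicious payload.

```python
# Added example: decode a multisig transaction's raw fields before signing,
# independently of what the custody web interface displays.
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

def decode_erc20_transfer(data: bytes):
    """Return (recipient, amount) for a plain ERC-20 transfer call, else None."""
    if len(data) != 4 + 32 + 32 or data[:4] != ERC20_TRANSFER:
        return None
    addr_word, amount_word = data[4:36], data[36:68]
    if any(addr_word[:12]):  # an ABI address word is left-padded with 12 zero bytes
        return None
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")

def presign_findings(tx, token_allowlist, dest_allowlist):
    """List every reason a signer should refuse; an empty list means 'matches policy'."""
    findings = []
    if tx["operation"] != 0:  # Safe: 0 = CALL, 1 = DELEGATECALL
        findings.append("operation is not CALL")
    if tx["value"] != 0:
        findings.append("unexpected native value")
    if tx["to"].lower() not in token_allowlist:
        findings.append("target contract is not an approved token")
    raw = tx["data"][2:] if tx["data"].startswith("0x") else tx["data"]
    decoded = decode_erc20_transfer(bytes.fromhex(raw))
    if decoded is None:
        findings.append("calldata is not a plain ERC-20 transfer")
    elif decoded[0] not in dest_allowlist:
        findings.append("recipient is not whitelisted")
    return findings

# Constructed sample values (not real addresses).
TOKEN, DEST, OTHER = ("0x" + b * 20 for b in ("aa", "bb", "cc"))

def transfer_calldata(recipient, amount):
    return "0x" + ERC20_TRANSFER.hex() + recipient[2:].rjust(64, "0") + format(amount, "064x")

GOOD = {"to": TOKEN, "value": 0, "operation": 0, "data": transfer_calldata(DEST, 1000)}
WRONG_DEST = dict(GOOD, data=transfer_calldata(OTHER, 1000))
OPAQUE = {"to": OTHER, "value": 0, "operation": 1, "data": "0x12345678"}

if __name__ == "__main__":
    for name, tx in (("good", GOOD), ("wrong_dest", WRONG_DEST), ("opaque", OPAQUE)):
        print(name, presign_findings(tx, {TOKEN}, {DEST}))
```

The check only helps if the raw fields are obtained from a source other than the interface being verified, for example from the payload presented to the signing device.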

We will update this blog frequently with the latest information and developments. Your trust and security are our top priorities, and we are working diligently to resolve this situation.

Thank you for your continued support and understanding.

Disclaimer: Cryptocurrency is not a legal tender and is currently unregulated. Kindly ensure that you undertake sufficient risk assessment when trading cryptocurrencies as they are often subject to high price volatility. The information provided in this section doesn't represent any investment advice or WazirX's official position. WazirX reserves the right in its sole discretion to amend or change this blog post at any time and for any reasons without prior notice.