
How a hacker just stole $235m from Indian crypto exchange WazirX

Suspicious transactions began moving funds out of one of WazirX’s Ethereum wallets at around 6:19 am. Credit: Andrés Tapia
  • WazirX saw $235 million drained from the exchange on Thursday.
  • It is one of the biggest crypto hacks so far in 2024.
  • Security experts warn that cybercriminals will up their attacks as the bull market returns.

WazirX, one of India’s leading centralised crypto exchanges, has lost almost half its total assets after it was hacked Thursday morning.

“We’re aware that one of our multisig wallets has experienced a security breach,” WazirX’s X account said in a post at 8:48 am London time. “Our team is actively investigating the incident.”

Blockchain security firm Cyvers was among the first to spot the hack.

Suspicious transactions began moving funds out of one of WazirX’s Ethereum wallets at around 6:19 am.

In just over an hour, almost $235 million in assets had been drained.

Among the loot was over $102 million worth of Shiba Inu, a dog-themed memecoin.

The hacker also stole $53 million worth of Ether and $11 million worth of Polygon’s MATIC token, along with smaller amounts of over a dozen more tokens.

Onchain records show the hacker is already selling portions of the stolen crypto.


WazirX held $503m worth of assets, according to the exchange’s June proof of reserves report. The $235 million loss accounts for 46% of its total assets.

WazirX has since suspended cash and cryptocurrency withdrawals.

The hack adds to the $684.3 million already stolen in similar incidents in 2024, according to DefiLlama.

While the amount stolen dropped 56% between 2022 and 2023 to $1.42 billion, security experts have warned that cybercriminals will return with the bull market.

Cracking the safe

WazirX used a Safe multisignature wallet — or multisig — to hold its users’ crypto.

Such wallets are typically viewed as more secure than regular wallets because they require multiple people to sign off on each transaction.

This time, the hacker found a way around this security measure.

“It seems that the signers of the affected account signed a transaction that changed the implementation contract address in the proxy,” Mikhail Mikheev, a software developer at Safe, said in a group on messaging app Telegram and confirmed to DL News.

In other words, after the hacker gained access to WazirX’s systems, they upgraded the code governing the wallet to get around its security features.

“To our knowledge, no other Safes are affected,” Mikheev said. “We’re currently cooperating with WazirX to investigate the issue further.”
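
The upgrade described above suggests two checks a multisig operator can run: one before signing and one as a monitor afterwards. The sketch below is an added example, not code from Safe, WazirX or DL News, and it covers only the delegatecall case. It assumes, as in Safe's published contracts, that a transaction's operation value of 1 means delegatecall and that the proxy keeps its implementation address in storage slot 0; all function names and addresses are constructed for illustration.

```python
# Added example; not Safe's or WazirX's code. All addresses are constructed placeholders.
CALL, DELEGATECALL = 0, 1  # values of a Safe transaction's `operation` field

def singleton_from_slot0(word_hex: str) -> str:
    """Extract the implementation address from the proxy's storage slot 0.
    Assumption: the address is the low 20 bytes of the 32-byte word."""
    raw = word_hex.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + raw[-40:]

def review_before_signing(tx: dict, trusted_delegates: set) -> list:
    """Return the reasons a signer should refuse this pending transaction."""
    findings = []
    to = tx["to"].lower()
    if tx["operation"] not in (CALL, DELEGATECALL):
        findings.append("unknown operation value %r" % tx["operation"])
    elif tx["operation"] == DELEGATECALL and to not in trusted_delegates:
        # Delegatecalled code runs against the wallet's own storage, so it can
        # overwrite slot 0 and swap the implementation behind the proxy.
        findings.append("delegatecall to unvetted contract " + to)
    return findings

def implementation_changed(pinned: str, slot0_word: str) -> bool:
    """Monitor check: does slot 0 (e.g. read via eth_getStorageAt) still match the pin?"""
    return singleton_from_slot0(slot0_word) != pinned.lower()

# Constructed sample data: a pinned implementation, one vetted library, three pending txs.
PINNED = "0x" + "11" * 20
TRUSTED = {"0x" + "22" * 20}
PENDING = [
    {"to": "0x" + "33" * 20, "value": 0, "data": "0x", "operation": CALL},
    {"to": "0x" + "22" * 20, "value": 0, "data": "0x", "operation": DELEGATECALL},
    {"to": "0x" + "44" * 20, "value": 0, "data": "0x", "operation": DELEGATECALL},
]

if __name__ == "__main__":
    for tx in PENDING:
        print(tx["to"], review_before_signing(tx, TRUSTED) or "ok")
    print("changed:", implementation_changed(PINNED, "0x" + "00" * 12 + "44" * 20))
```
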

Another exchange hack

The WazirX hack is not the first such incident in recent months.

In May, Japanese exchange DMM Bitcoin suffered an ‘unauthorised leak’ of more than $300 million.

Pseudonymous onchain sleuth ZachXBT said North Korea’s Lazarus Group may be behind the DMM Bitcoin hack due to “similarities in laundering techniques and off chain indicators.”

Ari Redbord, the global head of policy at TRM Labs, a blockchain intelligence company, said the attack bore “the hallmarks of a prototypical [North Korean] hack.”

It’s not yet known whether Lazarus Group is also behind the WazirX hack.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
