At WazirX, our commitment to transparency remains unwavering. We believe in keeping our community well informed, especially in light of recent events. To that end, we provide a daily report on the actions taken since the July 18, 2024 cyber attack. We will be updating this blog daily to let you know about our progress and the steps we are taking.
Incident overview
On July 18, 2024, WazirX suffered a cyber attack targeting one of our multi-sig wallets, resulting in the theft of over $230 million in digital assets. The affected wallet was managed using Liminal’s digital asset custody and wallet infrastructure. As a result of the attack, our ability to maintain 1:1 collateral with assets was severely impacted.
Day-wise report
Day 1: July 18, 2024
- User notice: We immediately informed our users about the cyber attack and its potential impact.
- Formal complaints: Filed an online complaint with the National Cybercrime Reporting Portal and are processing the physical complaint.
- Notified bodies: Notified the Financial Intelligence Unit (FIU) and the Computer Emergency Response Team (CERT-In).
- Investigation launched: Began to trace the chain of transmission and initiate further investigations.
- Exchange system: Contacted multiple exchanges to block and recover stolen assets based on available intelligence.
- Community updates: Initial findings and updates have been shared with our community. Read here.
Day 2: July 19, 2024
- Global outreach: Started applying to over 500 exchanges to block detected wallet addresses.
- Cooperation of law enforcement agencies: Engaged with law enforcement agencies (LEAs) and forensics.
- Suspension of service: Temporarily suspended deposits and withdrawals for all users to prevent further losses.
- Community outreach: Updated the community on our progress with LEAs and issued warnings about potential WazirX impersonation scams.
Day 3: July 20, 2024
- In continuous coordination: Efforts to reach exchanges and collaborate with LEAs are ongoing.
- Trade alert: Users have been advised to refrain from trading on WazirX during this critical period.
Day 4: July 21, 2024
- In continuous coordination: Efforts are ongoing to reach/track exchanges and engage with LEAs.
- Bounty announcement: Launched a bounty program to recover stolen assets. USDT rewards of up to $10,000 will be offered for actionable intelligence leading to the freezing and recovery of stolen funds. We offer 10%, i.e. up to $23 million, as a White Hat Bounty. Read more.
- Trading is suspended: Trading on WazirX has been temporarily suspended as we continue our recovery efforts.
- User update: A comprehensive update was shared with our users to keep them fully informed of the current status and actions being taken.
- Restoration: We recovered a small portion of the stolen property. We cannot provide specific details at this time.
Day 5: July 22, 2024
- In continuous coordination: Efforts are ongoing to reach/track exchanges and engage with LEAs.
- Bounty update: Received over 80 requests for our rewards program within 24 hours.
- Activity: Deposits, withdrawals and trading remain suspended for all users.
- Withdrawals: Actively working on enabling cashback for our users.
Fact checking
- This incident affected the Ethereum multisig wallet, which consists of ETH and ERC20 tokens. Other blockchain funds are unchanged.
- The smart contract was created using Gnosis Safe. We started using Liminal in February 2023, and that’s when the Liminal key was added to the smart contract.
- The wallet had six signatories, five from our WazirX team and one from Liminal, responsible for verifying transactions. A transaction typically requires the approval of three of the WazirX signers (all three of whom use Ledger Hardware Wallets for security), followed by final approval from the Liminal signer. A whitelisting policy of destination addresses was also in place to increase security. These whitelisted addresses are assigned and facilitated on the interface by Liminal; therefore, the WazirX team had the ability to initiate transactions with the specified whitelisted addresses.
- Three WazirX signatures were used, from three different devices, each using a different hardware wallet. All three devices were in different locations and the links were bookmarked. The signers sign based on the information displayed on the Liminal website interface. They cannot see the details on the hardware wallet because ERC20 transactions are blind-signed, so they can only trust the web interface of the custodial wallet service provider.
- We are confident that the hardware keys of the 3 WazirX wallets have NOT been compromised. Our initial analysis of the 3 WazirX devices used for signing found no sign of compromise. However, we are not forensic experts, so an external forensic team will be brought in to conduct a thorough audit. This will confirm whether any or all of the 3 WazirX devices are compromised, and will give us a better idea of whether the 3 signatures on the malicious payload are the result of a compromise or not.
- Liminal is performing a detailed analysis of how the malicious payload was signed on their end. They are working to find the root cause and we await their final report. This will give us a better idea of how the fourth signer signed the malicious payload.
- This attack is only possible if there are 4 points of failure in the signing process.
- This cyber attack did not occur due to a phishing link.
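The points above say that signers of blind-signed ERC20 transactions can only trust what the web interface shows them, with a destination whitelist as a second control. The following is an added example (not WazirX's or Liminal's code) of an independent pre-signing check that decodes the raw transfer payload and compares it with the displayed values and the whitelist. It assumes the signer can obtain the raw calldata out of band; all addresses and function names are constructed for illustration.

```python
# Added example: independent check of a blind-signed ERC20 transfer payload.
# Addresses, amounts and helper names are constructed for illustration.

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC20 transfer(address,uint256)


def decode_erc20_transfer(calldata: bytes):
    """Return (recipient, amount); raise ValueError if not a plain transfer."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length")
    if calldata[:4] != TRANSFER_SELECTOR:
        raise ValueError("selector is not transfer(address,uint256)")
    addr_word, amount_word = calldata[4:36], calldata[36:68]
    if any(addr_word[:12]):  # an address occupies only the low 20 bytes
        raise ValueError("non-zero padding in address word")
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")


def check_before_signing(calldata, shown_recipient, shown_amount, whitelist):
    """Compare what the interface displayed with what the payload encodes."""
    try:
        recipient, amount = decode_erc20_transfer(calldata)
    except ValueError as exc:
        return [f"payload rejected: {exc}"]
    problems = []
    if recipient != shown_recipient.lower():
        problems.append("recipient differs from the one displayed")
    if amount != shown_amount:
        problems.append("amount differs from the one displayed")
    if recipient not in {a.lower() for a in whitelist}:
        problems.append("recipient is not whitelisted")
    return problems  # empty list: payload matches display and policy


def build_transfer(recipient: str, amount: int) -> bytes:
    """Encode a transfer payload (used here only to build sample input)."""
    return (TRANSFER_SELECTOR + bytes(12) + bytes.fromhex(recipient[2:])
            + amount.to_bytes(32, "big"))


# Constructed sample data
WHITELISTED = "0x" + "11" * 20
OTHER = "0x" + "22" * 20

if __name__ == "__main__":
    payload = build_transfer(OTHER, 500)
    print(check_before_signing(payload, WHITELISTED, 500, [WHITELISTED]))
```

A real Gnosis Safe signature covers more fields than the inner calldata, so a production check would have to decode the full transaction the wallet is asked to sign.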
We will update this blog daily with the latest information and developments. Your trust and security are our top priorities and we are working diligently to resolve this situation.
Thank you for your continued support and understanding.
Disclaimer: Cryptocurrency is not legal tender and is currently unregulated. Please ensure that you carry out a sufficient risk assessment when trading cryptocurrencies as they are often subject to high price volatility. The information presented in this section does not represent any investment advice or the official position of WazirX. WazirX reserves the right, at its sole discretion, to modify or amend this blog post at any time and for any reason without prior notice.