
What hit the fan at WazirX

Shweta Patel
Cyber Heist at an Indian crypto exchange

WazirX, an Indian crypto exchange, got hit by one of the worst cyber heists ever on an Indian exchange; the funds lost exceeded $230 million. Typically, crypto heists would not entirely be in my wheelhouse, but financial fraud of that size always gets me curious. I've been poking around their blog and chatting up my hacker friend circuit for more deets. Sharing a layperson summary here.

The perps behind it

The attack is widely speculated to be the work of Lazarus, a nation-state hacker group (from North Korea, a sanctioned country) with a tendency for running crypto theft ops.

The Breach mechanics & Security Layers

As per the blog, the attack hit a single multisig wallet. The affected wallet was managed using Liminal’s digital asset custody and wallet infrastructure. The wallet had 6 signatories: 5 from WazirX (of which 3 had to approve) plus a final approval from Liminal’s signatory. As for security features, there was the multisig platform itself, Liminal’s whitelisting policy (funds could only go to earmarked, whitelisted addresses), and Ledger hardware wallets.

The cyber-attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the actual contents of the transaction that got signed. WazirX suspects the payload was replaced to transfer wallet control to an attacker.
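To make the "what you see is not what you sign" problem concrete, here is an added example (my own illustration, not code from WazirX, Liminal, or the blog) of the check a signer's side should run before approving: decode the exact bytes that will be signed and compare them to the signer's own intent, rather than trusting the interface summary. The JSON transaction format, the `set_owner` field, and the addresses are all constructed stand-ins for the real payload format.

```python
import hashlib
import json

# Constructed toy format standing in for the real multisig payload.
# "to" and "amount" are the only fields a legitimate transfer should carry;
# "set_owner" is a hypothetical field that would hand wallet control to
# another address, the kind of change the text says was smuggled in.
ALLOWED_FIELDS = {"to", "amount"}


def encode(tx: dict) -> bytes:
    """Serialize a transaction to the bytes a signing device would receive."""
    return json.dumps(tx, sort_keys=True).encode()


def payload_hash(raw: bytes) -> str:
    """Hash of the exact bytes to be signed. Note: a compromised interface can
    show the hash of the *tampered* payload, so a matching hash alone proves
    nothing about what the transaction actually does."""
    return hashlib.sha256(raw).hexdigest()


def check_before_signing(intent: dict, raw: bytes, whitelist: set) -> tuple[bool, str]:
    """Return (ok, reason). Decodes the bytes that will really be signed and
    compares them to what the signer intends, independent of the UI."""
    try:
        tx = json.loads(raw)
    except ValueError:
        return False, "payload is not decodable"
    # Any field the signer was never shown (e.g. an owner change) is a red flag.
    unexpected = set(tx) - ALLOWED_FIELDS
    if unexpected:
        return False, f"payload carries fields not shown to signer: {sorted(unexpected)}"
    # Every shown field must match what the signer meant to approve.
    for field in sorted(ALLOWED_FIELDS):
        if tx.get(field) != intent.get(field):
            return False, f"field '{field}' differs from signer intent"
    # Independently enforce the whitelist rather than trusting the platform to.
    if tx["to"] not in whitelist:
        return False, "destination not whitelisted"
    return True, "payload matches intent"


# Constructed sample inputs.
WHITELIST = {"0xWAZIRX_HOT_WALLET"}
INTENT = {"to": "0xWAZIRX_HOT_WALLET", "amount": 100}
HONEST = encode({"to": "0xWAZIRX_HOT_WALLET", "amount": 100})
TAMPERED = encode({"to": "0xWAZIRX_HOT_WALLET", "amount": 100, "set_owner": "0xATTACKER"})

if __name__ == "__main__":
    print(check_before_signing(INTENT, HONEST, WHITELIST))    # (True, ...)
    print(check_before_signing(INTENT, TAMPERED, WHITELIST))  # (False, ...)
```

The tampered payload still looks like a 100-unit transfer to the whitelisted address on the surface, which is why decoding and diffing the raw bytes, not eyeballing the summary, is the step that catches it.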

One cyber firm suspects anything from social engineering to phishing to malware. Liminal seems to suspect a MITM (man-in-the-middle) attack. My friend suspects that it might be a 51% attack (where a group of miners controls over 50% of a blockchain’s hashing power and can alter transactions). The jury’s still out on the root cause, I guess.

Recovery

While loss recovery is actively underway, WazirX announced a controversial plan to “socialize the losses” amongst all its customers.

Force Majeure Event

Another little detail on the blog says: “This is a force majeure event beyond our control.” A ‘force majeure’ event (an ‘Act of God’) is covered by a clause usually found in the terms of use of crypto exchanges, which most investors rarely read when signing up. Certainly not God, but it’s the devil that lies in the fine print here: if invoked, this clause potentially shuts the legal doors on customers claiming assets lost to such an event.

Bounty

Meanwhile, WazirX has proposed a bounty program of up to $23 million (10% of the lost funds) for funds recovered, to be “disbursed only after and subject to the successful receipt of the stolen amount.” I asked my nameless hacker friend if he was gonna take a shot at the bounty. He said, “I can neither confirm, nor deny.” I said, “That is exactly what I thought. Thanks for confirming ;)”

Would I invest in Cryptocurrency?

Crypto markets in India at this point are about as regulated as the street vendor peddling cheap fakes in Bandra’s Elco market. So, my answer to that question is exactly what I would say to him, “Nahi Chaiye, Boss!” (No thanks, bro).