WazirX hacker launders over $64m, insider involvement suspected

WazirX abuser laundered more than $64 million through Tornado Cash as allegations of insider involvement emerged.

According to PeckShieldAlert, the WazirX hacker moved 5,000 ETH (about $11.8 million) to a new address on September 13 and then laundered the stolen money through cryptocurrency mixer Tornado Cash, attempting to cover up the tracks.

With the latest transaction, the attacker has laundered approximately 27,600 ETH worth around $64.97 million in recent weeks.

As the attacker moved the money, allegations emerged that an insider may have been involved in the $230 million data breach that led to the collapse of what was once India’s largest cryptocurrency exchange.

What are the allegations?

Citing unnamed sources and data from the First Information Report submitted to the Delhi Police, an X account called Justice For WazirX Users stated that there was some unusual activity on the exchange before the attack.

The attacker allegedly opened a WazirX account using fake KYC information and deposited cryptocurrency that was traded in exchange for GALA tokens.

On July 18, the same day the breach occurred, the hacker began withdrawing GALA tokens, which resulted in WazirX’s hot wallet being depleted. This forced the exchange to replenish the hot wallet by transferring additional GALA tokens from cold storage managed by its former custodian, Liminal.

During this process, the attacker allegedly injected malicious code, causing the transfer of tokens from cold storage to hot storage to fail. As subsequent attempts were made by cold storage signatories to move the funds, the attacker was able to steal credentials during the process.

Having obtained the necessary signatures, the attacker allegedly used the WazirX team’s login session to initiate a final transaction on Liminal’s platform that updated the WazirX cold wallet contract, which ultimately led to the breach.

“After these 3 signatures were forwarded to Liminal, the final 4th signature was made, allowing the contract to be upgraded,” JfWU added.

An analysis by Crystal Intelligence confirmed that key personnel laptops used to sign off on transactions had not been compromised. A separate audit of Liminal’s system by Grant Thornton also found no evidence of a custody breach, adding further confusion.

JfWU argued that the cold wallet’s smart contract would be difficult to change without the cooperation of an insider, raising suspicions of insider interference.

The allegations are yet to be confirmed, but both JfWU and several WazirX customers are demanding the Central Bureau of Investigation and Enforcement Directorate to conduct a thorough investigation into the case.

WazirX’s restructuring attempt faces setbacks

Amidst all this chaos, the restructuring process of WazirX, which was announced on August 28, is facing hurdles as the exchange is seeking customer support to file for a moratorium under Singapore bankruptcy laws to get approval from the Singapore court.

However, the process hit a snag as users initially expressed disappointment over a survey that only offered a “Yes” option to support the app. On September 12, following backlash, WazirX management expanded the survey to include “No” and “No Position” options, allowing users to voice their opposition or remain neutral on the issue.

A September 10 affidavit obtained by Crypto.news showed that only 441 of WazirX’s 4.4 million users supported the proposal. A later affidavit confirmed that the hearing on the moratorium application will be held on September 25, 2024, at the High Court of Singapore.