WazirX co-founder Nischal Shetty told CoinDesk the exchange has asked other exchanges for help after it suffered a $230 million hack – worth nearly 45% of customer funds – earlier this month, without naming any entities.
Shetty said he could not disclose how much INR (Indian rupees) WazirX held on its books because that could "open up a new attack vector for someone right now."
Indian cryptocurrency exchange WazirX’s co-founder Nischal Shetty told CoinDesk that outreach efforts to different exchanges "are going to be crucial," as it remains open to "everything that is possible to help solve this situation."
WazirX is effectively closed after the exchange stopped trading and withdrawals after the hack on July 18.
Shetty said his exchange would learn from past hacks in one of his first interviews since WazirX lost $230 million earlier this month, saying he hoped other industry players would step in to help relieve his customers' losses.
In the past few days, Shetty’s WazirX faced industry and customer heat for a user survey on the next steps, which it clarified was not legally binding, an on-going blame-game with custody provider Liminal over whose system was breached, and the tough question of when the exchange would open to trading again.
On several questions, Shetty declined to comment citing legal, confidentiality or ongoing investigation obligations.
Opinion Poll
Customers and industry colleagues, including at least three co-founders of rival cryptocurrency exchanges, criticized WazirX’s "Withdrawal Management Programme: Opinion Poll," which the exchange revealed over the weekend.
The opinion poll by WazirX gave customers two choices – access 55% of their funds without withdrawals and get first priority for when potential recovery funds come through or access 55% of their funds with withdrawals with second priority to potential recovery proceeds.
Given the $230 million hacked amount was 45% of the customer funds, the company is only able to give access to the remaining 55% of funds to its customers. If customers choose option A they will get access to trade 55% of their funds but won’t be able to withdraw and will get first priority on recovered funds over those customers whose funds were not among the stolen funds.
Option B gives customers the choice to get access to 55% of their funds with withdrawals but if funds were recovered they would be second in line to get those funds behind customers whose funds were not stolen.
Shetty said the exchange is seeking community consensus and that "no unilateral decision" would be taken regarding its proposals. Shetty insisted that the poll was just to gather customer feedback and not to make any decisions. "That's why it's called a poll … we can't have a poll and then say this is decided," he said, adding that the company was not going to move forward with its recovery plan without proper consent.
"This is a narrative being spread across to scare people," Shetty said. "We are fighting so many things. We thought we'll put this out for our customers. Unfortunately, it's been twisted. From the first instance, we said it was not legally binding."
The opinion poll did have a disclaimer that the survey was not legally binding.
The $230 million in stolen funds, accounted for nearly 45% of WazirX’s user funds. "We've always had one is to one banking, meaning if we have to open we'll have to make sure it is only with the assets that are collateral," Shetty said.
The July 27 poll was described by the exchange as a "socialized loss strategy to distribute the impact equitably among all users."
"We will have to rally on the community to decide the way forward," Shetty said. "We are only trying to give more options to the community but we need some time. We are trying to see what other ways we can fill the hole faster."
Steps WazirX is taking
Shetty said the exchange can only learn from previous hacks and there can only be two outcomes. The poll was one step to determine what direction should be taken because one way is to take this the judicial proceeding way which "takes years and years" but the second is to resume operations with what you have and then fill it up later," he said. That way there might be a short-term effect, but in the long term, "we can resolve this." Shetty doubled down on his claim that the exchange will not take any steps without community consensus.
The co-founder said, "we are trying everything and anything that helps with the recovery of the stolen funds. We launched a bounty program too."
WazirX is running two parallel phases – immediate revival, which helps unlock what is collateralized to the customers, and finding ways to fill the gap, he said.
The outreach to other exchanges and projects requires WazirX to keep engaging and some percentage of those entities have responded, he said.
"The outreach to different exchanges is going to be crucial. If we get something positive, someone who steps in to help the customers. And it can be in many ways," he said. "For example, we reached out to all 200 project teams because they also have these emergency funds. They'll have some way to maybe crowdsource some of these gaps. This is a large gap to fill in a few weeks. But it may be faster with lesser impact if we can figure out how to fill 10%, 20% or 40% of that gap."
"The timeline [for when to make a decision] is what we are trying to come up with," Shetty said.
Shetty also said that several different Indian and international authorities had been reaching out for help but refused to divulge names. WazirX has already filed a police complaint in Mumbai and reported the incident to the Indian Computer Emergency Response Team (CERT-In).
India’s CERT asked WazirX some "pointed questions," Shetty said. He added he believes that's a sign the entity is investigating the hack. A person familiar with the matter, but unauthorized to speak, said the Federal Bureau of Investigation (FBI) was also in touch with the exchange.
"FBI usually gets after any such situation because it doesn't want funds to get to North Korea," the person said. The FBI has issued statements about similar incidents in the past involving North Korea.
Shetty refused to comment on a report which said India's Enforcement Directorate (ED) put nearly $1.1 million in seized crypto assets in a wallet with WazirX in January, months before the July hack.
Binance and WazirX
WazirX declined to comment on whether a takeover by any other company could be included in the options on the table seeking help.
"We have reached out to several partners and several exchanges for help," Shetty said. Asked if Binance was among those exchanges, Shetty said "We are bound by confidentiality."
Binance and Zanmai Labs, the Singapore-based parent of WazirX, have been embroiled in a public spat around the ownership of the Indian exchange since 2022. The internal dispute became public in August 2022 when Binance CEO Changpeng Zhao tweeted Binance didn't control WazirX, resulting in WazirX co-founder Nischal Shetty hitting back later.
Since then, the entities have been involved in "private discussions" to work out their ownership issue.
Asked if those talks had been impacted by the hack, Shetty said "I'm not legally allowed to speak about it because of our ongoing dispute (with Binance)."
A person familiar with the matter said a takeover by Binance or any other entity cannot be ruled out in the interest of salvaging the situation and helping customers, conditional on legal requirements.
A Binance spokesperson did not directly respond to CoinDesk’s question about whether Binance was considering buying WazirX out or taking over, but said "We have been in communication with the WazirX team since July 18 to support their incident response efforts."
INR
Shetty said he could not disclose how much INR (Indian rupees) WazirX held on its books because that could "open up a new attack vector for someone right now."
He also cited a lack of regulatory clarity as the reason why WazirX currently does not allow crypto withdrawals.
"Right now if one person deposits even 10,000 rupees ($120) and then they withdraw that crypto but then after one or two months someone takes a claim to that 10,000 saying this was fraudulently taken from my account by that other person then what happens? Our entire bank account gets frozen. So this is more of a challenge from a regulatory clarity point of view, and a banking thing."
Read More: WazirX Surveys Users on Recovery Options After $230M Hack, Leaves Customers and Industry Players Fuming