en
Back to the list

A single malicious transaction led to $230M drained from WazirX

source-logo  protos.com 18 July 2024 10:26, UTC

Indian crypto exchange WazirX lost over $230 million worth of assets after addresses governing its multisig wallet were compromised.

Cyvers was the first to flag the outflows, identifying the compromise of WazirX’s Safe wallet by a Tornado Cash-funded attacker on the Ethereum network.

Read more: Hackers switching to centralized exchanges to fund crypto attacks

The alert was followed up by crypto sleuth ZachXBT, who shared the hacker’s primary address, later receiving a bounty for identifying a further funding source that came from an exchange with know-your-customer (KYC) procedures.

WazirX’s acknowledgment of the ‘security breach,’ posted approximately half an hour after the initial alert, states that to “ensure the safety of [customers’] assets, INR and crypto withdrawals will be temporarily paused.”

Safety in numbers?

The affected wallet is a Safe ‘multisig,’ a type of account that requires a specified threshold of authorized addresses in order to confirm transactions. This ostensibly makes multisigs more secure than a regular address controlled by a single private key.

However, in this case, a single malicious transaction was all that was needed to drain WazirX of $230 million worth of crypto assets.

The exploiter was able to pass the transaction either by compromising the authorized addresses directly or via the use of social engineering techniques on the signers.

After describing the incident as ‘Desi Mt. Gox,’ Polygon Network’s CISO, Mudit Gupta posted a full analysis of the hack to X (formerly Twitter). He notes that two addresses were likely compromised, with a further two signatures needed to hit the multisig’s threshold for approving transactions.

Read more: Mt. Gox site down for 24 hours, creditors flag scam login emails

Gupta highlights that “two signers were tricked into signing malicious transaction (sic) in the name of a normal USDT transfer.”

These two signatures were later used to modify the logic of the Safe multisig wallet, allowing the hacker’s own attack contract (deployed eight days ago) to automate token transfers, which sent the assets directly to the attacker’s address.

Laundering the loot

At the time of writing, the hacker’s primary address contains $136 million of ETH and other tokens, according to data from blockchain explorer Etherscan.

Much of the stolen assets are gradually being moved on to additional addresses, where they are swapped for ETH. Some funds were also traced to exchanges ChangeNOW and Binance, according to Beosin, which tallied over 200 tokens that had been drained.

SHIB represented almost $100 million of the total loss. Around a third of this has been sold, resulting in a price drop of almost 10%, according to data from CoinMarketCap

Based on the attack vector and funding/laundering patterns, Gupta, ZachXBT, and blockchain forensics firm Elliptic all suspect the hack was carried out by a team of North Korean hackers known as the Lazarus Group.

Read more: Axie co-founder hacked for $10M two years after $625M Ronin attack

Lazarus is suspected to be responsible for a seemingly endless stream of crypto hacks, including last year’s $41 million hack on crypto casino Stake and the $625 million hack of Axie’s Ronin Bridge in 2022.

protos.com