- WazirX suffers a massive hack, losing $230 million USD (2,000 crore INR).
- Attack methods point towards North Korean involvement.
- Malicious multisig upgrade enabled full wallet drain.
Meticulous Planning Leads to Massive Losses
In a significant blow to the cryptocurrency exchange WazirX, hackers successfully executed a massive attack, resulting in losses exceeding $230 million USD (2,000 crore INR). The attackers targeted the exchange’s multisig wallet, compromising its security through a well-planned and methodical approach. The exploit, which began with on-chain practice over eight days ago, culminated in today’s major breach.
The meticulous nature of the attack suggests the involvement of the notorious North Korean hacking group, DPRK. The hackers upgraded the existing multisig wallet to a malicious version, facilitating the complete drainage of the funds. This upgrade was a strategic move, as it allowed the hackers to bypass the time-consuming process of draining funds through multiple transactions.
How the Hack Unfolded
The intricacies of the attack reveal a combination of direct private key compromises and sophisticated signature phishing. It appears that the hackers initially compromised two out of four private keys directly. The remaining two keys were obtained through phishing, exploiting a vulnerability in the wallet’s UI or custody provider.
During the hack’s execution, the wallet attempted a USDT transfer. However, the transaction failed as the required signatures were for upgrading the wallet to a malicious contract rather than approving the transfer. The two compromised signers were tricked into signing what they believed to be a routine USDT transfer. Once these signatures were publicly submitted, the hackers used them alongside the other two compromised keys to upgrade the multisig wallet, effectively transferring all funds to their control.
Blockchain detective @ZachXBT provided crucial evidence linking the hack to a KYC-verified deposit address used by the attackers. This deposit address was funded through Tornado Cash, with transactions meticulously traced back to test transactions involving SHIB and ETH.
The attackers’ operational tactics and the precision of their methods strongly hint at the involvement of the Lazarus Group, a well-known North Korean cybercrime syndicate. Despite this, the exact attack paths and the custody of keys remain under investigation. The initial clues indicate a blend of compromised private keys and malware-infected devices accessing the remaining keys.
The trace provided by @ZachXBT ends at a Bitcoin funding source, highlighting the sophisticated obfuscation methods employed by the hackers. The analysis shows that the attack was carefully orchestrated, leveraging both on-chain and off-chain tactics to achieve the desired outcome.
As the WazirX team works to unravel the details of the attack, the crypto community watches closely. Transparency from WazirX regarding their findings will be crucial in understanding the full scope of the breach and preventing future incidents.
