WazirX, an Indian cryptocurrency exchange, experienced a significant cyberattack resulting in the loss of over $230 million from a multisig wallet. The attack targeted one of WazirX’s multisig wallets, which had been using Liminal’s digital asset custody and wallet infrastructure since February 2023. The wallet had six signatories, one from Liminal and five from WazirX, so that transactions were secured through multiple approvals.
The breach occurred because the data displayed on Liminal’s interface differed from the actual contents of the transaction. The hacker was able to replace the payload during the attack, gaining control of the multisig wallet and stealing the funds held within it. The wallet was protected by security measures such as the Gnosis Safe multisig smart contract platform and a whitelisting policy, but the attack was able to get past these defenses.
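A signer-side check for the mismatch described above, as an added example that is not from WazirX, Liminal or the original article: before approving, decode the raw payload independently of the interface and compare it with what the interface displays and with the whitelist. It assumes the transaction is a plain ERC-20 `transfer`; the addresses, field names and function names are constructed for illustration.

```python
# Added example (not from the article). Addresses and field names are constructed.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)
TOKEN, ALICE, OTHER = ("0x" + b * 20 for b in ("11", "22", "33"))  # constructed


def make_transfer(recipient: str, amount: int) -> str:
    """Build ERC-20 transfer calldata (used here only to create sample input)."""
    return ("0x" + TRANSFER_SELECTOR.hex() + "00" * 12 + recipient[2:]
            + amount.to_bytes(32, "big").hex())


def decode_erc20_transfer(data_hex: str):
    """Return (recipient, amount) from raw calldata; raise ValueError otherwise."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) != 68 or raw[:4] != TRANSFER_SELECTOR:
        raise ValueError("not a plain ERC-20 transfer call")
    if any(raw[4:16]):  # an address occupies the low 20 bytes of its 32-byte word
        raise ValueError("non-zero padding in address word")
    return "0x" + raw[16:36].hex(), int.from_bytes(raw[36:68], "big")


def check_before_signing(displayed, raw_tx, token_whitelist, recipient_whitelist):
    """Compare the UI summary with the payload being signed; [] means they agree."""
    problems = []
    if raw_tx["to"].lower() not in token_whitelist:
        problems.append("target contract is not whitelisted")
    try:
        recipient, amount = decode_erc20_transfer(raw_tx["data"])
    except ValueError as exc:
        # Refuse anything that cannot be decoded independently of the UI.
        return problems + [f"payload rejected: {exc}"]
    if recipient != displayed["recipient"].lower():
        problems.append("recipient in payload differs from displayed recipient")
    if amount != displayed["amount"]:
        problems.append("amount in payload differs from displayed amount")
    if recipient not in recipient_whitelist:
        problems.append("recipient in payload is not whitelisted")
    return problems


if __name__ == "__main__":
    shown = {"recipient": ALICE, "amount": 500}
    for label, tx in [("matching", {"to": TOKEN, "data": make_transfer(ALICE, 500)}),
                      ("replaced", {"to": TOKEN, "data": make_transfer(OTHER, 500)})]:
        print(label, check_before_signing(shown, tx, {TOKEN}, {ALICE}))
```

The check is only useful when it runs on a device and code path separate from the interface whose display it is verifying.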
Liminal Custody confirmed that its platform was not breached and that its assets, wallets, and infrastructure remained safe. However, the incident highlighted the regulatory hurdles faced by the crypto industry in India. Joanna Cheng, associate general counsel at Fireblocks, noted the absence of specific guidelines for security measures, risk management, and consumer protection. Indian Prime Minister Narendra Modi called for a global crypto framework at the G20 Summit in August 2023, emphasizing the need for comprehensive global regulation.
In response to the attack, WazirX assured its stakeholders that efforts were underway to recover the stolen assets. The company described the incident as a “force majeure event” and explained that despite taking all necessary steps to protect customer assets, the theft still occurred. WazirX invoked a force majeure clause, which excuses a party from fulfilling contractual obligations due to unforeseen events. The exchange is currently collaborating with cybersecurity teams to locate and retrieve the funds, and updates will be provided to the community.
According to Asia Express, the WazirX hackers had prepared for eight days before the attack, using fraudulent means to convert fiat into USDT.