Friday, August 2, 2024

‘Flimsy, contradictory & nonsense’ — why WazirX’s post-hack actions have raised calls for regulation

Crypto exchange WazirX’s $235 million hack could have happened either via ‘social engineering’ or phishing. Either way, the cost should be borne by it, not users, market analysts say.


New Delhi: The hack resulting in a loss of $235 million worth of cryptocurrencies at WazirX and the exchange’s subsequent responses are “flimsy and contradictory”, and bring to the fore the need for regulation of the sector in India, say market participants and analysts.

They say that the manner in which WazirX has been handling the issue will make it difficult for the industry to convince the government to confer self-regulatory status to it, since the attempt of the company “isn’t community first” and seeks to protect the company at the expense of its customers.

Finally, crypto specialists and lawyers say that WazirX’s solution to “socialise” the losses incurred by distributing crypto funds among its customers — a solution it had mooted, but later said was not final — will open the company up to lawsuits and potential violations of the Reserve Bank of India’s capital account rules.

On 18 July, WazirX, one of India’s largest cryptocurrency exchanges, informed its users that a “cyber attack occurred in one of our multisig wallets involving a loss of funds exceeding $230 million”. This amount, the exchange said, worked out to 45 percent of its assets. The exchange suspended trading activity following the attack, filed a police complaint in Mumbai and reported the incident to the Indian Computer Emergency Response Team (CERT-In).

So far, it has been able to recover only a “small percentage” of the stolen cryptocurrencies, the company informed ThePrint.

Even as WazirX’s subsequent handling of the crisis has drawn widespread criticism, new information has come to light about the potential involvement of North Korea-backed hackers ‘Lazarus Group’.

Force majeure, ‘loss socialisation’ & backtracking

On 21 July, the company said that the attack was “a force majeure event beyond our control”. A week later, on 27 July, it said that it was implementing “a fair and transparent socialised loss strategy to distribute the impact across all users equitably”.

Basically, it meant that it would take crypto assets from users who did not face a loss due to the attack and distribute them among users who did. Regarding this, it also released a poll to its users, asking them to choose one of two methods by which this loss socialisation could take place.

The manner in which WazirX has responded to the attack has been met with strong criticism from users, other industry participants and industry analysts. They say that the exchange, instead of taking responsibility for the loss and bearing the financial cost, is indulging in blame games with its business partners, transferring the financial burden to users, and in the process, harming the entire industry.

Following the criticism, WazirX on 29 July clarified that its loss socialisation plan was not legally binding, and that the poll was “a preliminary step” to understand the opinions of the users.

“We are considering approaches based on successful use cases, where exchanges have been able to retrieve stolen funds and compensate users,” WazirX said, in response to ThePrint’s queries via email. “We will consider the best approach based on the community consensus. Our priority remains to ensure that we are able to help the affected users.”

WazirX should provide ‘transparent, user-centric solutions’

Taking to LinkedIn following the attack and WazirX’s responses, Edul Patel of Mudrex, a prominent cryptocurrency exchange in India, said that the potential solutions offered by WazirX “ultimately favoured the platform over the users”.

“These options lacked a clear plan of action and did not specify how the platform would take responsibility for returning users’ money,” he wrote. “As a fiduciary entity, WazirX should take this responsibility seriously and provide transparent and user-centric solutions.”

He added that the WazirX team’s communication lacked ownership and responsibility for the loss, and that the company was “effectively socialising the losses while privatising the profits”.

Similarly, Sumit Gupta, co-founder of CoinDCX, another prominent crypto exchange in India, said that the first contribution to making up losses “should always come from the company (i.e. WazirX in this case) and the treasury and assets the company holds”.

“I have not seen any such commitment around this from the company side, instead making customers directly absorb the 45 percent losses is utter nonsense,” he wrote on X. “The poll options are also framed in a manner to protect the business first and not the customers.”

“Hate to be saying this, but the way WazirX is handling this entire situation isn’t community first and this IMO (in my opinion) won’t go down well for them,” Gupta posted. “This sadly is also hurting the other ecosystem participants.”

When asked about these comments, WazirX noted that the respective founders had concerns over the exchange not using its own resources to support the loss of assets.

“However, a majority of our funds are tied up, which makes it difficult for us to take that route,” the company informed ThePrint. “As a result, we are unable to access or redistribute these funds to users. This is why we suggest the strategy of socialising losses. Our goal is to provide users with access to the remaining funds on the exchange, aligning with our user-first approach.”

Akash Karmakar, a cybersecurity specialist, fintech lawyer and a partner with Law Offices of Panag & Babu, noted that WazirX hasn’t so far conducted a root cause analysis, which, he said, was a basic requirement of incident management.

“They should get an external audit done of their systems to ascertain root cause before claiming force majeure to fob off liability,” he told ThePrint.

“They are saying the hack was not preventable and beyond their control. This is a flimsy and self-contradictory argument because they’ve not established the root cause, and have not been able to recover assets, and have rushed to the only label that would help them shed liability,” Karmakar added.

The beginning of blame games

WazirX said that the attack took place in one of its multi-signature (multisig) wallets. Such wallets need multiple different authenticators to authorise transactions before they can be completed.

In the affected wallet, WazirX said that there were six authenticators — five of which were with it, and one with Liminal, a digital asset custody and wallet infrastructure service provider. A transaction in this wallet needed approval from three of the WazirX signatories, followed by final approval from Liminal’s signatory.

On 18 July itself — the day the attack was made public — Liminal took to X to say that it could “confirm that Liminal’s platform is not breached and Liminal’s infrastructure, wallets and assets continue to remain safe”, adding that the breached wallet was “created outside of the Liminal ecosystem”.

This effectively placed the blame on WazirX’s infrastructure, something the exchange soon denied.

In a 25 July post, WazirX effectively laid the blame for the breach on Liminal’s infrastructure. It said that, following an investigation, it had come up with two likely scenarios of how the breach happened.

In the first one, “all three WazirX signers received malicious transactions directly from Liminal due to a potential breach of the Liminal infrastructure”. In the second scenario, all three WazirX signers would have been compromised by malware on three devices “by some means by the attackers”.

“Given our preliminary analysis showing no evidence of tampering or malicious malware on our systems, we currently believe Scenario 1 is the more likely cause of this attack,” WazirX said. Liminal, meanwhile, has maintained that its systems have not been compromised.
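To make the approval rule described above concrete, here is a constructed Python model (added here; not code from WazirX or Liminal, whose systems are not public) of a 3-of-5-then-custodian policy: the threshold only counts approvals, so it protects funds only if each approver independently verifies the payload it signs rather than the summary it is shown. All signer names, destinations and amounts are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

# Destinations the operators approved out of band (constructed sample values).
ALLOWLIST = {"cold-vault-A", "cold-vault-B"}

@dataclass(frozen=True)
class Proposal:
    display_to: str   # destination the signing UI shows the operator
    payload_to: str   # destination actually encoded in the bytes being signed
    amount: int

Check = Callable[[Proposal], bool]

def display_only(p: Proposal) -> bool:
    """Signer who trusts the UI summary and never decodes the payload."""
    return p.display_to in ALLOWLIST

def verify_payload(p: Proposal) -> bool:
    """Signer who decodes the payload and checks it against the allowlist."""
    return p.payload_to in ALLOWLIST and p.payload_to == p.display_to

def compromised(p: Proposal) -> bool:
    """Signer whose device is under attacker control: approves anything (scenario 2)."""
    return True

def run_policy(p: Proposal, operators: List[Check], custodian: Check, threshold: int = 3) -> bool:
    """Model of the page's policy: at least `threshold` operator approvals, then the custodian's."""
    if sum(1 for c in operators if c(p)) < threshold:
        return False
    return custodian(p)

# Constructed proposals: a legitimate sweep, and one whose signed payload differs from what is shown.
GOOD = Proposal("cold-vault-A", "cold-vault-A", 100)
SUBSTITUTED = Proposal("cold-vault-A", "attacker-controlled", 100)

def demo() -> dict:
    ops_blind = [display_only] * 5
    ops_verify = [verify_payload] * 5
    ops_owned = [compromised] * 3 + [verify_payload] * 2
    return {
        "good_passes": run_policy(GOOD, ops_verify, verify_payload),
        # Scenario 1 as described: every signer approves what the pipeline delivered.
        "substituted_passes_blind": run_policy(SUBSTITUTED, ops_blind, display_only),
        # Same proposal, but each signer checks the real payload against the allowlist.
        "substituted_blocked_verify": run_policy(SUBSTITUTED, ops_verify, verify_payload),
        # Scenario 2: three operator devices compromised; the custodian's independent check still blocks.
        "owned_blocked_by_custodian": run_policy(SUBSTITUTED, ops_owned, verify_payload),
        # Same compromise, but a custodian that only trusts the summary lets it through.
        "owned_passes_blind_custodian": run_policy(SUBSTITUTED, ops_owned, display_only),
    }
```

The model shows why the two scenarios in the text end the same way: whichever side was compromised, the approval count reached the threshold because no approver checked the signed payload against an independent reference.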

This back-and-forth quickly drew criticism from users and competitors.

“The way WazirX and Liminal shared their forensic reports shows there is a complete lack of cooperation between the two,” Patel, Mudrex’s co-founder and CEO, wrote in his LinkedIn post. “This situation left users divided, confused, and unsure whom to trust among the platforms.”

Social engineering, tricks and phishing

“The incident serves as a stark reminder of the vulnerabilities that can plague even the most sophisticated security systems of crypto exchanges,” Subrahmanyam Oruganti, partner in EY India’s financial services risk management division, noted.

According to CYFIRMA, an external threat landscape management platform, the attack was carried out by the Lazarus Group, and this “state-sponsored attack is linked to North Korea’s Reconnaissance General Bureau (RGB), a primary intelligence service”. It added that Lazarus typically attacks crypto exchanges worldwide.

The attack, according to both CYFIRMA and Karmakar, could have taken place in several ways. One could have been through ‘social engineering’, where the authenticators of the transactions were tricked into revealing sensitive information or performing actions that compromised the exchange’s security.

The other method could have been for WazirX’s systems to have been compromised through phishing attacks, with infection through malware, or by exploiting weaknesses in the software.

“This brings to the fore the question of how secure the whole system is, which would typically be assessed with a vulnerability audit to assess what, if any, vulnerability was exploited to cause the breach,” Karmakar said.

The need for regulation

Apart from criticising WazirX, industry participants and analysts also said the incident makes clear the need for regulation in the industry, something the Indian government has shied away from doing.

“This is not happening for the first time, and it won’t be the last,” Patel told ThePrint. “Attempts to hack exchanges in crypto have been happening for quite some time.”

“With regulations, what becomes possible is that, when an event like what happened with WazirX takes place, there is a clear pathway for investors to get their wealth back,” he explained. “Otherwise they are dependent on the platform and the platform can choose to do whatever it wants.”

According to Patel, the Indian crypto industry is about $2-3 billion in size, with existing domestic compliance and tax requirements forcing the bulk of the users to conduct their crypto trading on international platforms. He estimates the international crypto activity by Indian users would be “3-5 times larger” than that in India.

“I genuinely feel bringing regulations in will help users bring that money back to India,” he added.

Crossroads for WazirX

According to Karmakar, WazirX has been arguing for the crypto industry in India to be self-regulated rather than have a government regulator. Several senior officials from WazirX have spoken publicly about this in the past.

Following the hack, he said, WazirX is faced with a choice, and its actions will dictate whether the government looks favourably at self-regulation or not.

“This is the cross-roads it finds itself at, where, in one direction, it can show that it is a responsible organisation and can self-regulate, and in the other, where it plans to do something like this (loss socialisation) and destroys any hope of self-regulation and autonomy to be granted by Indian regulators,” Karmakar explained.

What such regulation should look like

But, if the government chooses to regulate the industry, what should such regulation look like? Oruganti of EY India has some answers.

“Regulators should consider introducing more compliance requirements for crypto exchanges, including mandatory security audits and regular penetration testing by certified external auditors,” he told ThePrint.

He also said that an official regulator should mandate a certain ratio of user funds to be held in “cold storage” (offline wallets), thereby increasing security against online attacks.

Thirdly, he suggested that regulators must mandate that exchanges establish compensation funds to protect users’ assets against security incidents.

Finally, regulators must require exchanges to use advanced artificial intelligence and machine learning techniques for real-time threat detection and prevention, he said.

The government, too, appears to be at a crossroads here, with the Ministry of Finance reportedly looking to release a discussion paper on crypto regulations in September. This paper will reveal whether it will choose to regulate the sector, leave it to its own devices as it has so far done, or grant it self-regulatory status.

Potential legal hurdles for WazirX

WazirX, in its response to ThePrint, said that it had looked at some cases from the past to take cues on how to recover assets and get its platform back up and running.

“Mt. Gox (hacked in 2014) went through a tedious legal procedure and started repayments only after 10 long years after the platform was affected, Bitfinex (hacked in 2016) did it within a year from the incident by socialising the losses,” the company explained.

“This got us thinking that we could adopt the socialising of losses strategy to minimise impact on users and enable them to get their funds faster, without any legal hurdles,” it added.

According to Karmakar, WazirX risks opening itself up to legal hurdles even if it does go ahead, because if the terms and conditions include a provision for such unilateral transfers, that would likely be viewed as a one-sided contract.

“Indian courts have time and again ruled against such agreements that offer no meaningful choice to consumers,” he explained. “And if WazirX retrospectively includes such a provision, then that would also be open to a challenge, owing to how the terms have been unilaterally amended without notice to allow WazirX to access its users’ funds.”

He added that if WazirX’s accounts were stored abroad, then the loss socialisation process would constitute a capital account transaction, which, conceptually, would require approval from the Reserve Bank of India before being completed.

“And you can bet that the central bank will never approve such a move,” he emphasised.

(Edited by Mannat Chugh)

This report has been updated to incorporate WazirX’s response to ThePrint’s queries.