By Ronaldo Marquez 19 July 2024 | 1:18 am

WazirX Exchange Releases Post-Mortem Report: Was North Korea Behind The $235M Exploit?

Indian-based cryptocurrency exchange WazirX recently fell victim to a significant security breach, resulting in the unauthorized transfer of over $230 million of assets. The incident led to the temporary suspension of withdrawals as the exchange worked to investigate and mitigate the breach. 

In a subsequent report released by WazirX, preliminary findings shed light on the causes of the exploit. At the same time, blockchain analytics firm Elliptic suggested the potential involvement of North Korea in this sophisticated attack.

WazirX Multisig Wallet Breach

WazirX disclosed that the cyber attack targeted one of their multisig wallets, which utilized the services of Liminal’s digital asset custody and wallet infrastructure since February 2023. 

The wallet allegedly had a configuration involving six signatories, including five from the WazirX team and one from Liminal, who were responsible for transaction verifications. 

Three WazirX signatories, who employed Ledger Hardware Wallets for added security, were required to approve a transaction, followed by the final approval from Liminal’s signatory. 

Additionally, a whitelisting policy was in place to “enhance security,” allowing transactions solely to predefined addresses facilitated by Liminal.

The exchange further disclosed that the breach originated from a “discrepancy” between the data displayed on Liminal’s interface and the actual contents of the transaction. 

During the attack, the exchange notes a “mismatch” between the information displayed on Liminal’s interface and what was signed. It is suspected that the payload was manipulated to transfer wallet control to the attacker, enabling them to exploit the vulnerability.

North Korean Affiliation In $235M Breach?

WazirX emphasized its implementation of “robust” security measures, including the Gnosis Safe multi-sig smart contract platform and Liminal’s whitelisting policy. Despite these precautions, the cyber attackers managed to breach the security features and execute the theft. 

Looking ahead, the exchange expressed its commitment to protecting customer assets and acknowledged the need for further investigation and reinforcement of security protocols. The exchange concluded by stating the following:

This is a force majeure event beyond our control, but we are leaving no stone unturned to locate and recover the funds. We have already blocked a few deposits and reached out to concerned wallets for recovery. We are in touch with the best resources to help us in this endeavor. While these are our findings from our preliminary investigation, we will keep you posted with further updates. Together with your support, we shall overcome this challenge and emerge stronger and more resilient than ever.

Blockchain analytics firm Elliptic, on the other hand, conducted an independent analysis of the exploit and indicated a potential connection to North Korea. 

According to Elliptic’s findings, approximately $235 million in various crypto assets were lost in the breach, including Shiba Inu (SHIB), Ethereum (ETH), Polygon (MATIC), and Pepe. 

The thief has reportedly converted some of these tokens into Ether using decentralized services, a common step in the laundering process. On-chain analysis and additional information reviewed by Elliptic suggest the alleged involvement of hackers affiliated with North Korea.

WazirX

Featured image from DALL-E, chart from TradingView.com