Hack·ongoing

WazirX Multi-Sig Hack — July 2024

India's largest cryptocurrency exchange lost approximately $235M from a multi-sig wallet compromise attributed to North Korea's Lazarus Group. Singapore restructuring proceedings remain open.

WazirX was founded in 2017 in India and grew to become the country's largest cryptocurrency exchange by trading volume. It had approximately 4.4 million users at the time of the incident. Multi-signature wallet operations were managed through Liminal Custody, a third-party provider, requiring four of five executive signatures to authorise outbound transfers.

On 18 July 2024, attackers initiated a single transaction transferring approximately $235M of SHIB, ETH, MATIC, PEPE, USDT and other assets out of one WazirX multi-sig wallet. Investigation by Liminal and external forensic firms established that the attackers had compromised the Liminal signing user interface in a way that displayed a benign transaction payload to signers while submitting a payload that delegated control of the wallet to an attacker-controlled address.
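The failure described above is a gap between the payload shown to signers and the payload actually submitted. As an added illustration (not code from WazirX, Liminal or the investigators), the check below decodes the raw transaction and compares it with the displayed intent; it assumes the intended operation is a plain ERC-20 transfer, and every address, name and payload in it is constructed.

```python
# Added example: all addresses, names and payloads below are constructed.
from dataclasses import dataclass

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

@dataclass(frozen=True)
class DisplayedIntent:
    """What the signing UI showed the approver (hypothetical structure)."""
    token: str      # token contract the UI says is being called
    recipient: str  # address the UI says receives the funds
    amount: int     # amount in the token's smallest unit

def _norm(addr: str) -> str:
    return addr.lower().removeprefix("0x")

def encode_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(recipient, amount) calldata."""
    return (ERC20_TRANSFER + bytes(12) + bytes.fromhex(_norm(recipient))
            + amount.to_bytes(32, "big"))

def check_payload(intent: DisplayedIntent, to: str, value: int, calldata: bytes) -> list:
    """Return mismatches between display and raw payload; [] means they agree."""
    problems = []
    if _norm(to) != _norm(intent.token):
        problems.append("call target is not the displayed token contract")
    if value != 0:
        problems.append("unexpected native-asset value attached")
    if len(calldata) != 68 or calldata[:4] != ERC20_TRANSFER:
        # Anything other than a plain transfer must never pass as one.
        problems.append("calldata is not transfer(address,uint256)")
        return problems
    if any(calldata[4:16]):
        problems.append("recipient word has non-zero padding")
    if calldata[16:36].hex() != _norm(intent.recipient):
        problems.append("recipient differs from display")
    if int.from_bytes(calldata[36:68], "big") != intent.amount:
        problems.append("amount differs from display")
    return problems

TOKEN, RECIPIENT, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
INTENT = DisplayedIntent(token=TOKEN, recipient=RECIPIENT, amount=1_000)
# Constructed non-transfer call: made-up selector plus one address argument.
SWAPPED = bytes.fromhex("deadbeef") + bytes(12) + bytes.fromhex("33" * 20)

if __name__ == "__main__":
    print(check_payload(INTENT, TOKEN, 0, encode_transfer(RECIPIENT, 1_000)))
    print(check_payload(INTENT, OTHER, 0, SWAPPED))
```

A check like this only helps when it runs on a device and code path independent of the signing interface, since a compromised interface can misreport its own comparison.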

WazirX suspended withdrawals the same day and announced losses would be socialised across the entire customer base at approximately a 45% haircut. Public response was severe; users challenged the legal basis for the socialisation. In August 2024 WazirX's holding entity Zettai filed for a restructuring scheme in Singapore. Proceedings remained open at the time of writing.

In November 2024 the Federal Bureau of Investigation attributed the attack to North Korea's Lazarus Group, citing tooling consistent with that used in the DMM Bitcoin attack and other contemporary exploits.

Timeline

  1. $235M drained in a single transaction

    Multi-sig wallet on Ethereum drained of SHIB, ETH, MATIC, PEPE, USDT and other assets.

  2. WazirX suspends withdrawals

    Announces socialisation of losses across all customers at ~45% haircut.

  3. Singapore restructuring scheme filed

    Parent entity Zettai files for protection in Singapore courts.

  4. FBI attributes attack to Lazarus Group

    Tooling consistent with DMM Bitcoin attack five months earlier.
