On 18 July, hackers siphoned about half of WazirX’s $500 million reserves from one of its multisig crypto wallets, following which the company filed a police complaint and reported the incident to the Financial Intelligence Unit (FIU) and the Indian Computer Emergency Response Team (CERT-In), besides reaching out to over 500 exchanges to block the identified addresseses.
Multisig crypto wallets require two or more private keys to authorise transactions, ensuring an extra layer of security ,but hackers bypassed this system.
WazirX alleged that the affected wallet was managed using Liminal’s digital asset custody and wallet infrastructure. Liminal contested the claim and shifted the blame back to WazirX.
It countered that its forensic reports and investigations revealed that “the genesis of this hack stems from three compromised devices at WazirX’s end” and that “…once the malicious smart contract was deployed,” all fund withdrawal transactions were made from outside of Liminal’s infrastructure.
WazirX’s $23 million bounty, or 10% of the stolen money, makes it one of the largest bounties offered in the crypto industry. According to Nischal Shetty, founder of WazirX, the company’s “foremost goal” is to recover the stolen funds, which explains the bounty programme that will be active for three months from 21 July.
According to WazirX, interested individuals should email the company with their intent to participate along with their contact details and methodologies they will use for tracking and recovery to ensure that the process is legal.
Before Blue Screens
The attack on WazirX came just a day before Windows computers and servers were paralysed due to a seemingly harmless software update by CrowdStrike. WazirX, though, fell prey to hackers.
Blockchain tracking firm Lookonchain revealed that the attackers swiftly converted these stolen assets into Ethereum and other cryptocurrencies, dispersing them across various addresses and using tools like Tornado Cash to obscure their trail.
Having cryptos stolen from its wallet would be the last thing that WazirX would have wanted since it has faced many issues over the past few years, not accounting for the current spat with Liminal. US-based crypto exchange platform Binance acquired WazirX in 2019 but on 5 August 2022, its CEO Changpeng Zhao tweeted that his company did not own any shares in Zanmai Labs—the entity operating WazirX.
Shetty contested the claim. The spat did not end there and in January 2023, Binance told Zanmai to withdraw all funds and assets in Binance wallets used for WazirX operations.
Binance, too, was fined $2.25 million by India’s FIU for violating local anti-money-laundering regulations before December 2023 but has been cleared to operate in India, subject to it paying the fine and complying with regulations.
To be sure, while WazirX’s bounty might incentivise cooperation from the hackers or individuals with pertinent information, the actual recovery of the funds remains fraught with challenges due to several factors.
Easier said than done
For one, cryptocurrencies offer a high degree of anonymity. Transactions are public, but the identities behind wallet addresses are not easily traceable.
Second, privacy tools like Tornado Cash complicate tracking efforts. It is a decentralised protocol designed to enhance transaction privacy on the Ethereum network by mixing transactions, making it incredibly challenging to trace the flow of funds.
When a user deposits cryptocurrency into Tornado Cash, the service generates a cryptographic proof (a secure digital certificate, which uses advanced mathematical algorithms known as zero-knowledge proofs, and verifies that a transaction occurred but does not reveal any transaction details) that allows them to withdraw the same amount later to a different address, making it difficult to trace the funds back to the original sender.
The legality of Tornado Cash varies by jurisdiction. In August 2022, for instance, the US Department of the Treasury sanctioned Tornado Cash, citing its use in laundering stolen cryptocurrency funds.
Third, blockchain transactions are irreversible. Once confirmed, they cannot be undone or altered without the recipient’s cooperation, unlike traditional banking transactions that can sometimes be reversed. The rapid conversion and dispersal of the stolen assets makes it difficult to trace and recover the funds before they are further distributed or cashed out.
Crypto curbs
Fourth, cryptocurrencies operate across borders and do not adhere to a single jurisdiction’s regulations. And it’s this global and decentralised nature that makes legal enforcement and coordination across countries complex and slow. While some countries embrace digital assets, others remain sceptical and have implemented stringent laws to curb their use.
India’s cryptocurrency industry, for instance, has not had it easy for the past few years. In 2018, the Reserve Bank of India (RBI) banned banks from cryptocurrency transactions, a ruling that was overturned by the Supreme Court two years later.
But individuals in India continue to shell out a 30% tax on crypto earnings and a 1% tax deducted at source on every crypto trade, dampening the enthusiasm over buying cryptos.
China has one of the most stringent policies against cryptocurrencies. The country has banned all forms of cryptocurrency trading and mining. The Chinese government has repeatedly cracked down on cryptocurrency-related activities, citing concerns over financial stability, fraud, and capital flight.
Russia, too, has implemented laws that restrict the use of cryptocurrencies as a means of payment. While owning and trading cryptocurrencies are not outright banned, the use of digital assets for payment is prohibited.
Turkey banned the use of cryptocurrencies for payments, citing risks associated with their volatility and potential use in illicit activities. Nigeria’s central bank issued a directive in February 2021 prohibiting financial institutions from dealing in cryptocurrencies or facilitating payments for cryptocurrency exchanges.
Bolivia has one of the strictest stances on cryptocurrencies in Latin America, with the country’s central bank banning the use of any type of cryptocurrency in 2014.
To be sure, there are countries and companies that promote the use of cryptocurrencies. El Salvador made Bitcoin legal tender in 2021 to boost financial inclusion and economic growth. Switzerland, particularly the city of Zug, known as “Crypto Valley,” supports a favourable regulatory environment for cryptocurrencies and blockchain startups.
Major companies including Tesla, Square (now Block, Inc.), and MicroStrategy have made significant investments in Bitcoin. Tesla, led by Elon Musk, bought $1.5 billion worth of Bitcoin and briefly accepted it as payment.
Square has invested heavily in Bitcoin, and MicroStrategy, under CEO Michael Saylor, has accumulated billions in Bitcoin reserves as part of its corporate strategy.
Traditional banks such as JPMorgan Chase have been promoting digital assets and blockchain, the underlying technology of cryptocurrencies, but its CEO Jamie Dimon has repeatedly called bitcoins as a “decentralised ponzi scheme“.
Goldman Sachs resumed its cryptocurrency trading desk, offering Bitcoin futures and derivatives, while Bank of America formed a research team to explore digital assets. Citibank has highlighted the potential of cryptocurrencies to transform global finance.
That said, the WazirX hack and the subsequent bounty offer to recover stolen funds highlight the ongoing security challenges in the cryptocurrency world. It consistently demonstrates that while blockchain technology provides robust security features, the ecosystem comprising user practices and centralised exchanges, remains vulnerable to attacks.
#recovering #stolen #cryptos #daunting #task #WazirX #rich #bounty