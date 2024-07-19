

Mumbai: One of India’s biggest cryptocurrency exchanges, WazirX, confirmed on Thursday that they had been hit by a cybersecurity breach. Cybersecurity researchers who first spotted the breach told the FPJ in an exclusive interaction that the pattern of the attack was similar to those by the Lazarus Group, an infamous North Korean state-sponsored hacker group. According to independent researchers as well as data accessed by the FPJ, around $230 million, which is more than Rs 1,923 crore, has been lost in the incident.

“We’re aware that one of our multisig wallets has experienced a security breach. Our team is actively investigating the incident. To ensure the safety of your assets, INR and crypto withdrawals will be temporarily paused. Thank you for your patience and understanding. We’ll keep you posted with further updates,” said the official update from the company.

A multisig wallet is a crypto storage system that requires several approvals before the operator can move the funds it holds. While this is a very strong security measure, in this case it also means that the hackers behind the breach were capable enough to get past it.

Breach Detected By Israel-Based Cybersecurity Firm

The breach was first noticed by Cyvers, a cryptocurrency cybersecurity firm based in Israel, who, after verifying it, immediately reached out to WazirX and also announced the breach on X, formerly known as Twitter.

🚨ALERT🚨Hey @WazirXIndia, Our system has detected multiple suspicious transactions involving your Safe Multisig wallet on the #ETH network.

A total of $234.9M of your funds have been moved to a new address. Each transaction's caller is funded by @TornadoCash.

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) July 18, 2024

Hakan Unal, Senior Security Operation Center Lead at Cyvers, told the FPJ in an exclusive interview that the breach was detected almost as soon as it was executed, thanks to their advanced Artificial Intelligence-based monitoring systems.

“We are monitoring entire blockchains, 24/7, block by block, and searching for anomalies,” said Unal. “Whenever such an anomaly is spotted, we run it through one of our AI models, which were pre-trained with thousands of previous occurrences. The models are able to assess whether this was indeed a malicious attack and classify it as per the category, like a hack, scam, fraud etc. (In WazirX’s case,) given the sensitivity and the large amount of the hack, we verified it internally and immediately called it.”
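As an added illustration (not code from Cyvers, WazirX or the FPJ) of the kind of block-by-block check the alert above describes, the Python below scans one block for outflows from a watched multisig and flags them when the amount is large or the submitting account was funded by a known mixer. Every address, amount and threshold is a constructed placeholder.

```python
from dataclasses import dataclass

WATCHED_MULTISIG = "0xSAFE_PLACEHOLDER"    # the exchange's Safe address (placeholder)
MIXER_ADDRESSES = {"0xMIXER_PLACEHOLDER"}  # known mixer contracts (placeholder)
LARGE_OUTFLOW_USD = 1_000_000              # per-transaction alert threshold (assumed)

@dataclass(frozen=True)
class Tx:
    block: int
    caller: str       # externally owned account that submitted the transaction
    sender: str       # account whose balance decreased
    to: str
    usd_value: float

def build_funding_index(history):
    """Map each address to the set of addresses that have ever sent it value."""
    funded_by = {}
    for tx in history:
        funded_by.setdefault(tx.to, set()).add(tx.sender)
    return funded_by

def scan_block(block_txs, funded_by):
    """Return alerts for outflows from the watched multisig in one block."""
    alerts = []
    for tx in block_txs:
        if tx.sender != WATCHED_MULTISIG:
            continue
        reasons = []
        if tx.usd_value >= LARGE_OUTFLOW_USD:
            reasons.append("large_outflow")
        if funded_by.get(tx.caller, set()) & MIXER_ADDRESSES:
            reasons.append("caller_funded_by_mixer")
        if reasons:
            alerts.append({"block": tx.block, "caller": tx.caller,
                           "usd_value": tx.usd_value, "reasons": reasons})
    return alerts

# Constructed sample chain: a mixer funds a fresh EOA that later submits a draining
# transfer; an ops EOA funded by the exchange's own hot wallet makes a routine payout.
HISTORY = [
    Tx(100, "0xMIXER_PLACEHOLDER", "0xMIXER_PLACEHOLDER", "0xFRESH_EOA", 3_000),
    Tx(101, "0xHOT_WALLET", "0xHOT_WALLET", "0xOPS_EOA", 500),
]
BLOCK_108 = [
    Tx(108, "0xOPS_EOA", WATCHED_MULTISIG, "0xCUSTOMER", 20_000),
    Tx(108, "0xFRESH_EOA", WATCHED_MULTISIG, "0xNEW_ADDRESS", 50_000_000),
]

def run_demo():
    """Scan the constructed block; only the mixer-funded draining transfer alerts."""
    return scan_block(BLOCK_108, build_funding_index(HISTORY))
```

The funding index here only records direct senders; a production monitor would walk several hops of funding history and keep its mixer list current.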

Stolen Cryptocurrencies Sold On DEX

Information collated so far indicates that popular cryptocurrencies such as Ethereum and Shiba Inu were stolen in the breach. Investigators found that the hackers had sold them on decentralised exchanges (DEX). These are basically marketplaces for cryptocurrency where users trade directly with each other, without a middleman.

Further tracing revealed some of the stolen ‘$DENT tokens’ (a specific type of cryptocurrency) ended up in a Binance wallet. Binance is another major cryptocurrency exchange.

“We still don’t know for sure who is behind the attacks. Having said that, due to the nature of the attack and the money trail that succeeded it, we can estimate that the Lazarus Group, affiliated with the DPRK (Domestic Republic of North Korea), was behind it,” said Mr Unal.

About Lazarus Group

The Lazarus Group has been active since at least 2009 and was reportedly responsible for the November 2014 cyberattack against Sony Pictures Entertainment, as part of a campaign named Operation Blockbuster, according to an official update by MITRE ATT&CK, a global repository of information about known cyberthreats, adversaries and their tactics.

Experts were quick to recommend the immediate withdrawal of funds from WazirX wallets till further updates. Others in India and abroad are still working on reverse tracing the trajectory of the attack.

“Their (WazirX’s) safe multisig was compromised and drained. The hackers started practising the hack-on-chain at least eight days ago and finally executed it today. It’s a very methodical and organised attack, pointing towards DPRK as the hacker,” said Blockchain Security Researcher Mudit Gupta in an update on his X account.

Unal added, “It is very hard to mitigate such situations after they have happened. Our advice is to be mindful about the security partners of the trading venue that you invest in. Real-time security monitoring brings the danger of such cases in the future close to zero.”