WazirX $230M Hack July 2024 — How a Multi-Signature Wallet Was Drained: Technical Reconstruction & Indian Crypto Implications

Manish Garg, Associate of (ISC)² · RingSafe
Apr 29, 2026
15 min read
On 18 July 2024, WazirX — India’s largest cryptocurrency exchange by trading volume — disclosed that approximately $230 million in customer assets had been stolen from one of its primary hot wallets. The attack exploited a mismatch between what the signers were shown and what they signed. The wallet was a Gnosis Safe multisig operated through Liminal Custody’s interface, with six signers (five WazirX employees and one Liminal signer) and a policy requiring three WazirX approvals plus Liminal’s for execution. The signers were shown a routine transfer, while the payload their hardware wallets actually signed handed control of the Safe to the attacker. The attackers, assessed by blockchain-analytics firms including Elliptic and TRM Labs as the North Korea-linked Lazarus Group, drained over $230M in tokens including Shiba Inu, Pepe, Floki, Polygon (MATIC), USDC, USDT and others, then began the standard Lazarus laundering pattern: rapid swaps via decentralised exchanges, mixing through Tornado Cash, and consolidation into Bitcoin via cross-chain bridges. WazirX moved to an emergency proceeding in the Singapore High Court for a six-month moratorium on its remaining $300M in customer claims, restructured as a creditor-vote scheme of arrangement, and is in the slow process of returning what funds remain to users at a partial recovery rate. The incident triggered the Reserve Bank of India’s most direct public commentary yet on cryptocurrency exchange operational risk and accelerated the implementation of the Prevention of Money Laundering Act 2002 (PMLA) reporting framework for Virtual Digital Asset Service Providers.

WazirX was, until the morning of 18 July 2024, a credible candidate for the role of “trusted Indian crypto exchange.” Acquired by Binance in 2019 (under disputed terms that became its own multi-year saga), registered with FIU-IND under India’s emerging VDA framework, and serving over 15 million Indian users, WazirX represented the institutional respectability that the Indian crypto industry was straining toward. Then, in a single transaction, it lost more than the combined annual GDP of several small Indian municipalities. This post is a technical reconstruction of how the attack worked, who carried it out, what the recovery looks like, and what every Indian crypto user, exchange operator, and security professional should learn from one of the most operationally consequential cybersecurity incidents in Indian financial history.

What happened — the silent drain of a "secure" multisig wallet

WazirX, like most large crypto exchanges, used a multi-signature wallet architecture for its hot-wallet operations. The compromised wallet was a Gnosis Safe with six signers: five WazirX employees, each signing with a Ledger hardware wallet, and one signer operated by Liminal Custody, a third-party institutional custody service that provided the user interface, the transaction policy engine, and the final signing key. A transaction needed three WazirX approvals followed by Liminal’s before it could execute on the Ethereum blockchain. This architecture is widely used across the industry and is generally considered robust against single-key compromise, social engineering of individual signers, and routine operational error. On 18 July 2024 at approximately 13:21 UTC, the required signers approved what they understood, based on what Liminal’s interface showed them, to be a routine internal wallet rebalancing transaction. The transaction actually broadcast to the Ethereum network was, according to on-chain analysis, a Safe execTransaction whose operation field was set to DELEGATECALL into an attacker-deployed contract. Because a delegatecall runs in the Safe’s own storage context, that contract overwrote the proxy’s implementation (singleton) slot with attacker-controlled logic, after which the attacker could move every asset the Safe held without any further signatures. Within minutes, $230M in assorted tokens had moved from WazirX-controlled Safe addresses to attacker-controlled addresses. The signers had cryptographically signed a transaction whose payload they never actually saw.

The technical attack — UI substitution against a multisig signing flow

The mechanics of how the attacker substituted what the signers saw against what they actually signed remain partially opaque, but the leading hypothesis (supported by Liminal’s post-incident statements and on-chain forensics by Elliptic, TRM Labs, and ZachXBT) involves a compromise of either the Liminal interface itself or the signer endpoints viewing it. What is not in doubt is the shape of the failure: a Safe signer does not sign the human-readable transaction, but an EIP-712 digest of it (the Safe transaction hash), so whatever component builds that digest and hands it to the hardware wallet decides what is really authorised. Path A (interface compromise): the attacker compromises Liminal’s frontend or backend so that the page renders the benign transaction (“transfer 50 ETH to internal wallet 0xABC…”) while the payload forwarded to the signer’s hardware wallet, and later broadcast, is the malicious one (“delegatecall into 0xEvil…”). This requires either a compromise of Liminal’s infrastructure or interception of the payload between interface and device. Path B (signer endpoint compromise): the attacker compromises individual signer machines, possibly via spear-phishing or a supply-chain attack against the signing software, and performs the same swap in the local browser, so the user sees the safe transaction, the hardware wallet receives the malicious payload, and Liminal’s servers see a transaction that was validly requested and validly signed. In either path the hardware wallet cannot help: for a Safe transaction it displays at best the 32-byte hash or opaque hex calldata, and the signer has no way to relate that to what the screen showed. The deeper architectural problem: Gnosis Safe transactions involving contract interactions display as opaque hex calldata in most signer interfaces. Verifying what a Safe transaction actually does requires either trust in the interface, or independently recomputing the Safe transaction hash from the intended parameters (target, value, calldata, operation type, nonce) and comparing it against what the device displays, something that even sophisticated signers rarely do for routine operational transactions. This is the “blind signing” problem and it is the dominant vulnerability class across institutional crypto custody in 2024-2025; the same UI-substitution pattern against a Safe multisig recurred in the Bybit theft of February 2025.

Attribution — Lazarus Group and North Korea's crypto laundering machine

Within 48 hours of the attack, Elliptic and TRM Labs published preliminary analyses attributing the laundering pattern to the Lazarus Group, the umbrella designation for North Korean state-sponsored cyber operations. The on-chain fingerprint that supports this attribution is the Lazarus playbook: rapid token-to-token swaps via decentralised exchanges (especially Uniswap and 1inch); use of cross-chain bridges (Avalanche Bridge, Wormhole) to break tracking continuity; consolidation into ETH and BTC; mixing through Tornado Cash, which Elliptic reported the WazirX funds entering in the months after the theft, plus Bitcoin coinjoins via services such as Wasabi or Whirlpool; and ultimately movement to addresses associated with previous Lazarus-attributed thefts. The economic context: Lazarus has been one of the most prolific cryptocurrency thieves in history, with confirmed attributions including the 2022 Ronin Bridge hack ($625M), the 2023 Atomic Wallet drain (~$100M), the 2023 Stake.com theft ($41M), the 2023 CoinEx hack ($55M), and many more. Total stolen by Lazarus across documented incidents exceeds $3 billion. The funds reportedly flow to North Korea’s missile and weapons programs as a sanctions-evasion mechanism. Implications for WazirX specifically: attribution to Lazarus means any negotiation with the attackers is effectively impossible. Lazarus does not respond to “white hat bounty” offers as some criminal groups do, and any payment would constitute a violation of US OFAC sanctions, exposing both WazirX and any facilitating intermediary to secondary sanctions. Recovery via traditional law enforcement requires international cooperation that, while not zero, runs into the geopolitical reality that North Korean assets are not legally accessible.

Timeline — from compromise to creditor-protection filing in five weeks

~13:21 UTC, 18 July 2024: Malicious transaction signed and broadcast.
~13:30 UTC: First alerts as on-chain monitoring and analytics services flag the unusual outflow.
13:45 UTC: WazirX engineering team identifies the unauthorised drain.
~16:00 UTC: WazirX pauses INR and crypto withdrawals globally.
17:30 UTC: Public statement issued; initial framing as a “force majeure event” while details are still being assembled.
19 July: Detailed statement; engagement of forensics firms (Mandiant; ZachXBT investigating independently); coordination with the Indian Cyber Crime Coordination Centre (I4C).
21 July: First wave of customer outrage as the withdrawal pause persists; Twitter/X becomes a 24/7 stream of customer complaints, conspiracy theories, and legal threats.
23 July – 5 August: Multiple public statements; promise of recovery efforts; engagement with law enforcement (FBI, Interpol, Indian agencies).
21 August: WazirX files in the Singapore High Court for a moratorium under the Insolvency, Restructuring and Dissolution Act: six months of protection from creditor enforcement to allow restructuring.
September – December 2024: Creditor scheme of arrangement drafted; user vote scheduled.
Early 2025: Vote conducted; partial recovery distribution begins. The precise recovery percentage was undisclosed at the time; estimates ran at 55-80%, depending on the remaining assets and token prices at distribution.
Mid-2025 onward: Slow distribution to verified claimants; ongoing legal proceedings and parallel SEBI / RBI / FIU-IND inquiries.

The Liminal question — vendor accountability in custody architecture

Liminal Custody, the third party providing infrastructure for the compromised wallet, faced direct scrutiny in the aftermath. Liminal’s public position was that its infrastructure was not compromised: the malicious transaction was authorised through its interface by valid WazirX signatures, and any compromise occurred at the WazirX signer level. WazirX’s position was, at minimum, that the discrepancy between the displayed and the actual transaction originated within Liminal’s display layer. Both positions remain disputed in legal and forensic discovery as of mid-2025. The deeper question for any organisation using third-party custody: when a multi-party signing scheme involves both your team and a vendor’s team, and the assets are lost, who bears the loss and the legal consequences? The contracts between exchanges and custody providers typically include extensive carve-outs for security incidents, “force majeure” provisions, and limitations on liability that make full recovery from the vendor practically impossible even if vendor fault is established. Practical implications for crypto operators: if you use third-party institutional custody (Liminal, Fireblocks, Copper, BitGo, Anchorage, Coinbase Custody, MetaMask Institutional), you must independently verify what your signing flow actually signs; do not trust the interface. This means having at least one signer at each critical-asset transaction reconstruct the transaction from the intended parameters, recompute the Safe transaction hash, and check it against what the hardware wallet displays, using a separate machine, a separate network, and separate verification tooling from the primary signing flow. This is operationally expensive; it is also the only durable defence against UI-substitution attacks.

Recovery and creditor process — the slow, contested return of funds

The Singapore moratorium and subsequent scheme of arrangement is the legal framework through which WazirX is attempting to return funds to affected users. The mechanics: (1) WazirX classifies all user balances as creditor claims; (2) the scheme proposes a partial repayment based on the remaining unhacked assets plus future revenue; (3) creditors vote to accept or reject; (4) if accepted by the requisite majority (a majority in number representing at least 75% in value of the creditors present and voting) and sanctioned by the court, the scheme binds all creditors. What this means in practice: users who held INR balances or crypto assets on WazirX before 18 July 2024 became unsecured creditors of WazirX with no special preference over operational creditors. Their only realistic recovery path is acceptance of whatever percentage the scheme proposes. What it means for the broader Indian crypto industry: the WazirX situation is a stress test of whether Indian crypto users have any meaningful legal protection when an exchange fails. The answer so far has been “limited and slow.” This shapes how Indian users will allocate trust across exchanges going forward: expect demands for bigger reserves, more regulatory hostility to exchanges, and substantially more user demand for self-custody options.

India regulatory context — PMLA, SEBI, and the path to crypto law

India’s regulatory framework for cryptocurrency in 2024-2025 was, charitably, transitional. The Reserve Bank of India barred banks from servicing crypto exchanges in 2018 (a circular the Supreme Court struck down in 2020), and the Union Budget 2022 then imposed a punitive 30% tax on crypto gains plus 1% TDS on transfers. Parallel to this fiscal pressure, the Financial Intelligence Unit India (FIU-IND) extended PMLA reporting requirements to Virtual Digital Asset Service Providers (VDASPs) in March 2023, requiring registration with FIU-IND, suspicious-transaction reporting, and KYC compliance. The WazirX hack accelerated several regulatory threads, most of which were still signals or proposals rather than binding rules at the time of writing. (1) Sectoral cybersecurity standards: CERT-In and SEBI both signalled that crypto exchanges would face dedicated cybersecurity audit requirements modelled on the SEBI System Audit Framework. (2) Custody segregation: draft regulations under discussion would require minimum cold-storage percentages, segregation of customer assets from exchange operational accounts, and proof-of-reserves disclosures. (3) Insurance mandates: mandatory cyber insurance for VDASPs above a turnover threshold, similar in spirit to bank deposit insurance but for crypto holdings. (4) Cross-border enforcement: FIU-IND has begun engagement with the Egmont Group and FATF on cross-border tracing of stolen crypto, with Lazarus-attributed thefts as a primary case study. (5) Disclosure requirements: incident reporting within 6 hours of discovery (the timeline CERT-In’s 2022 directions already impose) extended to FIU-IND, and notification to the Ministry of Corporate Affairs within 24 hours for any incident materially affecting customer funds.

Detection and prevention — what every crypto exchange must implement

Concrete detection and prevention measures that would have either caught or contained the WazirX attack. (1) Out-of-band transaction confirmation: for any transaction above a threshold (e.g., $1M), require confirmation via a channel independent of the signing workstation, such as an authenticator app or hardware token on a separate device (not SMS, which is SIM-swappable), plus biometric or physical presence. The signer must positively confirm not just “approve” but “approve transfer of X tokens to address Y.” (2) Independent hash verification: at least one signer per transaction must rebuild the transaction from the agreed parameters on a separate machine, recompute the Safe transaction hash with a different tool than the primary signing interface, and refuse to approve unless it matches the hash the hardware wallet displays. This catches UI substitution wherever in the chain the swap happened, because the device hash is the one thing the attacker cannot fake. (3) Anomaly detection on transaction patterns: bulk movement of assets, DELEGATECALL operations, implementation upgrades, owner or threshold changes, module or guard changes. These are rare events and should trigger monitoring alerts that pause execution pending human review; for a hot wallet that only ever does token transfers, a DELEGATECALL should be an outright policy rejection. (4) Transaction simulation: tools like Tenderly and Foundry can simulate Ethereum transactions before execution, showing the actual state changes that would occur, including a change to the Safe’s implementation slot. Mandate simulation for all multisig transactions, run against the payload that will actually be signed rather than what the interface displays. (5) Time-locked transactions: for very high-value moves, build in a delay between signing and execution (24-72 hours) during which any signer can veto. This trades speed for safety; appropriate for cold-wallet movements. (6) Hardware wallet best practices: use hardware wallets that fully decode and display the contract operations being signed. Older hardware wallets show only the hash; modern Ledger and Trezor firmware can decode known contract types but require specific hardware models and configurations, and a Safe transaction still reaches the device as an EIP-712 digest. (7) Separate signers physically: different signers should be on different networks, different machines, ideally in different geographic locations, to ensure no single compromise can affect quorum.
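The following is an added worked example, not code from WazirX, Liminal or the Safe project. It implements the check that the blind-signing discussion above and measures (2), (3) and (6) of this list call for: rebuild the Safe transaction hash from the parameters the signer intends to approve, compare it with the digest the hardware wallet shows, and run a policy that rejects DELEGATECALL and anything that is not a whitelisted ERC-20 transfer. It carries its own keccak-256 so it runs offline with no dependencies. It assumes a Safe v1.3.0-style EIP-712 domain (chainId plus verifyingContract; older 1.1.x Safes use a different domain and will not match); the USDT address is the real mainnet contract, while the Safe, internal-wallet and attacker addresses are placeholders, and the sample transactions are constructed for the demo.

```python
# Added example, not code from WazirX, Liminal or Safe: rebuild the Safe transaction
# hash from the parameters a signer INTENDS to approve, compare it with what the
# hardware wallet shows, and apply a policy that rejects DELEGATECALL outright.
# Assumes a Safe v1.3.0-style EIP-712 domain; all addresses except USDT are placeholders.
from dataclasses import dataclass

MASK64 = (1 << 64) - 1
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]   # rho offsets for lane index x + 5*y

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v

def _keccak_f1600(s):
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                              # theta
        b = [0] * 25
        for i in range(25):                                                    # rho + pi
            x, y = i % 5, i // 5
            b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[i], _ROT[i])
        s = [b[i] ^ (~b[i - i % 5 + (i + 1) % 5] & b[i - i % 5 + (i + 2) % 5])
             for i in range(25)]                                               # chi
        s[0] ^= rc                                                             # iota
    return s

def keccak256(data: bytes) -> bytes:
    """Ethereum keccak-256: original Keccak padding (0x01 ... 0x80), not SHA3-256."""
    rate = 136
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        s = _keccak_f1600(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))

def _word(v: int) -> bytes:          # abi.encode of one uint256 / address / uint8
    return v.to_bytes(32, "big")

DOMAIN_TYPEHASH = keccak256(b"EIP712Domain(uint256 chainId,address verifyingContract)")
SAFE_TX_TYPEHASH = keccak256(
    b"SafeTx(address to,uint256 value,bytes data,uint8 operation,uint256 safeTxGas,"
    b"uint256 baseGas,uint256 gasPrice,address gasToken,address refundReceiver,uint256 nonce)")
TRANSFER_SELECTOR = keccak256(b"transfer(address,uint256)")[:4]   # ERC-20 transfer, 0xa9059cbb

@dataclass(frozen=True)
class SafeTx:
    to: int
    value: int
    data: bytes
    operation: int            # 0 = CALL, 1 = DELEGATECALL (runs in the Safe's own storage)
    nonce: int
    safe_tx_gas: int = 0
    base_gas: int = 0
    gas_price: int = 0
    gas_token: int = 0
    refund_receiver: int = 0

def safe_tx_hash(tx: SafeTx, chain_id: int, safe: int) -> bytes:
    """The EIP-712 digest Safe.getTransactionHash returns; a Ledger shows this, not the calldata."""
    domain = keccak256(DOMAIN_TYPEHASH + _word(chain_id) + _word(safe))
    struct = keccak256(SAFE_TX_TYPEHASH + _word(tx.to) + _word(tx.value) + keccak256(tx.data)
                       + _word(tx.operation) + _word(tx.safe_tx_gas) + _word(tx.base_gas)
                       + _word(tx.gas_price) + _word(tx.gas_token) + _word(tx.refund_receiver)
                       + _word(tx.nonce))
    return keccak256(b"\x19\x01" + domain + struct)

def review(tx: SafeTx, shown_hash: bytes, chain_id: int, safe: int,
           tokens: set, recipients: set) -> tuple:
    """Run on a machine separate from the signing workstation, before the device is approved."""
    if tx.operation != 0:
        return False, "DELEGATECALL can overwrite the proxy's implementation slot"
    if tx.to not in tokens:
        return False, "target is not a whitelisted token contract"
    if len(tx.data) != 68 or tx.data[:4] != TRANSFER_SELECTOR:
        return False, "calldata is not a plain ERC-20 transfer"
    recipient = int.from_bytes(tx.data[4:36], "big")
    if recipient not in recipients:
        return False, "recipient is not a whitelisted internal wallet"
    if safe_tx_hash(tx, chain_id, safe) != shown_hash:
        return False, "device hash differs from the hash of the intended transaction"
    return True, f"transfer of {int.from_bytes(tx.data[36:], 'big')} units to {recipient:#042x}"

# Constructed sample. USDT is the real mainnet contract; SAFE, INTERNAL and ATTACKER are placeholders.
CHAIN_ID, SAFE = 1, 0x5AFE5AFE5AFE5AFE5AFE5AFE5AFE5AFE5AFE5AFE
USDT = 0xDAC17F958D2EE523A2206206994597C13D831EC7
INTERNAL, ATTACKER = 0x1111111111111111111111111111111111111111, 0xBAD0BAD0BAD0BAD0BAD0BAD0BAD0BAD0BAD0BAD0
BENIGN = SafeTx(to=USDT, value=0, operation=0, nonce=42,
                data=TRANSFER_SELECTOR + _word(INTERNAL) + _word(10_000_000 * 10**6))   # 10M USDT
MALICIOUS = SafeTx(to=ATTACKER, value=0, operation=1, nonce=42, data=b"")               # what got signed
```

In the WazirX scenario the interface shows BENIGN while the device is handed MALICIOUS; `review(BENIGN, <hash on the device>, ...)` then fails on the final hash comparison, and `review(MALICIOUS, ...)` fails immediately on the DELEGATECALL rule. The policy deliberately checks the cheap structural rules first and the hash last, so an operator gets a specific reason rather than just “mismatch”; the hash comparison is the one check that holds even if the interface, the browser and the policy engine are all lying.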

Lessons for end users — how Indian crypto holders should protect themselves

Six concrete actions for individuals holding cryptocurrency on Indian exchanges or in self-custody. (1) Self-custody for long-term holdings. Any cryptocurrency you do not actively trade should be in a hardware wallet you control, not on an exchange. The phrase “not your keys, not your coins” is repeated because it is true. Hardware wallets (Ledger Nano X, Trezor Model T, Coldcard for Bitcoin maxi setups) cost $50-200 and protect you against exchange compromise. (2) Exchange diversification. If you must hold balances on exchanges (active trading, INR conversion), spread across multiple exchanges so a single failure does not wipe you out. (3) KYC awareness. WazirX customer data was not the focus of this hack but in general, exchange breaches expose KYC documents (PAN, Aadhaar, address proof, selfies) and that is permanent. Choose exchanges that minimise data collection and have demonstrated security maturity. (4) Tax compliance. India’s 30% crypto tax + 1% TDS regime applies regardless of whether your exchange goes under. Maintain your own records (CSV exports of all transactions) so tax filings remain possible if exchange access is lost. (5) Beware of “recovery service” scams. After major hacks, scammers contact victims claiming they can recover stolen funds for an upfront fee. They cannot. Any upfront-fee recovery service is fraudulent. (6) Recognise the regulatory direction. Indian crypto regulation is tightening. Operating compliantly (filing taxes, completing KYC, reporting holdings if required) protects you from secondary problems if you become a fraud victim or witness.

Wider implications — what this means for institutional crypto adoption in India

Beyond the immediate operational consequences, the WazirX incident is a strategic setback for crypto adoption in India that will play out over years. (1) Bank cooperation hardens. Indian banks already restrict crypto-related accounts under RBI guidance; the WazirX failure provides the bank-side compliance teams with concrete evidence that crypto exchanges are higher-risk than traditional financial institutions. Expect harder banking access, longer onboarding times, and more frequent account closures for crypto exchanges and high-volume traders. (2) Talent flight. Senior security and engineering talent in Indian crypto exchanges, already a small pool, may move to traditional finance or crypto roles abroad. Operational maturity gaps widen. (3) Regulatory consolidation. The “wait and see” Indian crypto regulatory approach has lasted half a decade; WazirX provides the political cover for either a comprehensive crypto regulation bill (with strict licensing, capital requirements, and operational standards) or a more restrictive ban-by-attrition approach. Both paths likely reduce the number of operational Indian exchanges from the current ~10 to 2-3 highly-regulated entities. (4) International perception. Foreign exchanges (Binance, Coinbase, Kraken) cannot directly serve Indian retail without local licensing they do not currently hold; the WazirX failure does not benefit them and may increase their reluctance to engage with India. (5) DeFi adoption. Some sophisticated users will respond by self-custodying and using decentralised exchanges (Uniswap, dYdX, GMX) directly, bypassing centralised exchange risk entirely. This is more secure for the user but cuts the regulator out of the loop, creating its own tensions. The WazirX hack is therefore not just a single incident — it is a forcing function that will reshape how India regulates and consumes cryptocurrency for the rest of the decade.

FAQ

Will WazirX users get their money back?

Partially, eventually. The Singapore scheme of arrangement proposes partial repayment based on remaining assets and future revenue. The exact percentage and timeline depend on creditor vote acceptance and ongoing legal recovery efforts. Expect 55-80% recovery over 12-36 months for users who hold their claims through the process; smaller recoveries earlier for users who sell their claims to claims-trading firms at deep discounts.

Was self-custody crypto safe during the WazirX hack?

Yes. Only assets held in WazirX-controlled wallets were affected. If you self-custodied your crypto in a hardware or software wallet whose private keys you control, your assets were and remain unaffected.

Could this happen to other Indian exchanges?

Yes. The fundamental architectural vulnerability (UI substitution against blind signing of an EIP-712 digest that the signer cannot relate to the displayed transaction) affects most multisig setups. Any exchange using third-party institutional custody with Gnosis Safe or similar is structurally exposed unless it has implemented out-of-band confirmation, independent recomputation of the transaction hash, a policy that rejects DELEGATECALL and other non-transfer operations, and transaction simulation against the payload actually being signed.

Did Lazarus Group really do this?

Blockchain-analytics firms including Elliptic and TRM Labs attributed the laundering pattern to the Lazarus Group within days, and later reporting has not contradicted them. The pattern is consistent with Lazarus operations and inconsistent with most criminal-actor profiles. Attribution in cyber operations is rarely 100% certain, but the technical and financial fingerprints in this case are strong.

Is it safe to use Indian crypto exchanges now?

It is safer than it was, in the sense that surviving exchanges have hardened their procedures post-WazirX. It is not safe in any absolute sense — exchange compromise risk remains real. Treat exchange balances as you would treat cash held by a third-party agent: useful for active trading, not for long-term storage.

What does this mean for the 30% crypto tax in India?

Tax obligations remain regardless of whether your exchange goes under. If you held WazirX positions that became creditor claims, your taxable position depends on the timing and treatment of the eventual distribution. Consult a chartered accountant familiar with crypto taxation; the rules are evolving.


📰 Note: This analysis is compiled from public reporting (Reuters, Bloomberg, court filings, threat-intel firm publications) and is intended for security education. Some technical details remain disputed in ongoing legal proceedings; we have attributed claims where the source is established and noted where matters remain contested.
