The attack that caused WazirX, the largest crypto exchange in India, to lose more than $230 million has been attributed to North Korea-based actors by cybersecurity firm Elliptic.

Meanwhile, WazirX has published its own analysis of the exploit in a July 18 preliminary incident report and on Friday morning wrote on Twitter that it has filed a police report.

WazirX explained in its report that the incident saw one of the firm's multi-signature wallets send funds to a non-whitelisted address. The firm says this happened because the interface of Liminal, the multi-signature asset custody platform it used, displayed a whitelisted address even though the transaction actually sent the funds to a different address.

According to the Liminal team, WazirX's multi-sig wallets were created "outside of the Liminal ecosystem." In its own report on Twitter, the team said that "Liminal’s platform is not breached and Liminal’s infrastructure, wallets and assets continue to remain safe."

This seems to suggest that the client device used to access Liminal's multi-signature asset management platform might have been breached so that it displayed an address different from the one the transaction actually targeted. Still, WazirX claims that the "whitelisted addresses were earmarked and facilitated on the interface by Liminal."

WazirX wrote in its report that the attack stemmed from "a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents." The crypto exchange says it witnessed a mismatch between the information displayed on Liminal’s interface and what was actually signed.

"We suspect the payload was replaced to transfer wallet control to an attacker," WazirX wrote.

The exchange appears to be placing the failure on the custody service provider, whose interface facilitated the approval of a transaction from the multisignature wallet to a non-whitelisted address.
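The failure mode described above is a signer trusting what a user interface shows rather than what the key is actually about to sign. As an added example that is not code from WazirX, Liminal or this article, the check below decodes the raw payload presented for signing, extracts the real destination from the bytes, and compares it against what the interface claims and against the signer's own copy of the whitelist. It assumes an ERC-20 `transfer(address,uint256)` payload (selector `a9059cbb`); the token, recipient and attacker addresses and the whitelist are constructed test data, and any call whose selector is not a plain transfer is refused outright, since a payload that "transfers wallet control" would not look like a token transfer.

```javascript
// Added illustrative example: signer-side "what you see is what you sign"
// check for a multisig approval. All addresses and payloads below are
// constructed test data, not values from the WazirX incident.

// ERC-20 transfer(address,uint256) 4-byte function selector.
const ERC20_TRANSFER_SELECTOR = "a9059cbb";

// Selectors the signer is willing to approve at all. Anything else (for
// example an owner change or implementation upgrade on a wallet contract)
// is refused regardless of what the interface displays.
const ALLOWED_SELECTORS = new Set([ERC20_TRANSFER_SELECTOR]);

const strip0x = (h) => h.toLowerCase().replace(/^0x/, "");

// Decode the calldata the wallet is actually being asked to sign. Returns
// the selector and, for a well-formed ERC-20 transfer, the recipient and
// amount from the two 32-byte ABI words that follow it.
function decodeCalldata(dataHex) {
  const data = strip0x(dataHex);
  if (data.length < 8) return { selector: null, recipient: null, amount: null };
  const selector = data.slice(0, 8);
  if (selector !== ERC20_TRANSFER_SELECTOR || data.length !== 8 + 64 * 2) {
    return { selector, recipient: null, amount: null };
  }
  const word1 = data.slice(8, 72);     // address, left-padded to 32 bytes
  const word2 = data.slice(72, 136);   // uint256 amount
  return {
    selector,
    recipient: "0x" + word1.slice(24), // low 20 bytes of the word
    amount: BigInt("0x" + word2),
  };
}

// Compare what the interface displayed against what the payload does.
// `displayed` is the UI's claim, `payload` is the raw transaction the key
// will sign, `whitelist` is the signer's independently held list of
// approved recipients (not one fetched from the same interface).
function checkBeforeSigning(displayed, payload, whitelist) {
  const reasons = [];
  const allowed = new Set(whitelist.map((a) => a.toLowerCase()));
  const decoded = decodeCalldata(payload.data);

  if (decoded.selector === null || !ALLOWED_SELECTORS.has(decoded.selector)) {
    reasons.push(`unexpected function selector ${decoded.selector}`);
    return { ok: false, reasons, decoded };
  }
  if (payload.to.toLowerCase() !== displayed.token.toLowerCase()) {
    reasons.push(`payload targets ${payload.to}, UI showed ${displayed.token}`);
  }
  if (decoded.recipient !== displayed.recipient.toLowerCase()) {
    reasons.push(`payload sends to ${decoded.recipient}, UI showed ${displayed.recipient}`);
  }
  if (!allowed.has(decoded.recipient)) {
    reasons.push(`recipient ${decoded.recipient} is not whitelisted`);
  }
  if (decoded.amount !== BigInt(displayed.amount)) {
    reasons.push(`payload amount ${decoded.amount} differs from displayed ${displayed.amount}`);
  }
  return { ok: reasons.length === 0, reasons, decoded };
}

// ABI-encode a transfer call (used only to build the constructed samples).
function encodeTransfer(recipient, amount) {
  return "0x" + ERC20_TRANSFER_SELECTOR +
    strip0x(recipient).padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

// Constructed sample data.
const TOKEN = "0x" + "11".repeat(20);
const WHITELISTED = "0x" + "aa".repeat(20);
const ATTACKER = "0x" + "bb".repeat(20);
const WHITELIST = [WHITELISTED];
const AMOUNT = 1000n * 10n ** 18n;

const displayed = { token: TOKEN, recipient: WHITELISTED, amount: AMOUNT.toString() };
// Honest payload: bytes match the interface.
const honestPayload = { to: TOKEN, data: encodeTransfer(WHITELISTED, AMOUNT) };
// Swapped payload: interface still shows WHITELISTED, bytes go to ATTACKER.
const swappedPayload = { to: TOKEN, data: encodeTransfer(ATTACKER, AMOUNT) };
// Non-transfer payload: a call the transfer UI cannot faithfully represent.
const foreignPayload = { to: TOKEN, data: "0xdeadbeef" + "00".repeat(64) };

for (const [name, p] of [["honest", honestPayload], ["swapped", swappedPayload], ["foreign", foreignPayload]]) {
  const r = checkBeforeSigning(displayed, p, WHITELIST);
  console.log(name, r.ok ? "SIGN" : "REFUSE", r.reasons);
}
```

The point of the design is that the comparison runs on the bytes the signing key will see, on a device and against a whitelist that the rendering front end cannot alter; a compromised page or dependency can change what is drawn on screen, but it cannot make the decoded recipient in the payload equal the displayed one without also changing where the funds go.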

It's not at all unheard of, said Mogu, the pseudonymous founder and CEO of blockchain data firm Chainbase.

"Various vulnerabilities pose risks of compromising front-end pages, leading to discrepancies between displayed and actual signed transactions," they told Decrypt. "These include XSS, server-side vulnerabilities, CDN vulnerabilities, MITM attacks, browser plugins, and logical flaws."

Meanwhile, a spokesperson at decentralized bug bounty platform Immunefi told Decrypt that the most likely explanation is that Liminal's front-end interface inherited a vulnerability from one of its dependencies. A similar issue was at play in December, when Ledger reported a vulnerability with its Ledger Connect Kit, they said.

"Another guess would be, the vulnerability might have been present in one of Liminal Custody's native apps, allowing the overwrite of address behavior and enabling spoofing," the Immunefi spokesperson said. "In this scenario, the signing message could be replaced with a payload that transfers wallet control to an attacker, who then exploits this vulnerability on the victim's client side."

Still, Liminal's report suggests that the WazirX multisignature wallet itself was compromised and that it was created outside the firm's purview—which could put the responsibility solely on the exchange.

Neither WazirX nor Liminal immediately responded to a request for comment from Decrypt.

Elliptic estimates the loss to be about $235 million, composed of more than 200 different assets. That includes about $97 million worth of Shiba Inu (SHIB), $52.6 million worth of Ethereum (ETH), $11 million of Polygon (MATIC), and $7.6 million of Pepe (PEPE).

A portion of those assets has already been swapped for ETH on a number of decentralized exchanges, an expected first step in laundering hack proceeds. "On-chain analysis and other information reviewed by Elliptic indicates that this hack was perpetrated by hackers affiliated with North Korea," Elliptic wrote.

DPRK Special Representative of the Foreign Ministry Alejandro Cao de Benos de Les Perez did not immediately respond to a request for comment from Decrypt.

Editor's note: This article was updated to add comments from Chainbase and Immunefi sources.

Edited by Stacy Elliott.