The biggest cryptocurrency exchange in India, WazirX, is presently trying to retrieve $230 million in cryptocurrency assets that were lost in a cyberattack on one of its multisignature wallets, in addition to finalizing a plan to relaunch its platform, a top official said.
Multisignature wallets are crypto wallets that cannot be unlocked, and from which funds cannot be removed, without two or more private keys.
The exchange lost approximately 45 percent of its assets in the hack that occurred on July 18.
According to reports, a significant portion of WazirX’s earnings is still under Binance’s control, so the exchange had also contacted Binance, the biggest exchange in the world and its previous partner, regarding potential support.
WazirX’s loss occurred at a crucial time, as Indian cryptocurrency companies were about to resume talks with government agencies to develop industry regulations. These talks were scheduled to take place following the Union Budget and election results.
The founder and CEO of WazirX, Nischal Shetty, addressed a number of topics in a thorough interview, including recovery strategies, continuing discussions with the government and international peers, and more.
A third of India’s crypto investors use your platform. Do you believe this breach will undermine trust in WazirX and the broader crypto space? What steps is WazirX taking to restore that trust?
In many historical hacks, exchanges are breached and funds are withdrawn from hot wallets, where the keys are stored on the server and can be accessed by hackers. However, in our case, this was not the issue; our servers were not hacked, and our systems remain uncompromised.
Therefore, moving the majority of your funds into a cold wallet is a normal business practice. Furthermore, the keys required to complete a transaction on a cold wallet are stored there, not on any server. It cannot be hacked if the keys are not online, since you do not have any. Additionally, some people require keys.
No one point of failure exists. We had four signers in our instance. Three are from our business, and one is from Liminal, a third party.
In the event of a compromise involving the three signatories from our company, there is a final layer of protection provided by a third-party custodian. Their sole responsibility is to serve as the ultimate safeguard, while we, as an exchange, manage numerous other tasks.
This is so they maintain security even if we compromise something when it comes to signing. Regretfully, they too signed this fraudulent transaction. And at that point, the attacker had complete access to everything, even the token defense. We have subjected our gadgets to forensic testing. If there is a hack, it will only affect those three computers that are utilized for signing.
Users in India are now unable to take their cryptocurrency outright and store it in cold wallets. To withdraw money, they must sell it and then convert the proceeds into Indian rupees. Could you elaborate?
Not always; it depends. There are two kinds of clients. You can trade and withdraw cryptocurrency if you don’t deposit Indian rupees. However, we have the strictest compliance requirements for those who deposit INR.
For that category as well, we don’t approve everything right away; rather, we only do so after going through multiple compliance checks and only for a select group of individuals that we are certain we can trust. It’s a labor-intensive process. However, most of the time, we don’t. We are unable to do so due to compliance issues, in which individuals deposit money, take it out in cryptocurrency, and then have our bank accounts frozen as a result of the improper deposit. And after a month or three, we discover this. Withdrawals in cryptocurrency won’t be permitted until regulations are clear.
Are you discussing this issue with regulators and the government? Have they contacted WazirX? Are they assisting in resolving the crisis?
Yes, we keep in contact with all of them. We are in discussions with other government agencies to see if we may enlist their assistance in apprehending the offenders, tracking down the funds, and exploring alternative avenues for recovery in this case.
It’s early in the process. For instance, our staff has been incessantly calling the Financial Intelligence Unit—India (FIU) to inquire and provide updates. Our police complaint has been filed; it must now proceed through its process. Thus, it has not yet fully taken off.
The conversation about what happened and how it happened is currently underway.
Records have been forwarded to the Indian Computer Emergency Response Team, or CERT-In. They received calls. They have been cognizant of the circumstances. Thus, at this point, it’s advanced, and they are aware of what has transpired.
How are the Ministry of Electronics and Information Technology (MeitY) and the Financial Intelligence Unit (FIU) responding at this time?
An exchange consists of two parts. One is that you can lose money if you misuse it or use it for unrelated purposes. Additionally, there have been instances where the money was chosen to be used, such as in the case of FTX, an inside heist.
In contrast, we are the victims of a cyberattack carried out by a whole group (North Korea’s Lazarus Group), which has a history of doing this on several exchanges and other organizations, including banks, rather than a lone hacker operating out of a room. It is supported by the state. I believe that many people are now aware that this is a cyberattack.
We have never used client assets on WazirX for staking, rewards, or passive income generation from long-term holdings. We only have custody. For signers alone, we stored it in a cold wallet. It’s not as though we have access to the money, but these hackers managed to attack and remove it from the cold wallet as well.
Everyone attempting to communicate with us is aware of that.
When do you anticipate the results of the forensic tests will be available?
We can only comment on our devices. There are three devices involved, and the process will be extensive. They are starting with device 1, which is the most likely source, and we expect a detailed analysis by the end of this week or early next week. Following that, they will begin examining devices 2 and 3.
We understand that WazirX has contacted Binance for assistance with your WRX tokens, given Binance’s control over them.
As the previous case with Binance is still unresolved, we have no comments on it at this time.
Are you seeking support from other global exchanges to help resolve this situation? Binance has historically assisted other exchanges in similar circumstances. Have you been engaging with international peers and the broader community for support?
I am personally extending my reach to every one of you. We are also having conversations. However, the sum is so great that no one can make that choice in a single day.
It will require some time. In addition to the pressure we are under to find a solution, several of our clients are requesting that the platform be made public.
You must now provide value if you hope to be able to find it. Here, partial solutions are not an option. To locate a possible buyer or potential investor, you would need to create an environment in which they can determine that there is value in the system and that they will make a purchase.
We implemented this plan—locking 45% of customers’ crypto assets in USDT while allowing them to trade with the remaining 55%—as a temporary measure. This approach enables immediate withdrawals for customers while we secure 45% of the assets. Once a potential buyer or solution is identified, we can address the remaining issues. This was our proposed solution.
We aimed to gauge public opinion on this approach and determine whether it was acceptable to the community.
Is there a chance that Binance will assist? Furthermore, could you share any other interactions, international colleagues, or local people you may have contacted?
I am unable to mention identities at this time due to the early hour. It will, in my opinion, be unfair to the individuals we are speaking with. We have stated that we are talking to everyone about it. All that’s on our minds is how we can fix this for our clients.
Is your 55/45 recovery plan drawing criticism from clients? How do you think this will work out and aid in the prompt recovery of funds? And why did you decide to keep 45 percent of your money in USDT?
We are a big platform. Furthermore, there isn’t a way to resolve this issue so that everyone is satisfied. That’s just the way things are. Our goal was to identify a just strategy. Something akin to a fair strategy that you can use consistently.
Being unjust to a certain group of people is one thing you cannot do, and we are unable to offer various deals to different people. This applies to everyone throughout. This appears to be the simple solution, then.
We have historical evidence of this. Similar to Bitfinex’s circumstances. They socialized the loss as well. They took off thirty-six percent of each account. Each and every account that participated in the swap.
Subsequently, the USDT denominator value was locked in. USDT is not locked in. All we’re stating is that the value is in USDT. And the reason for this is that if we take a deduction, say, from your account and there are assets involved, we will have to transfer those assets to someone whose income is impacted by more than 45%.
They will receive 70 or 80. We need to rebalance someone else’s portfolio out of your account. We will have a very difficult time recovering if we don’t lock it in at that price because things will change if the cryptocurrency market continues to rise.