On July 18, the Indian cryptocurrency trading platform WazirX was hacked and its multi-signature wallet on the Ethereum network was drained. A total of $234.9 million was transferred to a new address, and the caller of each transaction had been funded through Tornado Cash.
Subsequently, WazirX officials responded to the theft on X, saying: "We have noticed that one of our multi-signature wallets has suffered a security breach. Our team is actively investigating the incident. In order to ensure the safety of user assets, INR and cryptocurrency withdrawals will be temporarily suspended, and further updates will be provided in the future."
In addition, Arkham issued a reward of 1,000 ARKM for the $235 million theft from WazirX. Contributions including identifying KYC'd CEX deposits, uncovering the attacker's identity, and successfully recovering funds will be rewarded, and any information submitted by participants will be shared with the WazirX team.
Later, according to Lookonchain monitoring, about 230 million US dollars of assets were stolen from the Indian crypto trading platform WazirX, mainly involving:
5.43 trillion SHIB (about 102 million US dollars);
15,298 ETH (about 52.5 million US dollars);
20.5 million MATIC (about 11.24 million US dollars);
640.27 billion PEPE (about 7.6 million US dollars);
5.79 million USDT;
135 million GALA (about 3.5 million US dollars), etc.
Image source: Lookonchain
According to the on-chain analyst Yu Jin, these stolen assets are being sold for ETH through the 0x35f...5ca (WazirX Exploiter 2) and 0x90c...1fd (WazirX Exploiter 3) addresses, and the ETH obtained is then transferred to address 0x361...092 (WazirX Exploiter 4).
Address where stolen assets were stored (WazirX Exploiter 1):
https://debank.com/profile/0x04b21735e93fa3f8df70e2da89e6922616891a88/history
Address where assets were sold on the chain (WazirX Exploiter 2/3):
https://debank.com/profile/0x35febc10112302e0d69f35f42cce85816f8745ca
https://debank.com/profile/0x90ca792206ed7ee9bc9da0d0df981fc5619f91fd
Address where the ETH obtained from the sales is stored (WazirX Exploiter 4):
https://debank.com/profile/0x361384e2761150170d349924a28d965f0dd3f092
Transfer path of the stolen assets. Source: Embers
2024-07-18 16:19
Possibly affected by the news that "WazirX stolen assets involve more than $100 million worth of SHIB", SHIB fell by more than 5% in a short period, briefly trading at $0.00001758.
2024-07-18 16:41
WazirX attackers have started selling SHIB, and have sold $618,000 worth of SHIB, leaving $95.45 million worth of SHIB.
2024-07-18 18:53
WazirX hackers have sold $62.3 million worth of altcoins in exchange for 18,111 ETH.
Currently, the hacker still has $106.9 million worth of stolen altcoins waiting to be sold (mainly $80.33 million worth of SHIB). The ETH held has reached 33,409 ($115 million): including 15,298 ETH stolen from WazirX + 18,111 ETH sold from altcoins.
2024-07-18 20:36
Two minutes ago, the WazirX hacker address transferred all of the remaining 3.6 trillion SHIB to the selling address 0x35fe...745CA, worth up to $63.32 million.
2024-07-18 22:21
WazirX hackers have completely sold off $100 million worth of SHIB, leaving $18 million in altcoins unsold.
The hacker currently holds 58,410 ETH ($202 million): 15,298 ETH stolen directly from WazirX and 43,112 ETH from the sale of altcoins.
2024-07-19 10:27
The total ETH holdings of the WazirX attacker have risen to 59,097, worth approximately $201 million. These include 15,298 ETH (about $52 million) that were stolen directly and 43,799 ETH (about $149 million) obtained by selling various assets. The attacker has not yet moved the ETH further, and holds only about $12 million worth of altcoins (CHR, CELR, OOKI, and FRONT).
2024-07-22 16:45
The WazirX attacker transferred 15,290 ETH (about $53.2 million) to a new EOA address, and the hacker's initial address still held digital assets worth $9.8 million.
On July 18, according to Beosin Alert, early-warning monitoring found that the Indian trading platform WazirX had been attacked. The attacker obtained signature data from the administrators of the trading platform's multi-signature wallet, changed the wallet's logic contract, and made the wallet execute malicious logic to steal assets.
Attacker address: 0x6eedf92fb92dd68a270c3205e96dccc527728066;
Attacked address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4.
Based on the attacker's behavior, it is speculated that the cause was a leak of the private key of a multi-signature wallet administrator. Beosin briefly analyzes the cause of the attack as follows:
1. The attacker deployed the attack contract 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. The function of this contract is to withdraw the token assets it specifies.
2. The attacker obtained the signature data of the WazirX multi-signature wallet administrators and changed the wallet's logic contract to the deployed attack contract. The corresponding transaction is: https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d3.
3. The attacker submitted a token withdrawal transaction to the WazirX multi-signature wallet. Because of the proxy pattern, the wallet contract used delegatecall to invoke the relevant functions of the attack contract and transferred out the wallet's tokens.
Blockchain analysis provider Elliptic said that hacker groups associated with North Korea may be behind the "WazirX $235 million hacking incident." On-chain detective ZachXBT also said that, based on on-chain analysis of the hacker's behavior, the WazirX incident has the attack characteristics of the North Korean hacker group Lazarus Group. As early as July 10, the address had conducted a test transaction of SHIB from the 0x09b multi-signature wallet, and had received six gas-fee transfers of 0.1 ETH each from Tornado Cash.
ZachXBT said: "Hopefully the WazirX team will make their findings public. I solved the Arkham bounty and found a KYC exchange deposit made by the WazirX hacker, which unfortunately may not be very helpful because a KYC verified account can be easily purchased online for any transaction."
On July 19, WazirX announced the preliminary results of its investigation. WazirX said that one of the platform's multi-signature wallets had suffered a cyberattack and lost more than $230 million. The report stated that since February 2023 the wallet had been operated using Liminal's digital asset custody and wallet infrastructure services. The cyberattack stems from a discrepancy between the data displayed on the Liminal interface and the actual content of the transaction: during the attack, the information shown on the Liminal interface did not match what was actually signed. WazirX therefore suspects that the payload was replaced in order to transfer control of the wallet to the attacker.
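The two failure modes described above (a signed payload that swaps the wallet's logic contract via delegatecall, and a custody UI whose summary does not match the bytes being signed) can be caught by an independent pre-signing check. The following is an added example written for this article, not code from WazirX, Liminal or Beosin: it decodes the raw calldata itself and compares it with what the interface claims, using Safe-style operation codes (0 = CALL, 1 = DELEGATECALL) as an assumption about the wallet type, and constructed placeholder addresses.

```python
from dataclasses import dataclass

# 4-byte function selectors (first 4 bytes of keccak256 of the signature); well-known values
SELECTORS = {"a9059cbb": "transfer(address,uint256)", "3659cfe6": "upgradeTo(address)",
             "4f1ef286": "upgradeToAndCall(address,bytes)"}
CALL, DELEGATECALL = 0, 1  # Safe-style operation codes (assumed wallet convention)

@dataclass
class Payload:
    to: str         # contract the wallet will call
    value: int      # wei attached to the call
    data: str       # calldata as hex, without the 0x prefix
    operation: int  # CALL or DELEGATECALL

def decode_calldata(data: str):
    """Return (function signature, decoded static args); unknown selectors give ('unknown', [])."""
    sig = SELECTORS.get(data[:8].lower(), "unknown")
    words = [data[8 + i:8 + i + 64] for i in range(0, len(data) - 8, 64)]
    args = []
    if sig.startswith("transfer(") and len(words) >= 2:
        args = ["0x" + words[0][24:], int(words[1], 16)]  # address is right-aligned in its 32-byte word
    elif sig.startswith("upgradeTo") and words:
        args = ["0x" + words[0][24:]]
    return sig, args

def review(displayed: dict, raw: Payload) -> list:
    """Reasons to refuse signing; an empty list means the UI summary matches the raw payload."""
    findings = []
    sig, args = decode_calldata(raw.data)
    if raw.operation == DELEGATECALL:
        findings.append("payload uses DELEGATECALL: the target's code runs on the wallet's own storage")
    if sig.startswith("upgradeTo"):
        findings.append(f"payload replaces the implementation contract with {args[0] if args else '?'}")
    for field in ("to", "value", "operation"):
        shown, actual = str(displayed.get(field)).lower(), str(getattr(raw, field)).lower()
        if shown != actual:
            findings.append(f"{field}: UI shows {shown}, payload has {actual}")
    if displayed.get("function") != sig:
        findings.append(f"function: UI shows {displayed.get('function')}, payload calls {sig}")
    return findings

# Constructed sample (placeholder addresses): the UI presents a plain token transfer, while the
# bytes to be signed delegatecall into another contract and point the wallet at a new implementation.
TOKEN, ATTACK_CONTRACT, NEW_IMPL = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
DISPLAYED = {"to": TOKEN, "value": 0, "operation": CALL, "function": "transfer(address,uint256)"}
RAW = Payload(ATTACK_CONTRACT, 0, "3659cfe6" + "0" * 24 + NEW_IMPL[2:], DELEGATECALL)

def example():
    """Run the check on the constructed sample; returns five findings, so signing must be refused."""
    return review(DISPLAYED, RAW)
```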
WazirX: Multiple platforms have been contacted to block the identified attacker's address
On July 19, WazirX posted on the X platform that it had requested assistance from the police regarding the cyberattack and was taking other legal actions. WazirX has reported the incident to the Financial Intelligence Unit (FIU) and CERT-In, and is contacting more than 500 trading platforms to block the identified addresses. WazirX will track the stolen funds, work to recover customer assets, and conduct a deeper analysis of the cyberattack in the near future to identify and apprehend the perpetrators. It was previously reported that on July 18 the Indian cryptocurrency trading platform WazirX was hacked and its multi-signature wallet on the Ethereum network was drained, with a total of $234.9 million in assets transferred by the hackers.
WazirX increases white hat bounty to 10%
On July 21, WazirX stated on the X platform that, based on feedback from the on-chain detective ZachXBT, the white hat recovery bounty will be increased to 10%, or up to $23 million. It also invited white hat hackers, blockchain forensics experts and cybersecurity professionals from around the world to join the effort.
BlockBeats will keep a close eye on the dynamics on the chain and provide readers with timely information on the sale of stolen assets and subsequent feedback from the trading platform.