
WazirX’s Darkest Hour: A Detailed Look at the $230M Hack and Its Aftermath

by ccadm


Indian cryptocurrency users are having a tough time as centralized crypto exchange (CEX) WazirX struggles to find a recovery plan for its customers.

WazirX is one of the leading crypto exchanges in India, with a user base of more than 16 million. On July 18th, it was hacked for $230 million.

Nischal Shetty Tweet on WazirX Hack

The security breach affected one of WazirX’s multisig wallets. A multisig wallet needs several people to sign a transaction before it can be executed. In WazirX’s case, the wallet had five signers to secure user assets. 

The attacker drained $100 million in Shiba Inu (SHIB), $52 million in Ether, $11 million in MATIC, and $6 million in PEPE. According to the June 2024 report, these funds represented more than 45% of the exchange’s total reserves of $500 million. 

Elliptic Graph on WazirX Hack

According to blockchain tracker Lookonchain, the exploiter converted most of the stolen funds to Ethereum (ETH). Hackers generally use mixing services like Tornado Cash to convert tokens because they can obscure transactional activity. 

The exploiter now holds more than 59,097 ETH, worth about $200 million, in various tokens. They have been selling the stolen tokens using the popular DEX Uniswap.

As a result of the attack, tokens listed on the exchange traded at steep discounts to both local and global prices due to a lack of liquidity. The exchange then halted all trading and crypto and fiat withdrawals on the platform. It’s been almost two weeks since WazirX was hacked, and the activities remain paused.

WazirX Contacting Crypto Projects

With everything frozen on the exchange, BTC/USDT is trading at 64,052 on WazirX compared to 66,687 on CoinDCX. Meanwhile, USDT/INR is trading at 88.64 on CoinDCX while it’s 68.40 on WazirX. The exchange’s native token, WRX, has dropped by 36.24% since the exchange was attacked.

As for what occurred, the exchange blamed a “mismatch” between the information displayed on Liminal Custody’s digital interface and the actual contents of the transaction signed. The exchange said in a post:

“We suspect the payload was replaced to transfer wallet control to an attacker.”  

Liminal and WazirX Blaming Each Other

Meanwhile, Liminal Custody blamed WazirX for the attack, saying its infrastructure wasn’t breached.

“Unfortunately three of the victims machines have been found injecting malicious payloads into the transaction indicating a sophisticated, well planned and targeted attack on one specific Gnosis Smart Contract Multi-Sig wallet.”

– Liminal on X
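Both statements describe signers approving a payload that differed from what they were shown. The following added example (not code from WazirX, Liminal or the original article) sketches an independent pre-signing check that decodes the raw calldata and compares it with the displayed transfer. It assumes the intended action is a plain ERC-20 `transfer(address,uint256)` call; all names and sample values are hypothetical, and it does not reproduce the incident's payload.

```python
# Added illustration: refuse to sign unless the raw calldata matches the displayed transfer.
# All names and sample values are hypothetical and constructed for this example.
from dataclasses import dataclass

ERC20_TRANSFER_SELECTOR = "a9059cbb"  # selector of transfer(address,uint256)

@dataclass(frozen=True)
class DisplayedIntent:
    token: str      # token contract address shown to the signer
    recipient: str  # recipient address shown to the signer
    amount: int     # amount shown, in the token's smallest unit

def decode_erc20_transfer(data_hex):
    """Return (recipient, amount) if the calldata is exactly one ERC-20 transfer, else None."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or set(data) - set("0123456789abcdef"):
        return None  # wrong length or not hex
    if data[:8] != ERC20_TRANSFER_SELECTOR or data[8:32] != "0" * 24:
        return None  # a different function, or the address word is not left-padded
    return "0x" + data[32:72], int(data[72:136], 16)

def check_before_signing(intent, tx_to, tx_data):
    """Return a list of mismatches; an empty list means the payload matches the display."""
    problems = []
    if tx_to.lower() != intent.token.lower():
        problems.append("target is not the displayed token contract")
    decoded = decode_erc20_transfer(tx_data)
    if decoded is None:
        return problems + ["calldata is not a plain ERC-20 transfer"]
    recipient, amount = decoded
    if recipient != intent.recipient.lower():
        problems.append("recipient differs from display")
    if amount != intent.amount:
        problems.append("amount differs from display")
    return problems

# Constructed sample data (not taken from the incident).
TOKEN, ALICE, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
INTENT = DisplayedIntent(token=TOKEN, recipient=ALICE, amount=1000)

def transfer_calldata(recipient, amount):
    return "0x" + ERC20_TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")

if __name__ == "__main__":
    print(check_before_signing(INTENT, TOKEN, transfer_calldata(ALICE, 1000)))  # matches display
    print(check_before_signing(INTENT, OTHER, "0xdeadbeef" + "00" * 64))        # rejected
```

Such a check only helps when it runs on a device and code path separate from the interface that rendered the transaction.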

However, not everyone is satisfied with the explanations and the blame game. According to Pankaj Tanwar, a popular crypto YouTuber on X:

“This mistake will damage #Crypto in India beyond imagination.”

WazirX Blasted for its “Socialized Loss Strategy”

Given the proportion of stolen funds to total reserves, there’s little expectation of getting any of them back, which, combined with the fact that the exploiter has been linked to North Korea, has severely squashed any hopes for recovery. 

While the exchange has released a $23 million bounty for a resolution that received over 130 entries, it has begun to explore the distribution of intact funds. 

For that, WazirX is looking into returning 55% of the crypto holdings while locking the remaining in USDT-equivalent tokens, notwithstanding whether the users’ tokens were stolen or not. This means that even those users who did not suffer losses in the hack would have access to only 55% of their assets while the rest will be converted to stablecoins and locked.

The exchange is now facing further scrutiny and heat from not just its customers but also the broad industry due to this “Withdrawal Management Programme: Opinion Poll.”

Withdrawal Management Programme Opinion Poll

The poll was conducted on July 27th, during which the exchange introduced a “socialized loss strategy to distribute the impact equitably among all users.” This strategy allows users instantaneous access to the majority of their assets while “maintaining the possibility of further recovery for those who choose to wait.”

Under this poll, customers were asked to vote on two different options. In one option, users get access to the majority of their funds for trading and can also withdraw them, but they get second priority on any funds that are recovered. In contrast, the other option does not allow withdrawals, but users get first priority for recovery proceeds.

This suggestion resulted in WazirX receiving criticism from its users, with one saying, “socialized loss, privatized profits.” Another one questioned why users with non-stolen tokens should be penalized.

WazirX Solution is Not Acceptable?

Rival crypto exchanges also expressed their opinions on WazirX’s latest move, with CoinDCX co-founder Sumit Gupta saying that this “isn’t [a] community-first” decision. The way WazirX is handling the situation “won’t go down well for them,” said Gupta, adding that it is also “hurting the other ecosystem participants.”

Arjun Vijay, co-founder of Giottus, said WazirX’s poll “is not in the best interests of the ecosystem” because it is “designed to force customers” to choose the option to gain priority to recovery proceeds.

Unocoin co-founder Dr. Sathvik Vishwanath also shared his disappointment in the way the issue is being handled, saying that it is “only worsening the situation” when the event has already put the crypto industry “in trouble.”

WazirX defended itself, saying the poll wasn’t “legally binding” but rather just a step taken by the exchange to understand what customers want. The exchange will continue to collect ideas and feedback from users.

WazirX CEO on the Poll

Talking about the reason for its plan to share the losses, WazirX VP Rajagopal Menon shared that they studied other major exchanges that had to deal with similar situations. The two major hacks that were looked into were Mt. Gox and Bitfinex. 

Mt. Gox, which once accounted for the majority of Bitcoin transactions, was hacked in 2014 and lost 850,000 BTC. In the aftermath, Mt. Gox went bankrupt, and it was only a decade later, in July 2024, that users began receiving a small portion of their original holdings.

Then there was Bitfinex, which lost 119,756 BTC in a 2016 hack. The exchange handled the situation by spreading the loss across all users, reducing balances by 36%, and giving its customers BFX tokens that represented their losses. 

More Options & Even ED’s Funds Stuck at WazirX

Besides the “socialized loss strategy,” the exchange has been exploring other options, including asking Binance for help. WazirX went to its former partner to help bail out its customers, as per a report by local media outlet Moneycontrol, which cited an unnamed source.

Industry sources also said that Binance controls a surplus of the exchange’s revenue as well as about $80 mln of its WRX token. The source has been reported as saying:

“Their legal dispute is still ongoing. There are components of WazirX’s business which are still under Binance’s control, including the revenue — the surplus of it. Even its WRX token is under their control. So they have reached out to Binance and the talks are on but at early stages.”

Back in Jan. 2023, WazirX disclosed in its proof-of-reserves report that 90% of its user assets are held in Binance wallets. A few months later, in a blog post, WazirX said that its native token is controlled by Binance as the latter conducted the WRX IEO during which 108,401 BNB tokens worth $2 mln were sold, whose proceeds “were collected and retained by Binance.”

All this came after WazirX co-founder Nischal Shetty had a public X spat with Binance CEO Changpeng Zhao about who controls WazirX. Interestingly, back in November 2019, the world’s largest exchange, Binance, said that it had purchased WazirX only for the stories to change when, in the summer of 2022, Indian officials raided WazirX’s Mumbai office on suspicions that it was involved in money laundering.

In response, India’s Enforcement Directorate (ED) froze WazirX’s funds, and the country’s Ministry of Finance announced an investigation into the exchange under the Foreign Exchange Management Act (FEMA).

Now, reports suggest that even ED had almost $1.1 million of seized crypto assets on WazirX. These funds that were seized in a corruption case against a gaming app called E-Nuggets were moved into the exchange just months before the hack.

Indian news outlet The Print reported that after the investigation into E-Nuggets, ED asked all local crypto exchanges, including WazirX and CoinDCX, to help locate the source accounts. This led to the discovery of the Virtual Payment Address (VPA) used to purchase crypto. As a result, ED froze all the funds in 70 crypto accounts maintained with ZebPay, WazirX, and Dubai-based Binance.

So, after taking hold of the crypto, officials opened a crypto account for the ED and transferred all the crypto to WazirX due to the exchange being local and having the highest user base and liquidity. But now WazirX has been hacked and has lost 45% of its funds. It would be interesting to see if the authorities would come forward and finally offer some guidance and help to the industry.

It’s not that hacks are uncommon in the crypto space. Last year, attackers stole $1.7 billion from crypto platforms, according to a Chainalysis crypto crime report. While the amount stolen in such attacks has more than halved since 2022, the number of such attacks grew from 219 in 2022 to 231 in 2023. 

As crypto prices lifted across the board this year, hackers have been back in action, with $1.48 billion stolen this year by June 24th, 2024, compared to $657 mln this time last year, as per TRM Labs. However, the top five exploits accounted for as much as 70% of the total stolen amount. The report stated:

“Private key and seed phrase compromises remain a top attack vector in 2024 alongside smart contract exploits and flash loan attacks.”

So, while crypto hacks are ongoing, the Indian government has failed to provide clear, established guidelines so that these exchanges do not operate with opacity.

India’s Unstable & Unregulated Crypto Industry 

After the major incident, several exchanges cooperated with WazirX to help it trace the stolen funds and recover customer assets. To analyze the cyber attack more deeply, the company also collaborated with forensic experts and law enforcement agencies to identify and capture the perpetrators.

The exchange has further reported the incident to the Indian Computer Emergency Response Team (CERT-In), which is an agency responsible for computer-related security incidents. In the next step, a First Information Report (FIR) was filed, which was prepared by the police to begin an official investigation. 

WazirX also sent the incident report to the Financial Integrity Unit (FIU)-India, which it is registered with and falls under the Finance Ministry. However, WazirX’s security breach does not fall under FIU’s scope as FIU monitors transactions under the country’s Prevention of Money Laundering Act (PMLA). According to Joanna Cheng, Associate General Counsel at Fireblocks:

“There is no crypto-specific regulation in India so far, and the industry would benefit from clear regulatory expectation on issues like security standards, risk management, and consumer protection. Regulatory intervention in this space would also mean that exchanges that service large numbers of retail customers are held accountable for their actions (or inaction).”

WazirX Hack in a Nutshell

The cryptocurrency industry in India remains unregulated. The only major step taken all this time was a Supreme Court ruling in 2020 overturning the Reserve Bank of India’s ban in 2018, allowing banks to facilitate crypto transactions from users and exchanges. 

Besides that, the regulatory development of crypto has been unmoving in the country. So far, no legislation has been passed to regulate the sector, and crypto remains primarily outside the authorities’ scope. 

The only regulatory oversight present is from the Indian government’s FIU, which is tasked to supervise the trading of virtual digital assets. According to an Economic Times report from May this year, 47 regulated entities in the country are involved in trading or handling of crypto assets in India. This was after the government prohibited offshore crypto platforms from operating in India due to failure to comply with anti-money laundering (AML) guidelines. 

While there is no regulatory protection for India’s crypto users, the government has levied taxes as high as 30% on profits from selling crypto, with no offsetting of losses allowed. In addition, a 1% tax is deducted at source for every transaction. 

People Unhappy With India's Crypto Tax?

These policies have negatively affected the industry, with crypto users complaining about the lack of government support stifling the industry while taking a huge chunk of their profits in taxes since 2022.

India’s crypto industry has been suffering from a lack of regulatory clarity for a long time, which has led to a rise of bad actors. While WazirX has been subject to a cyber attack, users have also been complaining about exchanges such as BitBNS for scamming people.

BitBNS Scamming People?

The FIU-India registered entity, which advertises itself as compliant with FATF global standards for VASPs, also suffered a $7.5 million hack in 2022. Since then, BitBNS has been acting dodgy, allowing users to deposit funds but not enabling withdrawals. Users speculate that its CEO, Gaurav Dahake, has already fled the country. Earlier this year, in an interview with The Economic Times, Dahake predicted BTC surpassing $100K. Victims are currently exploring a class-action lawsuit against the exchange.

But this is not all. Crypto exchanges in India, including CoinDCX, do not allow users to self-custody crypto, in complete contrast to the ethos of crypto. Indian crypto exchanges do not allow crypto transfers to outside exchanges or wallets if users make fiat deposits. This further exacerbates this problem because users can’t self-custody even if they want to, and that means they can’t protect themselves from events like the WazirX hack.

Things may finally change, though, with the world’s most populous country reportedly planning to publish a discussion paper outlining its policy stance on crypto before September. However, the government has tried to regulate crypto many times with no concrete steps taken so far, unlike the clear guidelines introduced by regulators around the world. Even the US has approved its first Bitcoin spot ETF, which has attracted millions of dollars in total inflows.

So, until the Indian government decides to give the crypto industry the attention and regulatory clarity it needs, local crypto users and the sector will continue to suffer.
