WazirX Hack And $235 Million Loss Attributed To North Korea
Incident Report, August 20, 2024

On July 18, 2024, WazirX — India's largest cryptocurrency exchange — lost approximately $230 million from one of its main trading wallets in a breach that compromised roughly half of the platform's total assets under custody. The attack did not exploit a smart contract vulnerability or a protocol-level flaw. It succeeded by deceiving the parties responsible for authorizing transactions into approving a contract upgrade that transferred control of the wallet to the attacker.

How the Wallet Was Structured

WazirX managed the compromised wallet using Liminal's digital asset custody infrastructure under a multi-signature configuration requiring four of six approvals for any transaction to execute — three signatures from WazirX and one from Liminal. WazirX's keys were held on hardware devices not connected to the internet. This configuration was designed to require meaningful coordination across multiple independent parties before any funds could move, making a unilateral compromise of a single key insufficient to authorize a withdrawal.

The attacker did not break that model technically. They circumvented it socially.

How the Attack Was Executed

The attacker gained authorization for a smart contract upgrade that, once executed, transferred control of the wallet to an address they controlled. This required deceiving multiple current signatories — from both WazirX and Liminal — into approving a transaction whose true effect was not what the signing parties believed it to be. The exact mechanism by which signatories were convinced to approve the malicious upgrade was not conclusively established. A forensic investigation by Mandiant, conducted on the three laptops used by WazirX team members for transaction signing, found no evidence of device compromise. How the attacker obtained approval from three WazirX signatories and one Liminal signatory for a transaction designed to hand over wallet control remained unresolved in public disclosures.

Eight days before the attack, on July 10, the attacker's wallet was funded through Tornado Cash — consistent with preparation for a planned operation rather than opportunistic exploitation.

After securing control of the wallet on July 18, the attacker systematically drained its contents, converting the stolen tokens into ETH across multiple intermediary wallets. Attempts to route funds through ChangeNOW and Binance appear to have been blocked by those platforms. Some blockchain analysts attributed the attack to North Korea's Lazarus Group based on operational patterns, though no definitive technical evidence establishing attribution was publicly confirmed.

WazirX froze all trading and withdrawals on the platform following the breach. The freeze remained ongoing at the time of reporting.

What This Attack Illustrates

The WazirX breach is a case where a technically sound custody configuration — multi-party signing, hardware key storage, threshold authorization — was defeated not by breaking the cryptography but by compromising the human decision-making that sits above it. Four signatures were required. Four signatures were obtained. The system worked exactly as designed. The failure was that the signatories did not fully understand what they were signing.

This is the fundamental vulnerability of any multi-signature setup that relies on human reviewers to evaluate transaction intent. When the transaction being approved is a contract upgrade rather than a direct transfer, the gap between what is displayed in a signing interface and what the transaction actually executes is wide enough for an attacker to hide the real effect entirely. The security guarantee of a multisig is only as strong as the ability of each signer to correctly interpret what they are authorizing.
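
One way to narrow that gap is to decode the raw payload independently of the signing interface and refuse anything that does not match what the screen shows. The sketch below is an added example, not code from WazirX, Liminal or this report; the request fields (`to`, `data`, `operation`), the class and function names, and every address and payload are assumptions constructed for illustration.

```python
# Added example: independent pre-signing check. All addresses and payloads
# below are constructed sample values, not data from the incident.
from dataclasses import dataclass

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

@dataclass
class Displayed:          # what the signing interface claims (hypothetical shape)
    token: str
    recipient: str
    amount: int

@dataclass
class Payload:            # what the signer's device is actually asked to sign
    to: str               # contract the multisig will call
    data: bytes           # raw calldata
    operation: int = 0    # assumed convention: 0 = call, 1 = delegatecall

def verify_intent(shown: Displayed, raw: Payload) -> list[str]:
    """Return the reasons the payload does not match the displayed intent."""
    problems = []
    if raw.operation != 0:
        problems.append("delegatecall: runs foreign code in the wallet's own storage")
    if raw.to.lower() != shown.token.lower():
        problems.append(f"call target {raw.to} is not the displayed token")
    if raw.data[:4] != ERC20_TRANSFER or len(raw.data) != 4 + 64:
        problems.append("calldata is not a plain transfer(address,uint256)")
        return problems   # nothing further can be decoded safely
    if any(raw.data[4:16]):
        problems.append("address argument has non-zero padding")
    recipient = "0x" + raw.data[16:36].hex()
    amount = int.from_bytes(raw.data[36:68], "big")
    if recipient != shown.recipient.lower():
        problems.append(f"recipient {recipient} differs from displayed")
    if amount != shown.amount:
        problems.append(f"amount {amount} differs from displayed")
    return problems

def encode_transfer(recipient: str, amount: int) -> bytes:
    """Build transfer() calldata for the constructed samples."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

TOKEN, HOT, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SHOWN = Displayed(token=TOKEN, recipient=HOT, amount=1_000)
HONEST = Payload(to=TOKEN, data=encode_transfer(HOT, 1_000))
# Same screen text, but the bytes invoke an unknown function on another contract.
MISMATCH = Payload(to=OTHER, data=bytes.fromhex("deadbeef") + bytes(64), operation=1)

if __name__ == "__main__":
    for name, p in (("honest", HONEST), ("mismatch", MISMATCH)):
        print(name, verify_intent(SHOWN, p) or "matches displayed intent")
```

The check is only useful if it runs on a path the signing interface does not control, so that a manipulated display and the verifier cannot be misled by the same component.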

Elygius Fund
