Indian cryptocurrency exchange WazirX suffered a catastrophic security breach on July 18, 2024, with at least $230 million in digital assets stolen from one of its multisignature wallets. Blockchain security firms quickly traced the attack to North Korean hacking syndicate Lazarus Group, marking one of the largest crypto heists of the year.
TL;DR
- WazirX lost over $230 million in a cyberattack targeting a multisig wallet
- Blockchain analysts Elliptic attributed the hack to North Korea’s Lazarus Group
- Stolen assets included ETH, stablecoins, and various tokens rapidly swapped through decentralized services
- WazirX halted all withdrawals and reported the breach to authorities
- The exchange held approximately $500 million in reserves as of June 2024
The Attack: How $230 Million Vanished
The breach was first detected on the evening of July 17 when blockchain security firms including Elliptic, Arkham, and BlockSec noticed millions of dollars in cryptocurrency flowing out of WazirX wallets at an unusual pace. By the time the company acknowledged the incident on July 18, the damage was already done.
WazirX confirmed that a cyberattack had compromised one of its multisignature wallets. In a public statement posted to social media, the company described the incident as a “force majeure event beyond our control” and emphasized that the team was “leaving no stone unturned to locate and recover the funds.”
Elliptic’s analysis put the total losses at approximately $235 million, slightly higher than WazirX’s own preliminary estimate of $230 million. The stolen assets spanned a range of cryptocurrencies, including Ether (ETH), U.S. dollar-pegged stablecoins, and various other tokens.
North Korea’s Lazarus Group Suspected
Multiple blockchain investigators quickly linked the attack to North Korean state-sponsored hackers. Elliptic attributed the incident to actors affiliated with North Korea based on blockchain data and additional intelligence. Prominent on-chain investigator ZachXBT noted that the attack carried “the potential markings of a Lazarus Group attack.”
The attackers demonstrated sophisticated operational tradecraft, immediately swapping stolen tokens for Ether using a variety of decentralized services in an apparent effort to obscure the trail of funds. This pattern is consistent with Lazarus Group’s well-documented laundering playbook, which typically involves converting stolen assets through decentralized exchanges and privacy tools before moving them to custodial wallets.
Scale of North Korean Crypto Theft
The WazirX hack fits into a broader pattern of North Korean cyber operations targeting cryptocurrency platforms. According to United Nations investigators, North Korean hackers have allegedly conducted 58 cyberattacks on cryptocurrency firms, netting approximately $3 billion in stolen digital assets over a six-year period.
The timing of the WazirX breach was particularly notable, coming just weeks after Japanese exchange DMM Bitcoin lost more than $300 million in Bitcoin, and days after another platform reported roughly $8 million stolen. The cryptocurrency sector continues to face persistent threats from both cybercriminals and nation-state actors exploiting vulnerabilities in platform security.
WazirX Response and Customer Impact
Following the breach, WazirX immediately shut down all withdrawals to protect remaining assets. The company stated it had already blocked some deposits and reached out to the wallet addresses concerned in an effort to recover funds. WazirX had reported approximately $500 million in reserves as of June 2024, meaning the hack effectively wiped out nearly half of the platform’s total holdings.
Founded in 2017, WazirX is one of India’s largest cryptocurrency exchanges. The platform was reportedly acquired by Binance in 2019, though the two parties later clarified in 2022 that Binance had only intended to purchase “certain assets and intellectual property of WazirX,” leaving the ownership structure ambiguous.
Why This Matters
The WazirX hack underscores the persistent security vulnerabilities in centralized cryptocurrency exchanges, even those employing multisignature wallet infrastructure. As North Korean hacking groups continue to refine their attack methodologies, the incident serves as a stark reminder that platform security remains one of the crypto industry’s most critical challenges. For users, the event highlights the fundamental trade-off between the convenience of exchange-held assets and the security of self-custody solutions.
230 million from a multisig wallet and lazarus group again. north korea is running the most profitable cyber operation on earth
rekt_ledger_ they stole 235 million from one exchange while north korea's entire gdp is supposedly 28 billion. it's like 1% of their economy from one hack
wazirx calling it a force majeure event is wild. you ran a half billion dollar exchange with inadequate multisig security
force majeure is what you say when your legal team has nothing else. take responsibility for your opsec failure
multisig setup with no timelock or social recovery on 500M in reserves is negligent in 2024. this was preventable not force majeure
haris exactly. a 3-of-5 multisig where 2 keys were apparently compromised. safe{wallet} swapped out for a fake signature. lazarus doesn't brute force they social engineer
force majeure is crypto exchange code for we messed up but please don't sue us. every hack since mt gox has used some version of this defense
230 million drained from a multisig wallet. people think multisig means safe but if the signing keys are compromised it's just a more expensive way to lose everything
lazarus swapped everything through tornado cash and dexes within hours. the onchain forensics teams were basically watching it happen in real time
watching lazarus move funds through tornado in real time knowing nothing could be done about it was surreal. the chain is transparent but speed still wins
lazarus moved 230M through tornado cash within hours and we just watched it happen on Etherscan. transparency is great when you cannot actually stop the transaction
tornado_watch_ watching the wallets drain in real time knowing the multisig was already compromised was surreal. elliptic did good work tracing but the money was gone
500 million in reserves and 230 million stolen. nearly half the exchange gone in one night. people slept fine and woke up insolvent
WazirX held roughly 500M and lost 230M. almost half the reserves from one multisig. and they called it force majeure instead of admitting their setup was inadequate