Inside the WazirX $230 Million Heist: How Multi-Sig Wallet Security Failed India’s Largest Crypto Exchange

On July 18, 2024, the cryptocurrency world watched in disbelief as WazirX, India’s largest domestic cryptocurrency exchange, fell victim to one of the most sophisticated attacks of the year. The breach resulted in the theft of over $230 million in digital assets, sending shockwaves through the South Asian crypto market and raising urgent questions about the adequacy of multi-signature wallet security.

The Exploit Mechanics

The attack unfolded at precisely 06:19 AM UTC on July 18, 2024, when an unknown threat actor drained a WazirX Ethereum hot wallet of all its tokens. The compromised wallet address, 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4, had been managed using Liminal’s digital asset custody and wallet infrastructure.

The wallet was protected by a multi-signature scheme with six signatories, of which four approvals were required: three from WazirX signatories and one from its custodian, Liminal. WazirX’s private keys were stored on hardware devices that were never connected to the internet, which should have added a strong layer of protection against key theft. However, the attackers bypassed these controls not by stealing keys, but by manipulating the authorization process itself.

According to WazirX’s public statements and subsequent blockchain analysis, the attackers deceived both WazirX and Liminal signatories into approving a modified smart contract that transferred wallet control to the threat actor. This was not a brute-force attack or a code vulnerability — it was a sophisticated social engineering campaign that exploited the human element in the multi-sig approval workflow.

Once the attackers gained control, they rapidly swapped stolen assets for Ether and began laundering funds through Tornado Cash, the Ethereum-based privacy mixer. Blockchain analytics firm Crystal Intelligence responded within 29 minutes, blocklisting the destination address at 06:48 AM UTC, but by then the damage was already done.

Affected Systems

The stolen assets spanned a wide range of cryptocurrencies, with Shiba Inu (SHIB) tokens constituting a significant portion of the losses. SHIB dropped 11 percent in the immediate aftermath of the attack as markets reacted to the news. Other affected tokens included Ethereum, Polygon’s MATIC, and various ERC-20 tokens held in the hot wallet.

WazirX immediately froze all trading and withdrawals on the platform as the scope of the breach became clear. The exchange’s remaining wallets on Liminal infrastructure were confirmed secure, but the incident effectively paralyzed one of India’s most important crypto trading platforms.

The attack was attributed with high confidence to North Korean state-sponsored actors, specifically groups affiliated with the Lazarus hacking collective. North Korea’s cyber warfare units have increasingly targeted cryptocurrency exchanges as a means of generating revenue to circumvent international sanctions, and the WazirX heist followed a well-established pattern of targeting centralized exchanges with sophisticated social engineering campaigns.

At the time of the attack, Bitcoin was trading at approximately $66,710 and Ethereum at $3,505, meaning the $230 million loss represented a substantial portion of WazirX’s total assets under custody.

The Mitigation Strategy

WazirX’s immediate response included a complete platform freeze, coordination with law enforcement agencies, and engagement with blockchain analytics firms to trace the stolen funds. The exchange also began working with Liminal to conduct a forensic investigation into how the multi-sig approval process was compromised.

However, the mitigation efforts faced significant challenges. The attackers demonstrated sophisticated laundering techniques, quickly converting stolen tokens to ETH and routing them through privacy infrastructure. By September 2024, blockchain investigators reported that the WazirX hacker had nearly finished laundering the $230 million through Tornado Cash, making fund recovery increasingly unlikely.

WazirX eventually disclosed that approximately 43 percent of customer funds affected by the breach were unlikely to be recovered, a devastating admission for the platform’s estimated 16 million registered users.

Lessons Learned

The WazirX hack exposed a critical vulnerability in the multi-signature security model that many exchanges rely upon. While multi-sig wallets protect against key theft, they remain susceptible to social engineering attacks that trick authorized signatories into approving malicious transactions.

The incident highlighted the need for additional verification layers beyond signature collection, including independent transaction simulation, real-time anomaly detection, and mandatory cooling-off periods for high-value transfers. Exchanges must also implement stricter separation between transaction initiation and approval workflows.
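
One way to implement the independent verification described above, as an added example (not code from WazirX, Liminal, or the original article): a signer-side check decodes the raw payload itself and refuses anything that is not the ERC-20 transfer the signing interface displayed. The request fields (`to`, `value`, `data`, `operation`), the allowlists, and all addresses are assumptions constructed for illustration.

```python
# Added example: independent pre-signing check. Names, fields and addresses are constructed.
ERC20_TRANSFER = "a9059cbb"   # 4-byte selector of transfer(address,uint256)
CALL, DELEGATECALL = 0, 1     # assumed encoding of the request's call type

def encode_transfer(recipient, amount):
    """Build ERC-20 transfer() calldata (used only to construct samples)."""
    return "0x" + ERC20_TRANSFER + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_transfer(data_hex):
    """Return (recipient, amount) if the payload is exactly a transfer(), else None."""
    d = data_hex.lower()
    d = d[2:] if d.startswith("0x") else d
    if len(d) != 8 + 64 + 64 or d[:8] != ERC20_TRANSFER:
        return None
    if d[8:32] != "0" * 24:               # address word must be zero-padded
        return None
    try:
        return "0x" + d[32:72], int(d[72:136], 16)
    except ValueError:                    # non-hex characters in the amount word
        return None

def review_request(raw_tx, displayed, tokens, recipients):
    """Compare the raw payload with what the signer was shown.
    Returns reasons to refuse; an empty list means the request matches."""
    reasons = []
    if raw_tx["operation"] != CALL:
        reasons.append("not a plain call")  # delegatecall runs foreign code as the wallet
    if raw_tx["to"].lower() not in tokens:
        reasons.append("target not an allowlisted token")
    if raw_tx["value"] != 0:
        reasons.append("unexpected native value")
    decoded = decode_transfer(raw_tx["data"])
    if decoded is None:
        return reasons + ["payload is not an ERC-20 transfer"]
    if decoded[0] not in recipients:
        reasons.append("recipient not allowlisted")
    if decoded != (displayed["recipient"].lower(), displayed["amount"]):
        reasons.append("payload differs from displayed intent")
    return reasons

# Constructed sample data
TOKEN, DEST, OTHER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SHOWN = {"recipient": DEST, "amount": 1000}
GOOD = {"to": TOKEN, "value": 0, "operation": CALL, "data": encode_transfer(DEST, 1000)}
SWAPPED = dict(GOOD, data=encode_transfer(OTHER, 1000))
NON_TRANSFER = {"to": OTHER, "value": 0, "operation": DELEGATECALL, "data": "0xdeadbeef"}
if __name__ == "__main__":
    print([review_request(t, SHOWN, {TOKEN}, {DEST}) for t in (GOOD, SWAPPED, NON_TRANSFER)])
```

The check is only independent if it runs on a device and code path separate from the interface that presented the request to the signer.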

The speed at which the attackers converted and laundered stolen assets also underscored the importance of real-time monitoring and automated freezing mechanisms. Crystal’s 29-minute response time, while impressive, proved insufficient against attackers who began laundering funds within minutes of the initial theft.

User Action Required

For users of centralized exchanges, the WazirX incident serves as a stark reminder of the counterparty risk inherent in custodial platforms. Consider moving significant holdings to self-custody wallets, particularly hardware wallets that are never connected to the internet. Regularly audit exchange exposure and maintain only what is needed for active trading on any single platform. Enable all available security features including two-factor authentication, withdrawal whitelist restrictions, and anti-phishing codes. Stay informed about exchange security practices and prefer platforms that provide regular transparency reports and proof-of-reserves.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.

10 thoughts on “Inside the WazirX $230 Million Heist: How Multi-Sig Wallet Security Failed India’s Largest Crypto Exchange”

  1. 6 signatures, 4 required, hardware keys never online, and they still got owned. the attack on the authorization process itself is next level

    1. manipulating the authorization process without touching keys means they found a UI layer exploit in Liminal. probably injected a malicious transaction payload that looked legit to the signers

      1. everyone focused on the multisig math but nobody asked about the middleware approving transactions. Liminal's policy engine was the weak link not the keys

  2. Liminal custody was supposed to be the secure layer. if the custodian gets bypassed what is even the point of using them

    1. Aisha Bello nailed it. Liminal was supposed to be the security guarantee. when your custodian is the attack vector the entire multisig architecture becomes theater

  3. the precision of the attack at 06:19 UTC suggests they knew the exact signing window. this was planned for weeks minimum

    1. agree with the recon theory. you don't just stumble into manipulating a 4-of-6 multisig. state sponsored ops have patience and resources

  4. India FPI users had zero recourse after this. WazirX socialized losses instead of covering from their own treasury. says everything about exchange priorities

    1. socializing losses is just a fancy way of saying we lost your money but keeping our business. FPI users got pennies while the restructuring happened in singapore

  5. 4-of-6 multisig sounds safe until you realize the policy engine between the signers was the actual attack surface. $230M gone and the forensic report still hasn't been fully released
