How WazirX Was Hacked by the Lazarus Group Through a Phishing Attack
In one of the largest cryptocurrency hacks in India, WazirX, a prominent Indian cryptocurrency exchange, suffered a breach in which roughly half of its user funds were stolen. On July 18, 2024, attackers drained approximately $234 million worth of digital assets from the exchange’s wallet. The incident sent shockwaves through the crypto community and exposed significant weaknesses in how exchange custody is secured.
WazirX’s Proof of Reserve Report
In June, WazirX published its Proof of Reserve (PoR) report, showcasing a total holding of $503 million in various cryptocurrencies. The report aimed to reassure users about the exchange’s solvency and commitment to transparency. However, this recent hack has brought the adequacy and reliability of such reports into question, as nearly half of the reported reserves were compromised.
Specific Cryptocurrencies Affected
The stolen assets were predominantly Ethereum (ETH) and Shiba Inu (SHIB). They were drained from the compromised multi-sig wallet, not through any flaw in the token contracts themselves, and were quickly swapped through decentralized finance (DeFi) protocols, where no operator can freeze them, rather than through centralized exchanges that could seize them.
How the WazirX Hack Occurred
The hack unfolded over roughly eight days, from the funding of the attacker addresses on July 10 to the drain on July 18, and was carefully planned. The attackers used a phishing contract during an upgrade to WazirX’s multi-sig wallet, a wallet designed to require several approvals for every transaction as an extra layer of security. By getting those approvals attached to a deceptive payload, they bypassed the multi-signature control and executed unauthorized transactions.
Initial Setup and Funding
- Attacker’s address: 0x6EeDF92Fb92Dd68a270c3205e96DCCc527728066, funded with five transactions of 0.1 ETH each from Tornado Cash on Jul-10-2024 06:28:59 AM UTC.
- Proxy address: 0xab7f74fEbC2E13a7636c305794E1C0dDd9E0D779, funded about 15 minutes later with the same amount from the same source, on Jul-10-2024 06:44:11 AM UTC.
Understanding Multi-Sig Wallets
Multi-signature (multi-sig) wallets enhance security by requiring several independent approvals before a transaction executes. WazirX’s wallet had six signers: a transaction needed three signatures from WazirX’s own signers plus a final signature from Liminal, the custody service, before it could execute (a 4-of-6 threshold). In theory that stops a single compromised key or person from moving funds. In this case every required signature was obtained, because the signers approved a payload that was not what it appeared to be.
How Liminal Services Were Compromised
Liminal, which provided the final signature on WazirX’s multi-sig transactions, experienced a data mismatch: the transaction details presented for approval did not match the payload that was actually signed. That discrepancy meant the final signature was applied to the attacker’s payload, enabling the hack. The precise mechanism behind the mismatch remains under investigation, but it underscores a critical lapse: a signature is only as good as the signer’s verification of the raw transaction data.
Execution of the Phishing Contract
The attackers used a phishing contract during the multi-sig wallet upgrade. By submitting small, innocuous-looking transactions, they collected legitimate signatures from the WazirX signers and from Liminal on a payload that, once executed, changed critical wallet data. With the wallet’s controls altered, they executed the large unauthorized transfers that drained it. Two transactions carry the attack:
- execTransaction call. The collected signatures authorised a call to the Safe’s execTransaction entry point, whose signature is:

```solidity
execTransaction(address to, uint256 value, bytes data, uint8 operation, uint256 safeTxGas, uint256 baseGas, uint256 gasPrice, address gasToken, address refundReceiver, bytes signatures)
```

The calldata excerpt published for this step, with its original annotations:

```text
0x804e1f0a
000000000000000000000000ef279c2ab14960aa319008cbea384b9f8ac35fc6 // operation
0000000000000000000000000000000000000000000000000000000000000081 // uint8
14 (operation)
0000000000000000000000000000000000000000000000000000000000000005 // safeTxGas uint256
0000000000000000000000000000000000000000000000000000000000000006 // baseGas uint256
0000000000000000000000000000000000000000000000000000000000000007 // gasPrice uint256
0000000000000000000000000000000000000000 // gasToken address
0000000000000000000000000000000000000000 // refundReceiver address
0000000000000000000000000000000000000000000000000000000000000000 // signatures bytes
```

Two caveats before reading too much into this excerpt: the selector 0x804e1f0a is not execTransaction’s (that is 0x6a761202), and the annotations do not line up with the parameter order above (the first word carries an address, 0xef279c2a…, not an operation byte). Treat it as illustrative of the payload rather than as a clean decoding of the call.

- Second transaction (the sweep). With the wallet’s data changed, the attacker sent a transaction with function selector 0x2d8a122e. Its input data decodes as three 32-byte words:

```text
0x2d8a122e00000000000000000000000095ad61b0a150d79219dcf64e1e6cc01f0b64c4ce0000000000000000000000006eedf92fb92dd68a270c3205e96dccc527728066ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
```

  - 0x95ad61b0a150d79219dcf64e1e6cc01f0b64c4ce: the SHIB token contract
  - 0x6eedf92fb92dd68a270c3205e96dccc527728066: the attacker’s address from the funding step above
  - 0xff…ff: the amount, the maximum uint256, i.e. everything the wallet holds
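The two calls above, and the signer checks the multi-sig section implies, are easiest to reason about in code. The following Python is an added example written for this article, not code from WazirX, Liminal or Safe: it ABI-decodes execTransaction calldata, decodes the 0x2d8a122e sweep call into its three words, and runs the checks a signer (or the service producing the final signature) should apply to the raw payload before signing. The execTransaction selector 0x6a761202 is from the public Safe ABI; the Safe address, the attacker logic contract, the hot wallet and the benign transfer are hypothetical values constructed for the demo.

```python
"""Decode Safe execTransaction calldata and list what a signer should refuse.

Added example for this article, not code from WazirX, Liminal or Safe. The
execTransaction selector 0x6a761202 is from the public Safe ABI; 0x2d8a122e
and the two addresses are from the transaction data quoted above. The Safe
address, logic contract, hot wallet and benign transfer are hypothetical.
"""

EXEC_TRANSACTION = "6a761202"  # execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)
ERC20_TRANSFER = "a9059cbb"    # transfer(address,uint256)
ZERO_ADDRESS = "0x" + "00" * 20
MAX_UINT256 = 2**256 - 1
OP_CALL, OP_DELEGATECALL = 0, 1

# From the page (lower-cased): the SHIB token contract and the attacker address.
SHIB_TOKEN = "0x95ad61b0a150d79219dcf64e1e6cc01f0b64c4ce"
ATTACKER = "0x6eedf92fb92dd68a270c3205e96dccc527728066"
SWEEP_CALLDATA = ("0x2d8a122e" + "0" * 24 + SHIB_TOKEN[2:]
                  + "0" * 24 + ATTACKER[2:] + "f" * 64)


def _raw(calldata: str) -> bytes:
    return bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)

def _word(args: bytes, i: int) -> bytes:
    return args[32 * i:32 * (i + 1)]

def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")

def _addr(w: bytes) -> str:
    return "0x" + w[12:].hex()  # an address is right-aligned in its 32-byte word

def _dyn_bytes(args: bytes, offset: int) -> bytes:
    length = _uint(args[offset:offset + 32])  # dynamic field: length word, then payload
    return args[offset + 32:offset + 32 + length]


def decode_sweep(calldata: str) -> dict:
    """Decode the attacker's second call: selector + (address, address, uint256)."""
    raw = _raw(calldata)
    a = raw[4:]
    return {"selector": raw[:4].hex(), "token": _addr(_word(a, 0)),
            "to": _addr(_word(a, 1)), "amount": _uint(_word(a, 2))}


def decode_exec_transaction(calldata: str) -> dict:
    """ABI-decode the ten execTransaction parameters (data and signatures are dynamic)."""
    raw = _raw(calldata)
    if raw[:4].hex() != EXEC_TRANSACTION:
        raise ValueError(f"selector 0x{raw[:4].hex()} is not execTransaction")
    a = raw[4:]
    return {
        "to": _addr(_word(a, 0)), "value": _uint(_word(a, 1)),
        "data": _dyn_bytes(a, _uint(_word(a, 2))), "operation": _uint(_word(a, 3)),
        "safeTxGas": _uint(_word(a, 4)), "baseGas": _uint(_word(a, 5)),
        "gasPrice": _uint(_word(a, 6)), "gasToken": _addr(_word(a, 7)),
        "refundReceiver": _addr(_word(a, 8)), "signatures": _dyn_bytes(a, _uint(_word(a, 9))),
    }


def encode_exec_transaction(to: str, value: int, data: bytes, operation: int) -> str:
    """Build execTransaction calldata (zero gas fields, empty signatures) for the demo."""
    def u(n): return n.to_bytes(32, "big")
    def addr(s): return bytes(12) + bytes.fromhex(s[2:])
    def dyn(b): return u(len(b)) + b + bytes(-len(b) % 32)  # length word + padded payload
    data_off = 10 * 32                      # dynamic data starts after the 10-word head
    sigs_off = data_off + len(dyn(data))
    head = (addr(to) + u(value) + u(data_off) + u(operation) + u(0) + u(0) + u(0)
            + addr(ZERO_ADDRESS) + addr(ZERO_ADDRESS) + u(sigs_off))
    return "0x" + EXEC_TRANSACTION + (head + dyn(data) + dyn(b"")).hex()


def signer_red_flags(tx: dict, safe_address: str, allowed_targets: set) -> list:
    """Checks to run on the decoded payload itself, never on a UI summary of it."""
    flags = []
    if tx["operation"] == OP_DELEGATECALL:
        flags.append("operation=1 (delegatecall): target code runs with the Safe's "
                     "storage and can rewrite its master copy, owners or threshold")
    if tx["to"].lower() == safe_address.lower():
        flags.append("target is the Safe itself: a configuration change, not a transfer")
    if tx["to"].lower() not in allowed_targets:
        flags.append(f"target {tx['to']} is not an allow-listed token or contract")
    inner = tx["data"][:4].hex()
    if inner == ERC20_TRANSFER:
        if _uint(tx["data"][36:68]) == MAX_UINT256:  # amount word of transfer(address,uint256)
            flags.append("transfer amount is max uint256 (sweep everything)")
    elif tx["data"]:
        flags.append(f"inner selector 0x{inner} is not an ERC20 transfer")
    if tx["refundReceiver"] != ZERO_ADDRESS or tx["gasToken"] != ZERO_ADDRESS:
        flags.append("non-zero gasToken/refundReceiver: the gas refund can leak funds")
    return flags


if __name__ == "__main__":
    safe, logic, hot = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20  # hypothetical
    transfer = bytes.fromhex(ERC20_TRANSFER) + bytes(12) + bytes.fromhex(hot[2:]) + (10**18).to_bytes(32, "big")
    benign = decode_exec_transaction(encode_exec_transaction(SHIB_TOKEN, 0, transfer, OP_CALL))
    upgrade = decode_exec_transaction(encode_exec_transaction(logic, 0, b"", OP_DELEGATECALL))
    print("benign :", signer_red_flags(benign, safe, {SHIB_TOKEN}))
    print("upgrade:", signer_red_flags(upgrade, safe, {SHIB_TOKEN}))
    print("sweep  :", decode_sweep(SWEEP_CALLDATA))
```

Every check in signer_red_flags runs against the decoded calldata, which is what the keys actually sign; a display layer that shows a summary instead of the decoded fields is exactly where a mismatch like the one described under Liminal can hide. The page’s 0x804e1f0a excerpt is rejected by decode_exec_transaction because its selector is not execTransaction’s, which is the first thing a signer-side check should notice.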
The North Korean Lazarus Group
The attack has been attributed to the North Korean Lazarus Group, a notorious hacking collective known for its involvement in numerous high-profile cyber heists. Their sophisticated methods and state backing make them a formidable adversary.
Previous Hacks by the Lazarus Group
The Lazarus Group has a storied history of high-value cyber thefts, including:
- Ronin Network (Axie Infinity) hack: about $620 million stolen.
- Harmony Horizon bridge hack: about $100 million stolen.
- Atomic Wallet hack: about $100 million stolen.
Their involvement in the WazirX hack adds another chapter to their extensive record of cybercrime.
Security Negligence by WazirX
That the attackers’ week of preparatory funding and contract deployment went unnoticed until the drain points to significant security shortcomings. The exchange’s reliance on a single custody service, inadequate monitoring, and insufficient contingency planning all contributed to the success of the hack. Specific areas of negligence include:
- Lack of Real-Time Monitoring: No real-time alerts for unusual transaction patterns.
- Single Point of Failure: Reliance on Liminal for the final signature without adequate cross-checks.
- Inadequate Audit Practices: Failure to conduct thorough security audits and stress tests on multi-sig wallets.
User Funds and Impact on Users
The immediate impact on users has been severe, with many losing significant portions of their crypto holdings. The emotional and financial toll on users cannot be overstated, as trust in the exchange has been fundamentally shaken.
Steps for Fund Recovery
Recovering the stolen funds poses a complex challenge. Potential measures include:
- Blockchain Analysis: Tracking the movement of stolen assets through blockchain forensics.
- Legal Action: Pursuing legal channels to hold the perpetrators accountable.
- Collaborations with Other Exchanges: Freezing funds moved to other platforms to prevent further laundering.
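For the blockchain-analysis step, here is an added example (not WazirX’s or any vendor’s tool) of the basic taint-tracing loop: a breadth-first search over outgoing transfers from the attacker address, with the time-ordering rule that an address is only tainted from the block in which it first received tainted funds. Only the attacker address is from the page; the transfer log, the labels and the DEX pool address are constructed for the demo.

```python
"""Follow stolen funds hop by hop from a known attacker address.

Added example for this article, not a WazirX or chain-analysis vendor tool.
Only the attacker address comes from the page; the transfer log, the labels
and the swap contract are constructed for the demo. In practice the log would
come from an ERC-20 Transfer event scan and the labels from attribution data.
"""
from collections import defaultdict, deque

ATTACKER = "0x6eedf92fb92dd68a270c3205e96dccc527728066"

# Constructed transfer log: (block, from, to, asset, amount).
TRANSFERS = [
    (0, "0xaaa1", "0xold", "ETH", 1),             # before 0xaaa1 was tainted: not ours
    (1, ATTACKER, "0xaaa1", "SHIB", 5_000_000),
    (1, ATTACKER, "0xaaa2", "ETH", 200),
    (2, "0xaaa1", "0xdex", "SHIB", 5_000_000),    # swap SHIB -> ETH in a shared pool
    (2, "0xdex", "0xaaa1", "ETH", 40),            # the swap's output, same block
    (3, "0xaaa1", "0xbbb1", "ETH", 40),
    (3, "0xaaa2", "0xbbb2", "ETH", 200),
    (4, "0xbbb1", "0xcex_dep1", "ETH", 40),       # lands at a labelled exchange deposit
    (5, "0xbbb2", "0xmixer", "ETH", 200),
    (9, "0xunrelated", "0xcex_dep1", "ETH", 1),   # clean funds, never tainted
]
LABELS = {"0xcex_dep1": "ExchangeA deposit", "0xmixer": "Mixer", "0xdex": "DEX pool"}
PASS_THROUGH = {"0xdex"}  # shared contracts: follow only outputs in the inflow's block


def trace(transfers, origin, labels, pass_through=PASS_THROUGH, max_hops=6):
    """Breadth-first search over outflows. An address is tainted from the block in
    which it first receives tainted funds; its earlier outflows are not followed."""
    outflows = defaultdict(list)
    for t in sorted(transfers):               # block order, then from/to
        outflows[t[1]].append(t)
    tainted_at = {origin: 0}
    path = {origin: [origin]}
    queue = deque([(origin, 0)])
    hits = []
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for block, _sender, to, asset, amount in outflows[addr]:
            if block < tainted_at[addr]:
                continue                        # spent before the taint arrived
            if addr in pass_through and block != tainted_at[addr]:
                continue                        # outside the inflow's block: someone else's swap
            if to in tainted_at:
                continue                        # already reached (BFS gives the shortest path)
            tainted_at[to] = block
            path[to] = path[addr] + [to]
            if to in labels and to not in pass_through:
                hits.append({"address": to, "label": labels[to], "asset": asset,
                             "amount": amount, "hops": hops + 1, "path": path[to]})
            queue.append((to, hops + 1))
    return hits, tainted_at


def freeze_requests(hits):
    """Group hits at exchange deposit addresses by exchange, ready for outreach."""
    requests = defaultdict(list)
    for h in hits:
        if "deposit" in h["label"].lower():
            requests[h["label"]].append((h["address"], h["asset"], h["amount"]))
    return dict(requests)


if __name__ == "__main__":
    found, _tainted = trace(TRANSFERS, ATTACKER, LABELS)
    for h in found:
        print(f"{h['label']:<18} {h['asset']} {h['amount']:>6}  via {' -> '.join(h['path'])}")
    print("freeze requests:", freeze_requests(found))
```

The same-block rule for shared contracts such as a DEX pool is a rough approximation; a production tracer matches a pool’s outputs to the specific swap call that fed it and accounts for the change of asset. The freeze_requests output is what gets sent to the exchange whose deposit address the funds reached, which is the collaboration step listed above.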
WazirX’s Response to the Hack
WazirX has issued statements blaming the breach on Liminal’s security failure. However, the exchange must take responsibility for its own security lapses and provide clear communication and support to affected users. Key steps in their response include:
- Strengthening Security Protocols: Implementing more robust multi-sig protocols and enhancing internal security measures.
- User Compensation: Developing a plan to compensate users for their losses.
- Transparent Communication: Keeping users informed about ongoing recovery efforts and security improvements.
Lessons for Other Exchanges
This incident serves as a stark reminder for all cryptocurrency exchanges about the critical importance of robust security measures. Regular audits, diversified security services, and prompt response protocols are essential to safeguard user funds. Exchanges should consider:
- Diversified Security Services: Avoiding reliance on a single provider for critical security functions.
- Enhanced Monitoring: Implementing real-time monitoring and anomaly detection systems.
- Regular Audits: Conducting frequent, comprehensive security audits to identify and mitigate vulnerabilities.
Protecting Your Crypto Assets
Given the inherent risks associated with centralized exchanges, users are increasingly considering self-custody options. Hardware wallets, cold storage solutions, and personal multi-sig wallets offer higher security by reducing reliance on third-party services. Best practices for users include:
- Using Hardware Wallets: Storing assets in hardware wallets to minimize online exposure.
- Cold Storage Solutions: Keeping a significant portion of holdings in cold storage.
- Personal Multi-Sig Wallets: Setting up personal multi-sig wallets to enhance security.
Future Security Measures for WazirX
In the wake of the hack, WazirX must implement comprehensive security enhancements, including:
- Enhanced Multi-Sig Protocols: Strengthening multi-sig wallet security with additional verification steps.
- Regular Security Audits: Conducting frequent, rigorous security reviews to ensure all systems are secure.
- User Education: Providing users with information on best security practices and how to protect their assets.
FAQs
What exactly happened in the WazirX hack? The WazirX hack involved the theft of approximately $234 million worth of cryptocurrency through a compromised multi-sig wallet, exploited by the North Korean Lazarus Group.
How did the hackers manage to compromise WazirX’s multi-sig wallet? The hackers utilized a phishing contract during an upgrade to the multi-sig wallet, sending small transactions to gather legitimate signatures and eventually manipulate wallet data to execute unauthorized transactions.
Who is responsible for the hack? The hack has been attributed to the North Korean Lazarus Group. Both WazirX and Liminal services share responsibility due to security lapses and failure to detect the breach in a timely manner.
What are multi-sig wallets, and how do they work? Multi-sig wallets require multiple approvals before a transaction can execute, providing an added layer of security. WazirX’s wallet had six signers; a transaction needed three WazirX signatures plus a final signature from Liminal before it could execute.
Can stolen funds be recovered? Recovering stolen funds is challenging but not impossible. Measures such as blockchain analysis, legal action, and collaboration with other exchanges may help in tracking and potentially recovering the assets.
What steps should users take to protect their crypto assets? Users should consider self-custody options, such as hardware wallets and cold storage, to reduce reliance on centralized exchanges. Regularly updating security practices and being vigilant against phishing attempts are also crucial.