Indian cryptocurrency exchange WazirX has confirmed that it was the target of a security breach that led to the theft of $230 million in cryptocurrency assets.
“A cyber attack occurred in one of our [multi-signature] wallets involving a loss of funds exceeding $230 million,” the company said in a statement. “This wallet was operated utilizing the services of Liminal’s digital asset custody and wallet infrastructure from February 2023.”
The Mumbai-based company said the attack stemmed from a mismatch between the information that was displayed on Liminal’s interface and what was actually signed. It said the payload was replaced to transfer wallet control to an attacker.
Crypto custody firm Liminal is one of the six signatories on the wallet and is responsible for transaction verifications.
“Our preliminary investigations show that one of the self custody multi-sig smart contract wallets created outside of the Liminal ecosystem has been compromised,” Liminal said in a series of posts shared on X.
“It is also pertinent to note that all WazirX wallets created on the Liminal platform continue to remain secure and protected. Meanwhile, all the malicious transactions to the attacker’s addresses have occurred from outside of the Liminal platform.”
Blockchain analytics firm Elliptic said the attack has all the hallmarks of North Korean threat actors, and the attackers have taken the step of swapping the crypto assets for Ether using various decentralized services.
This was also reiterated by crypto researcher ZachXBT on X, who said “the WazirX hack has the potential markings of a Lazarus Group attack (yet again).”
Threat actors affiliated with North Korea have a track record of staging cyber attacks targeting the cryptocurrency sector since at least 2017 as a way to get around international sanctions imposed against the country.
Earlier this year, the United Nations said it was probing 58 suspected intrusions carried out by nation-state actors between 2017 and 2023 that netted $3 billion in illegal revenues to help the country advance its nuclear weapons program.
The disclosure comes against the backdrop of a coordinated law enforcement operation codenamed Spincaster that shut down scam networks making illicit profits off approval phishing, a popular tactic in which funds are stolen through fake crypto apps and romance scams (aka pig butchering). As much as $2.7 billion is estimated to have been stolen using this method since May 2021.
“With the approval phishing technique, the scammer tricks the user into signing a malicious blockchain transaction that gives the scammer’s address approval to spend specific tokens inside the victim’s wallet, allowing the scammer to then drain the victim’s address of those tokens at will,” Chainalysis said.
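Approval phishing and the displayed-versus-signed mismatch described above both come down to a user signing bytes they have not inspected. The following is an added example, not code from WazirX, Liminal or Chainalysis: a pre-signing check that decodes raw transaction calldata and flags approval grants. The function names, the trusted-spender list and the sample calldata are assumptions constructed for illustration.

```python
# Added example (not from the article): inspect calldata before signing.
# Selectors are the first 4 bytes of keccak256 of the standard signatures.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20
    "39509351": "increaseAllowance(address,uint256)",  # common ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}
MAX_UINT256 = 2**256 - 1


def decode_approval(calldata_hex):
    """Return details of an approval-granting call, or None for other calls."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    signature = APPROVAL_SELECTORS.get(data[:8])
    if signature is None:
        return None
    args = bytes.fromhex(data[8:])
    if len(args) < 64:
        raise ValueError("truncated calldata: expected two 32-byte arguments")
    if any(args[:12]):
        raise ValueError("address argument has non-zero padding")
    value = int.from_bytes(args[32:64], "big")
    if signature.startswith("setApprovalForAll"):
        unlimited = value != 0          # operator may move every token held
    else:
        unlimited = value == MAX_UINT256
    return {"function": signature, "spender": "0x" + args[12:32].hex(),
            "value": value, "unlimited": unlimited}


def review(calldata_hex, displayed_spender, trusted_spenders):
    """List reasons to refuse signing; an empty list means no approval risk found."""
    call = decode_approval(calldata_hex)
    if call is None:
        return []
    findings = []
    if call["spender"] != displayed_spender.lower():
        findings.append("spender in calldata differs from the one displayed")
    if call["spender"] not in {s.lower() for s in trusted_spenders}:
        findings.append("spender is not on the trusted list")
    if call["unlimited"]:
        findings.append("grants unlimited allowance")
    return findings


# Constructed sample: approve(0x1111...1111, 2**256 - 1)
SAMPLE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
```

Running `review` on the exact bytes passed to the signer, rather than on fields supplied by the interface, is what makes the comparison meaningful.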