CoinDCX cofounder and CEO Sumit Gupta said that WazirX’s handling of the issue of stolen crypto assets would hurt the entire crypto ecosystem
Gupta’s main grouse is with WazirX’s plan to make its customers absorb 45% of the losses, which he called “utter nonsense”
After its crypto tokens worth $234.9 Mn were stolen, WazirX has proposed a socialised loss strategy to “distribute the impact across all users equitably”
The Indian crypto ecosystem has had a tough couple of years due to various factors like regulatory uncertainty, heavy taxation stance adopted by the central government, a raging funding winter, negative press on account of the collapse of industry bellwether FTX, among others.
Already under heavy scrutiny by users and authorities alike, the Indian crypto ecosystem was in for a rude shock when reports surfaced earlier this month that hackers, in a major breach at WazirX, decamped with $234.9 Mn worth of crypto tokens.
While the exchange’s many users were suddenly saddled with lost crypto tokens, a sharp criticism of WazirX’s handling of the entire episode came in from its competitor CoinDCX
cofounder and CEO Sumit Gupta.
In a post on X on July 29, Gupta said, “Hate to be saying this, but the way WazirXIndia is handling this entire situation isn’t community first and this IMO won’t go down well for them. This sadly is also hurting the other ecosystem participants”.
But, his grouse with WazirX was about a bigger issue – the latter’s plan to make its customers absorb 45% of the losses. Calling the proposal “utter nonsense”, Gupta emphasised that ideally WazirX should absorb the losses rather than throwing the burden on its customers.
Several social media users too chimed in on the debate and expressed displeasure with WazirX’s handling of the crypto heist. One user said that the exchange was prioritising profits while trying to escape answerability and accountability for the mishap.
The backlash came a week after WazirX suffered what was called the biggest cyberattack on any Indian crypto exchange till date as hackers stole funds equivalent to 45% of total user funds on WazirX.
As the news spread like wildfire, the crypto startup went on a damage control mode and said that the security breach impacted one of its wallets ‘Safe Multisig’ on the Ethereum network.
For the uninitiated, a multisig wallet is a type of cryptocurrency wallet that requires multiple private keys to authorise and complete transactions.
Following this, WazirX ‘temporarily’ suspended all trading activities on its platform as it looked to track the missing funds.
While the users were pinning their hopes on the exchange stepping up efforts to trace the funds, it was WazirX cofounder Niscal Shetty’s comments about a ‘socialised loss’ strategy that unleashed a volley of criticism online.
What Is The Socialised Loss Strategy?
Under fire and with no headway made in recovering funds, Shetty took to X to conduct a poll to outline two paths forward for the exchange following the breach. He cited two options – ‘legal recourse’ or ‘social loss’.
Then, in a blog post on July 27, WazirX said that in light of the recent cyberattack on the platform, it was implementing a “socialised loss strategy to distribute the impact across all users equitably”.
The company has proposed a 55-45 approach to facilitate management of the remaining user funds, where 55% of user crypto assets will be made available for trading or withdrawals depending upon the option selected by the user.
Meanwhile the remaining 45% will be converted to Tether-equivalent tokens and locked until WazirX recovers the stolen assets.
The exchange has provided two options to its customers:
- Option A: Under this, users can trade and hold their crypto assets with priority for recovery efforts, but won’t be able to withdraw funds. If they want to start withdrawing their assets later, they can switch to Option B. However, in this case, they will lose priority in the recovery process.
- Option B: This will let users trade and withdraw their assets, but recovery efforts will focus on those who chose Option A first. Customers choosing this can switch to Option A anytime before making any trades or withdrawals.
Explaining further, WazirX said that users with 100% of their tokens in the ‘not stolen category’ will only be able to trade or withdraw 55% of their crypto assets. The company said it would deduct the tokens to rebalance the portfolio of users who lost more than 45% of their crypto assets in the heist.
The value of the unlocked tokens (55%) will be calculated based on the average prices of CoinMarket and select global exchanges as of July 21, 8:30 PM, the day WazirX halted withdrawals on the platform.
Following the backlash, the exchange said that the poll is a preliminary step to understand the opinions of the users and is not “legally binding upon the users or the WazirX platform”.
While the poll is still open till August 3, it is important to trace the chronology of events that led up to the current fracas.
Tracing The Post-Hack Timeline
While the cybersecurity incident took place on July 18, WazirX, right afterwards, announced a bounty programme and offered a prize of $23 Mn to help recover the stolen $230 Mn funds.
While touting the company’s supposed commitment to “transparency and collaboration”, Shetty said that the three-month long bounty programme was open to further extension based on the progress of the recovery.
Additionally, the company also announced that it was willing to offer rewards of up to $10,000 worth of USDT (stablecoin) to white-hat hackers for providing actionable intelligence that leads to the freezing of the stolen funds.
Even as the crypto exchange called on blockchain forensics experts and cybersecurity professionals worldwide to join the mission, the story soon took a different turn altogether as it launched a preliminary probe into the cyber attack.
In its early probe, the company said that the attack likely originated from digital asset management platform Liminal’s infrastructure as the hackers bypassed the latter’s final verification step.
However, Liminal dismissed the findings, saying that the “incident originated from an external source”.
“… Our initial assessment indicates that Liminal’s platform, infrastructure, wallets, and assets remain secure… As a wallet infrastructure support platform, we emphasise that this incident originated from an external source, underscoring the crucial need for comprehensive security measures across platforms,” Liminal said at the time.
Just as the company was grappling with the fallout of the hack, a new angle emerged in the case. US’ Federal Bureau of Investigation (FBI) reportedly reached out to the cryptocurrency exchange to probe the nature of a cyberattack.
While the FBI reportedly hinted that the hack allegedly involved unnamed North Korean hackers, Shetty outright claimed that Lazarus Group was likely behind the incident.
Lazarus, alleged to be backed by the North Korean government, is known for carrying out some of the world’s largest crypto exchange attacks in the past.
Later on July 29, external threat landscape management platform CYFIRMA claimed that the North Korea-backed hacker group indeed was behind the security breach. It linked the attack to North Korean intelligence service Reconnaissance General Bureau (RGB).
According to CYFIRMA, close to $235 Mn were lost in crypto assets, including $96.7 Mn worth of Shiba Inu tokens, nearly $52.6 Mn of Ether coins, $11 Mn of Matic tokens and nearly $7.6 Mn of Pepe tokens.
“The threat actor has already swapped a number of these tokens for Ether using a variety of decentralised services, an expected initial step of a typical laundering process,” added CYFIRMA.
Amid all this, WazirX has sought help from its former partner Binance for bailing out the customers affected by the hack.
While it remains to be seen whether WazirX can emerge from this row successfully and recover back the funds, the cybersecurity incident has raised questions about the safeguards implemented by crypto exchanges.
Additionally, the incident could also have an adverse bearing on the larger crypto landscape.
