WazirX's $234 Mn crypto heist has unveiled serious security flaws and mismanagement, with several burning questions over founder Nischal Shetty's role and the platform's future
In this deep dive into the WazirX saga, we look at how the hack was orchestrated, the various players involved and why many former employees at the company lay the blame at the feet of the founders
Now, the startup is looking at multiple ways to salvage the situation, but users allege that the company is not being transparent about how it will remedy their losses
“The founders, particularly Nischal Shetty, made a grave mistake by ghosting WazirX for two years and doing other projects. And suddenly they appeared out of nowhere this year. The July 18 attack is just a culmination of many of their mistakes—this was a disaster waiting to happen,” said a former WazirX employee.
On July 18, 2024, social media was abuzz with news of India’s largest crypto heist, as WazirX reported $234 Mn worth of cryptocurrencies stolen from one of its wallets hosted on Liminal, an institutional digital asset custody platform.
It’s now been more than 60 days since the heist, and a series of allegations have surfaced, with blame being shifted, and little groundwork being done. But this is what has happened in the interim:
- The company started a white hat bounty programme offering up to 10% of the stolen funds ($23 Mn)
- An FIR has been filed with the Special Cell of the Delhi Police against unknown persons
- Zettai Pte Ltd, the Singapore-based entity owned by WazirX cofounders Nischal Shetty and Sameer Mhatre, filed for a moratorium in Singapore High Court.
- WazirX claims to be in talks with 11 crypto exchanges for a possible acquisition
It’s important to note that Zettai is the holding company for the Indian entity Zanmai Labs, which handles INR-crypto transactions on WazirX.
Now, the hack and heist have opened up a whole can of worms for WazirX. Even as Shetty looks for a white knight to come to rescue WazirX, things look bleak.
“Can you sell something that you claim not to own? Can someone invest in or buy a company whose ownership is disputed and being investigated by the ED for FEMA violations? Despite the lucrative data of 16 Mn users, nobody would want to poke their nose into this,” said a founder of another crypto exchange.
The heist, and the handling of it thereafter, has raised numerous questions concerning WazirX, its founders Shetty and Mhatre, as well as Binance which, despite denials, still is the real owner according to the WazirX affidavit.
Besides these entities, Liminal Custody, where WazirX’s wallet was hosted, is also coming under fire and, for its part, has pointed fingers at WazirX.
Finally, there’s the Indian government, which collects a hefty 30% tax on crypto gains, and its investigative agencies, which have not yet arrived at a conclusion on even their previous investigations into WazirX.
Where WazirX Fell Apart
Despite WazirX founders holding two town hall meetings in the last few weeks, many questions remain unanswered. And, there is a series of events and questionable decisions that led to this stage.
After Zebpay’s temporary downfall in 2018, followed by Koinex shutting down, WazirX rose to become one of the largest crypto exchanges in India, maintaining its dominance for a couple of years. At one point, Binance had seemingly acquired the company; however, WazirX’s relationship with Binance eventually soured, leading to a very public fallout on social media.
Despite the Binance tussle, WazirX remained one of India’s most popular crypto exchanges until July. The growing popularity of cryptocurrencies in 2021, fueled by Bitcoin’s meteoric rise, helped WazirX achieve a trading volume of $38 Bn, with 44% month-on-month growth.
As the employee quoted at the beginning said, though, things soured soon after that. The founders had essentially abandoned the ship between 2022 and 2023 to pursue other ventures. Shetty went on to cofound Shardeum and Pi42, while another cofounder, Siddharth Menon, founded Tegro, a marketplace for blockchain game assets.
By January 2022, both founders had shifted their base to Dubai and were no longer actively involved in running WazirX. And then came the heist.
After a series of blunders since August 2022, when the ED investigation began, this seems to be the end of the road for WazirX. Multiple founders who spoke to Inc42 believe that, whether it’s the moratorium or insolvency, WazirX might not see the light of day again.
Here’s the story of the $234 Mn heist that shook the Indian crypto industry and WazirX.
The Biggest Crypto Hack In Indian History
The attack on WazirX began on July 18 when one of its multi-signature or multisig wallets was breached and cybercriminals stole $234 Mn (or around INR 2000 Cr) in digital assets. According to various reports, North Korean actors were allegedly involved in this hack.
According to various accounts from Liminal and WazirX since then, the multisig wallet in question was controlled by five signatures from WazirX and one from Liminal. However, to initiate a transaction one needed three signatures from WazirX signatories and one from Liminal.
To steal cryptos from this wallet, the hackers first created a fake account on WazirX, deposited tokens into it, and began purchasing Gala (GALA) tokens. They started by emptying out the hot wallet and then gained access to the cold wallet before draining that too.
When WazirX signatories accessed the multisig wallet, the hacker was able to maliciously change the payload for the smart contract that controlled the wallet.
Once the smart contract was upgraded in their favour, the hackers had complete control. They required no further keys from WazirX, which allowed the attackers to completely drain all the funds.
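The quorum described above can be satisfied in full and still authorise the wrong action if signers approve bytes they have not decoded themselves. The following added example (not code from WazirX, Liminal or the original article) models that quorum and a signer-side check that decodes the payload before approval; the signer names, addresses, the single-ERC-20-transfer policy and the sample payloads are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Selector of transfer(address,uint256), the standard ERC-20 transfer call
ERC20_TRANSFER = bytes.fromhex("a9059cbb")

# Quorum from the article: 3 of 5 client signers plus the custody co-signer.
# Signer names are constructed placeholders.
CLIENT_SIGNERS = frozenset(f"client-{i}" for i in range(1, 6))
CUSTODY_SIGNER = "custody"
CLIENT_THRESHOLD = 3


@dataclass(frozen=True)
class Intent:
    """What the signer believes they are approving (e.g. as shown on screen)."""
    token: str      # token contract address
    recipient: str  # destination address
    amount: int     # amount in the token's smallest unit


def quorum_met(approvals: set) -> bool:
    clients = len(CLIENT_SIGNERS & set(approvals))
    return clients >= CLIENT_THRESHOLD and CUSTODY_SIGNER in approvals


def decode_transfer(calldata: bytes):
    """Return (recipient, amount) only if calldata is exactly one ERC-20 transfer."""
    if len(calldata) != 68 or calldata[:4] != ERC20_TRANSFER:
        return None
    addr_word, amount_word = calldata[4:36], calldata[36:68]
    if any(addr_word[:12]):  # an address is left-padded with 12 zero bytes
        return None
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")


def refusal_reasons(intent: Intent, target: str, calldata: bytes) -> list:
    """Compare the bytes about to be signed with the intent; [] means they match."""
    reasons = []
    if target.lower() != intent.token.lower():
        reasons.append("target contract is not the expected token")
    decoded = decode_transfer(calldata)
    if decoded is None:
        return reasons + ["payload is not a plain token transfer"]
    recipient, amount = decoded
    if recipient != intent.recipient.lower():
        reasons.append("recipient differs from intent")
    if amount != intent.amount:
        reasons.append("amount differs from intent")
    return reasons


def encode_transfer(recipient: str, amount: int) -> bytes:
    """Build sample calldata for the demo below."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")


# Constructed sample values, not addresses or payloads from the incident.
TOKEN = "0x" + "11" * 20
PAYEE = "0x" + "22" * 20
INTENT = Intent(TOKEN, PAYEE, 1_000)
MATCHING = encode_transfer(PAYEE, 1_000)
SWAPPED = bytes.fromhex("deadbeef") + bytes(64)  # constructed: some other contract call

if __name__ == "__main__":
    approvals = {"client-1", "client-2", "client-4", "custody"}
    print("quorum met:", quorum_met(approvals))
    print("matching payload:", refusal_reasons(INTENT, TOKEN, MATCHING))
    print("swapped payload: ", refusal_reasons(INTENT, TOKEN, SWAPPED))
```

The quorum check passes for both payloads; only the per-signer decode distinguishes them, which is why it has to run on a path independent of the interface that displays the transaction.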
At the time of the breach, WazirX had an estimated 16 Mn users and held $570 Mn in customer deposits. Approximately 4.3 Mn users suffered substantial losses due to the hack, with nearly half of their crypto balances wiped out.
As 45% of total user funds were lost, WazirX was left with no choice but to freeze all trading and withdrawals on the platform. Desperate to recover the stolen assets, on July 21, the hacked exchange announced two white hat bounty rewards.
Under the first bounty program, WazirX offered up to $10,000 worth of Tether (USDT) for actionable intelligence leading to the freezing of the stolen funds.
The platform also launched a recovery bounty, offering 10% ($23 Mn) of the recovered amount as a reward to anyone who helped retrieve the stolen assets.
Since then, the hackers or the entity behind the WazirX breach have already moved the stolen Ether (ETH) cryptocurrency worth over $64 Mn through Tornado Cash.
Tornado Cash is an Ethereum coin mixer that utilizes zero-knowledge (ZK) proof cryptography to ensure the anonymity of user deposits and withdrawals.
This helped the attackers obscure their wallet addresses across blockchains, effectively masking their trail.
While the platform was banned by the US government in 2022, it remains operational in several jurisdictions, including North Korea.
Who’s To Blame? Liminal Or WazirX?
At the centre of the hack are two parties—WazirX and Liminal Custody—each conveniently blaming the other from day one, leaving users uncertain about the security of their funds.
WazirX is an online exchange that allows users to buy, sell, or trade cryptocurrencies. While the exchange is registered in Mumbai and has a Singapore holding company, founder Shetty resides in Dubai. On the other hand, Liminal Custody is a Singapore-based crypto wallet infrastructure provider, which hosted the compromised wallet in WazirX’s case.
On the day of the hack, WazirX claimed in a blog post that the attack resulted from a “discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents.”
One month later, on August 14, WazirX ended its relationship with Liminal and began transferring funds into new multisig wallets.
WazirX also enlisted Mandiant Solutions, a subsidiary of tech giant Google, to conduct a forensic analysis of the three laptops used for signing the transactions that depleted nearly half of its crypto reserves.
The hacked exchange later stated that it had received a clean bill from Mandiant, which found no evidence that its laptops or systems had been compromised during the hack. However, WazirX didn’t stop at clearing itself of responsibility. It further claimed that preliminary findings indicated the cyberattack likely originated from Liminal.
In response, Liminal brought in auditing giant Grant Thornton to perform its own forensic analysis, which cleared Liminal of any wrongdoing. The wallet infrastructure provider stated that no breach had occurred on its end.
It’s worth noting that neither Liminal nor WazirX has released the entire forensic report in public, but only parts of it.
Speaking to Inc42, a Liminal spokesperson said, “WazirX was using self-custodial software, not our custody service. The wallet was actually in the client’s custody, with the customer holding 5 out of the 6 keys required to control the wallet.”
Since the hack involved both entities, it would have been ideal to conduct a joint forensic analysis rather than separate investigations. However, Liminal clarified, “No, we were not approached by WazirX for any joint forensic audit.”
WazirX did not respond to Inc42’s queries till the time of publishing.
However, the Liminal spokesperson hinted at the company exploring legal options to safeguard its brand name after the accusations from WazirX.
WazirX’s Nischal Shetty In The Hot Seat
Even though on paper Shetty, Menon and Mhatre are the founders of WazirX, Menon left the company in February 2022, while Mhatre has stayed out of the media spotlight. Essentially, Shetty is the face of WazirX and he’s naturally taking a lot of the heat in this matter.
“Before the Binance acquisition, Nischal and other founders paid salaries out of their own pockets. They also went the extra mile to ensure that WazirX got acquired by Binance, but since 2022 they have let everyone down,” said a source close to the matter.
Post the acquisition by Binance in 2019, the global giant set up an internal team, including Binance US CEO Brian Schroder and Binance’s legal team, to work with WazirX. On WazirX’s end, Shetty and VP of finance Tushar Patel were the points of contact for Binance.
According to a CoinDesk report, the terms of the agreement allowed WazirX to continue “accessing and operating these accounts for the sole benefit of Binance,” which was designated as “the absolute owner of these accounts.”
On July 28, 2021, after Patel agreed to the purchase agreement, Schroder wrote: “Thank you, Tushar. We will start the transfer process and keep you posted.”
But less than a year later, trouble came knocking.
India’s Enforcement Directorate (ED) issued four summons on February 7, April 8, May 11 and June 7, 2022 against WazirX and its founders. Then on June 11, the ED for the first time publicly announced sending the show-cause notices to WazirX and its founders for crypto transactions worth INR 2,790.74 Cr being probed under the Foreign Exchange Management Act (FEMA), 1999.
Needless to say, Binance’s legal team was also facing the heat. After the first of the ED notices, Binance, which was already largely operating in ghost mode from tax havens like Malta, began distancing itself further from WazirX and the India business.
The final blow came on August 5, 2022, when the ED conducted search operations at Mhatre’s and the WazirX office. On the same day, Binance completely cut WazirX off, claiming the acquisition had never been completed and that WazirX’s founders still ran the company and were effectively its owners.
However, Shetty has evidence on his side, showing that Binance unilaterally withdrew $67 Mn in trading fees from the WazirX platform. Binance transferred these amounts to an internal account solely controlled by them, as Binance owned the WazirX wallets, according to Shetty.
Despite this, Shetty and WazirX cannot claim complete innocence.
According to sources close to the development, Binance invested approximately $100 Mn to acquire the platform, though Inc42 could not independently verify this.
As per the agreement, Binance was supposed to acquire the WazirX platform and take control of the peer-to-peer trading operations.
The KYC and INR-Crypto transactions, however, would continue to be executed by the Indian entity Zanmai Labs, owned by Zettai Pte Ltd in Singapore, jointly owned by Shetty, Menon and Mhatre.
“During the ED investigation, Shetty was doing everything to comply with the investigation while Binance was running away, ghosting us,” remarked a former WazirX employee.
However, this doesn’t absolve Shetty and WazirX from blame. On January 26, 2023, Binance threatened WazirX, demanding Shetty retract his claims about WazirX ownership or face the termination of its service agreement in a week’s time.
In response, Shetty migrated wallets from Binance to Liminal and continued operating the platform despite the ongoing dispute.
“At this point, Shetty did not fully disclose the situation to traders and investors. He did not reveal the heightened risk investors would face after the ownership dispute with Binance,” said another cofounder of a leading Indian exchange.
Many users continued to trade on WazirX, as nothing appeared unusual on the app except for changes to the user agreement, which only a few people read, if at all.
Another critical issue is using Binance’s name in the user agreement when Binance had already publicly detached itself from any association with WazirX.
Rashmi Deshpande, founder of Fountainhead Legal, who specialises in technology laws, told Inc42 that if the user agreement is with the Indian entity Zanmai, and Binance continues to be named in the user agreements as responsible for peer-to-peer trading, both entities could be held responsible under Indian laws.
In response to Inc42’s queries, Binance stated that it did not acquire, nor does it own or operate, the WazirX platform, Zettai Pte Ltd, Zanmai Labs, or any of its affiliates. This includes operations related to P2P transactions on WazirX. Any claims suggesting that Binance controls or owns these transactions are incorrect, the spokesperson said.
Binance further claimed that Zanmai Labs’ reference to Binance in WazirX’s Terms of Use was false and misleading and that it was not authorised by the company.
The Binance spokesperson added, “We have been in communication with the WazirX team since July 18 to support their incident response efforts. We are deeply committed to the security and resilience of the entire cryptocurrency ecosystem. Our goal is to ensure the safety of the digital asset community by sharing best practices and advanced security measures. That said and for the avoidance of doubt, please be reminded that Binance does not manage or control any aspect of WazirX’s business or operations, including WazirX’s user funds.”
Those who invested through WazirX have questioned Shetty’s intention behind not releasing a copy of the FIR, the forensic report or other details pertaining to the ownership dispute with Binance.
As one user told us, even if WazirX had non-disclosure agreements with Binance, these were breached when the company was sharing details of the case with certain sections of the media to gain leverage over Binance.
“Technically, you have already breached the NDA in the past. You could at least share the nature of the lawsuit with Binance. We don’t even know the title of the lawsuit. That’s what is disturbing,” the WazirX user added.
Other WazirX insiders told Inc42 that Shetty had distanced himself from the company for an extended period while working on other projects. Most employees worked from home and there was a small setup at a WeWork property in Mumbai, but Shetty had minimal communication with the team.
Even in the two town hall meetings following the heist, Shetty has continued to fumble and deviate from what should have been the appropriate course of action. This includes the critical step of bringing more transparency to the process, especially considering the plight of over 4.4 Mn investors impacted in the heist.
While withdrawals were halted immediately, INR deposits remained open for a few days even after the hack.
Many investors, unaware of the situation, continued to deposit INR. However, these very investors are now unable to withdraw their funds in full and will only receive up to 66% of their money, with the rest potentially being lost.
Though Shetty claims to have lodged a complaint on July 19, the FIR was registered two weeks later, i.e. on August 5, 2024. A DCP from Karnataka confirmed to us that once an online cybercrime complaint is made, the FIR is registered immediately after the complaint copy is shared. Given the magnitude of the stolen amount, the FIR should have been registered instantly.
Inc42 spoke to Hemant Tiwari, DCP, IFSO, Delhi Police, who is supervising the investigation. Tiwari said that the complaint was registered only a couple of days before August 5, 2024. Initially, the WazirX team had filed the complaint with Mumbai Police, where the FIR was not registered. The complaint with Delhi Police came after this, and the FIR was registered thereafter.
To date, Shetty has not provided any evidence to support his claims regarding the timing of the complaint.
About the investigation, Tiwari hinted at onboarding a blockchain analysis firm. “The investigation is still in the initial stage, hence I won’t be able to disclose much in this regard,” he added.
Moreover, all proof-of-reserve reports published by WazirX consistently claimed a 1:1 reserve ratio, meaning that WazirX had more assets than liabilities. However, when asked for specific figures, WazirX failed to respond.
In its affidavit, WazirX provided details of the assets it has remaining.
However, this did not match the data shown by Coin Gabbar’s WazirX tracker. Multiple users have reported this.
The same issue extends to multiple tokens.
Investors that Inc42 spoke to raised a series of concerns, including why they were not consulted before onboarding Kroll.
“WazirX has set aside INR 100 Cr to cover legal expenses and bring Kroll on board for managing the moratorium process. This is investors’ money, not the company’s funds. Yet, investors were not taken into confidence for such major decisions,” said Ravi Kumar, a Noida-based investor who had invested over INR 2.5 Lakh on the WazirX platform.
Unocoin’s cofounder Sathvik Vishwanth also agreed that WazirX should not have kept INR 100 Cr set aside to fight the legal battle and said it should not have applied for a moratorium. “Once the business stops, everything stops. Instead, WazirX could have immediately returned the remaining amount to the users and could have continued the operation. This could have offered better chances to recover in the next 12 months.”
The Buck Needs To Stop With The Government
Can the Indian government and its investigative agencies continue to hide behind the claim that crypto is an unregulated territory? And what happens to cases of crypto scams and frauds where investors have been waiting for years for a resolution or a verdict?
“Whose responsibility is it to regulate cryptos if taxation is allowed? The Indian government has been charging 30% tax on all profits, even when there are losses on other crypto transactions. For what? If they can’t step up and help investors in these unprecedented times?” asked Praveen Singh, an investor with the WazirX platform.
It’s worth noting that since last year, the Financial Intelligence Unit (FIU) under the Ministry of Finance has been tasked with keeping records of all crypto exchanges and entities operating in the Indian market. This essentially means that any crypto entity must have FIU clearance to operate in India.
Binance has alleged that since Zanmai Labs, and not Binance, applied for the FIU licence, Zanmai Labs should be held accountable for the WazirX fiasco.
However, the bigger question remains: Why have no investigative agencies like the CBI or others come forward to investigate a case that impacts the lives of 4 Mn Indians, many of whom have invested precious life savings into crypto and are paying the requisite taxes for trading in cryptocurrencies?
Advocate Deshpande claims that the RBI and the Indian Government have time and again clearly mentioned the risk involved in cryptocurrencies. However, this warning sign is not enough to prevent investors from becoming victims of such attacks.
Now that India is home to one of the biggest crypto heists in history, it is high time that the Indian Government takes serious action on regulating the crypto space by introducing crypto-specific laws.
[Edited By Nikhil Subramaniam]