WazirX recently conducted an investigation following a sophisticated cyber attack on its multi-signature Ethereum wallet. The exchange found no evidence that the machines of WazirX signers were compromised during the attack. Instead, it pointed to a potential breach of Liminal’s security; Liminal is the exchange’s custody service provider.
The attack, which occurred earlier this month, raised concerns within the crypto community. Initially, the exchange attributed the hack to an issue with Liminal’s user interface. However, Liminal refuted this claim in their own investigation report, stating that compromised hardware wallets were the likely cause.
WazirX’s forensic analysis did not reveal any signs of malware or tampering on its signers’ devices. The malicious transactions were signed from devices at different locations, each accessing the legitimate Liminal website. Because the signatures themselves were valid and the signing devices appear clean, the exchange believes the breach lies within Liminal’s system rather than with its own signers.
WazirX outlined two possible scenarios to explain the breach: a compromise of Liminal’s infrastructure, or a compromise of the WazirX signers’ devices. Since the malicious transactions did not originate from WazirX servers and no tampering was found on the signers’ devices, the exchange considers a breach of Liminal’s security the more likely explanation.
The cyber attack on WazirX resulted in the theft of roughly 45% of the crypto it held, leading to a suspension of operations. However, the exchange assured users that their fiat currency deposits remained secure. WazirX is working with authorities to find a solution and is exploring partnerships to reimburse affected customers.
Cybersecurity experts have suggested that the North Korean Lazarus Group, known for advanced attacks on financial institutions and crypto exchanges, was involved in the attack. The incident underscores the challenges of securing multi-signature wallets, in particular the risk of blind signing, where a signer approves a transaction without being able to verify the actual contents of what is being signed.
WazirX stated that it had followed industry-standard security practices, such as verifying website URLs, using reputable platforms, and employing multi-factor authentication. Despite the breach, the exchange says it is committed to strengthening its security measures to prevent future attacks and protect user funds.