$235 Million Crypto Theft from WazirX Was ‘Perpetrated’ By North Korean Hackers, Report Reveals

Indian cryptocurrency exchange WazirX has reportedly lost approximately $235 million in digital assets due to a significant cybersecurity breach that occurred in the early hours of Thursday.

According to the post shared by the firm on X, the breach appeared to have targeted their multi-sig wallets, resulting in a substantial amount of funds being lost.

Following the hack, blockchain analytics firm Elliptic, in its latest report, attributed the theft to hackers with links to North Korea. This was echoed by ZachXBT in a recent post on X, which said that the “WazirX hack has the potential markings of a Lazarus Group attack.”

This marks the event as one of the largest cryptocurrency thefts tied to the nation. In the report, Elliptic stressed that this is not a one-time event but part of an ongoing pattern of attacks by North Korean groups on some of the biggest names in cryptocurrency.

Notably, the majority of the stolen funds were spread across a variety of crypto assets, from major tokens such as Ethereum to others including Shiba Inu, PEPE, MATIC, and Floki, highlighting the hackers’ broad targeting spectrum.

Stolen crypto assets from WazirX hack. | Source: Elliptic

Tracking the Digital Trail

According to the investigation ZachXBT shared on X, after the hack the stolen assets were transferred to another address funded by the mixing service Tornado Cash, a platform often used to hide where crypto funds came from.

2/ The theft address I will start from is 0x6ee which was doing test transactions on July 10th from 0x09b multisig with SHIB and was funded with 6 X 0.1 ETH from Tornado.

0x6eedf92fb92dd68a270c3205e96dccc527728066

A technical breakdown of the attack by Mudit can be found below https://t.co/Q86k8o7oBg pic.twitter.com/JeU66hyOkI

— ZachXBT (@zachxbt) July 18, 2024

This pattern of moving stolen assets is a hallmark of the methods these cybercriminals employ to launder their gains. Elliptic has highlighted it in previous attacks orchestrated by North Korean hackers, and it indicates an ongoing playbook for hiding their digital fingerprints.

Decentralized exchanges (DEXs) were also used to swap the stolen crypto assets for Ethereum. This step in the laundering process helps the perpetrators avoid detection and makes the stolen funds harder to track.

Elliptic has updated its systems to flag any transactions involving the compromised addresses, thereby aiding its clients in avoiding inadvertently handling stolen funds.

Further Details Unveiled

Furthermore, in response to this incident, ZachXBT has identified a KYC-linked deposit address used by the exploiter to receive funds from the WazirX exploit. This move may be slightly helpful in tracking down the exploiter.

This bounty has been solved by ZachXBT

@ZachXBT submitted definitive evidence of a KYC-linked deposit address used by the exploiter to receive funds from the WazirX exploit. This fulfills one of the criteria of the bounty – ‘Identifying a KYC centralized exchange deposit’.

This… https://t.co/6rerMi65zC

— Arkham (@ArkhamIntel) July 18, 2024

According to ZachXBT, in a scenario like this, “KYC means nothing as KYC verified accounts can be easily purchased online for [less than] $100.”

This means that unless the hacker used their real identity for the exchange used in depositing the stolen funds, the KYC-linked deposit address reported by ZachXBT may not be that useful.

The global digital currency market cap value on the 1-day chart. Source: Crypto TOTAL Market Cap on TradingView.com
