
Cyber Incident Victim: WazirX

Date:

Jul 2024

Location:

India

Summary

A cyber attack on a multisig wallet operated by WazirX resulted in the theft of over $230 million in funds. The wallet, managed through Liminal’s custody infrastructure, required three approvals from WazirX signatories using Ledger Hardware Wallets followed by a final authorization from Liminal, with transactions restricted to whitelisted addresses. Attackers exploited a discrepancy between Liminal’s interface display and actual transaction data, potentially replacing payloads to redirect control and bypass security measures including Gnosis Safe protocols and address whitelisting. The exchange has initiated recovery efforts by blocking suspicious deposits and engaging external resources to trace the stolen assets.

CIA Posture: available to members

Motives: 6 motives (details available to members)

Tactics, Techniques & Procedures: 1 technique (details available to members)

Threat Actor: 1 actor

Threat Actor Type: available to members

Threat Actor Location: available to members

Description

On July 18, 2024, WazirX disclosed a cyber attack targeting one of its multisig wallets, resulting in the theft of over $230 million in cryptocurrency assets. The compromised wallet had been operated using Liminal’s digital asset custody and wallet infrastructure since February 2023. The wallet’s security configuration involved six authorized signatories: five from WazirX’s internal team and one from Liminal. Standard transaction approvals required three separate verifications from WazirX signatories—all of whom utilized Ledger Hardware Wallets—followed by a final authorization from Liminal’s designated signatory. A whitelisting policy for destination addresses was enforced through Liminal’s interface, restricting transactions exclusively to pre-approved addresses configured by Liminal, with WazirX personnel only able to initiate transfers to these whitelisted destinations.


The attack exploited a critical discrepancy between the transaction data displayed on Liminal’s user interface and the actual payload executed on-chain. During the incident, malicious actors manipulated this interface to conceal the true nature of the transaction being signed, potentially substituting legitimate instructions with malicious ones that transferred control of the wallet to the attacker. Despite security measures including the Gnosis Safe multisig smart contract platform and Liminal’s whitelisting safeguards, the attackers bypassed these controls to execute the theft. WazirX characterized the breach as a force majeure event beyond its control but initiated immediate response actions, including blocking certain deposits and engaging with external wallets linked to the stolen funds in recovery efforts. The company pledged ongoing collaboration with specialized resources to trace and reclaim the assets while committing to further updates as its investigation progressed. The affected wallet address, 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4, was publicly identified in the disclosure.

Sources
Sources available to members
1 source