
Analysis of WazirX Crypto Exchange $230 million hack Linked to North Korea’s Lazarus Group
In July 2024, WazirX, one of India’s largest cryptocurrency exchanges, suffered a devastating hack resulting in the theft of approximately $230 million. The sophisticated attack involved compromising a multi-signature wallet through a combination of phishing tactics and a wallet upgrade to a malicious version, allowing the attackers to drain funds swiftly. This incident was attributed to the North Korean state-sponsored hacking group, Lazarus, known for their advanced persistent threat capabilities and a history of targeting financial institutions and cryptocurrency platforms globally. The Lazarus Group has been linked to several high-profile cryptocurrency heists, leveraging phishing, social engineering, and exploitation of system vulnerabilities to fund North Korea’s regime (International Business Times) (The Hacker News) (COINOTAG NEWS).
In this incident, the attackers compromised a multi-signature wallet and swiftly converted stolen tokens into Ether using various decentralized services, a common laundering tactic (International Business Times) (COINOTAG NEWS).
Blockchain intelligence firms Elliptic and crypto researcher ZachXBT both identified the attack’s characteristics as consistent with those of the Lazarus Group (International Business Times) (The Hacker News). The stolen assets included significant amounts of SHIB, ETH, and MATIC, among others. WazirX has since notified relevant authorities and is collaborating with cybersecurity experts to recover the funds (The Hacker News) (COINOTAG NEWS).
The attack on WazirX employed several sophisticated methods typical of advanced cybercrime operations:
1. Compromise of Multi-Signature Wallet. The attackers targeted a multi-signature smart contract wallet used by WazirX. This wallet required multiple approvals for transactions, but the attackers managed to gain control of the necessary private keys to authorize the transactions. Two of these keys were compromised directly, while the other two were obtained through a UI/wallet compromise involving signature phishing (COINOTAG NEWS).
2. Exploitation of System Vulnerabilities. The attackers practiced their exploit on-chain nine days before the actual theft, indicating a high level of preparation and understanding of the system’s vulnerabilities. They upgraded the secure multi-signature wallet to a malicious version, which allowed them to drain the funds (COINOTAG NEWS).
3. Conversion and Laundering of Stolen Assets. After gaining control of the assets, the attackers quickly converted a portion of the stolen tokens into Ether using various decentralized services. This step is part of a typical laundering process, making the funds more difficult to trace and recover (International Business Times) (The Hacker News).
4. Use of Decentralized Services. The stolen tokens were swapped for Ether through decentralized exchanges, which provide anonymity and are harder to regulate compared to centralized platforms. This method is consistent with previous tactics used by the Lazarus Group to obfuscate their tracks and launder the stolen assets (International Business Times) (COINOTAG NEWS).
Breakdown of WazirX $230 million hack with timeline:
Timeline of Events
1. Pre-Attack Preparation (9 days before the attack).
   - The attackers practiced their exploit on-chain, indicating advanced preparation and a deep understanding of the WazirX system’s vulnerabilities (COINOTAG NEWS).
2. Initial Compromise (Day of the attack).
   - Multi-Signature Wallet Compromise. The attackers compromised a multi-signature wallet by upgrading it to a malicious version. Two private keys were directly compromised, while the other two were obtained through a UI/wallet compromise involving signature phishing (COINOTAG NEWS).
3. Asset Draining (Immediate aftermath of the compromise).
   - The attackers initiated transactions to drain the funds from the compromised wallet. They swiftly transferred the assets to addresses under their control (International Business Times) (The Hacker News).
4. Conversion and Laundering (Shortly after the theft).
   - Token Swapping. The stolen assets were quickly converted into Ether and other cryptocurrencies using various decentralized services, which is a typical first step in laundering the stolen funds (The Hacker News) (COINOTAG NEWS).
   - Laundering Process. The attackers used decentralized exchanges to swap the tokens, leveraging the anonymity and less regulated nature of these platforms to obfuscate their tracks (International Business Times) (COINOTAG NEWS).
5. Post-Attack Investigation and Response.
   - Identification of Attackers. Blockchain intelligence firms like Elliptic and crypto researcher ZachXBT identified the attack as having the hallmarks of the Lazarus Group, a North Korean-linked hacking group (International Business Times) (The Hacker News).
   - Response Measures. WazirX notified relevant authorities, including the Financial Intelligence Unit-India (FIU-IND) and CERT-In, and collaborated with cybersecurity experts to investigate and recover the stolen funds. The exchange also paused trading temporarily and announced a bug bounty program to uncover actionable intelligence (The Hacker News) (COINOTAG NEWS).
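The draining step in the timeline (large transfers leaving the wallet to addresses the exchange had never paid before, within minutes) is the kind of pattern an exchange's own on-chain monitoring can alert on. The following is an added example written for this analysis, not WazirX's monitoring code or any vendor's product. It assumes the defender maintains an allowlist of routine counterparties (its own hot/cold wallets, known exchange deposit addresses) and a USD valuation per transfer; the transfer events, addresses and amounts below are constructed for illustration. The rule fires once per burst: when outflow to never-before-seen addresses inside a sliding window first crosses the threshold.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    ts: int       # unix seconds of the on-chain transfer
    token: str    # token symbol, informational only
    src: str      # sending address
    dst: str      # receiving address
    usd: float    # valuation of the transfer at the time it was observed


def detect_drains(transfers, hot_wallet, known_counterparties,
                  window_s=600, usd_threshold=1_000_000.0):
    """Return one alert per burst of outflow from `hot_wallet` to unknown addresses.

    An alert is (timestamp, usd_in_window, sorted list of unknown destinations) and is
    emitted the first time the windowed total crosses `usd_threshold`. The counterparty
    allowlist is deliberately static: nothing is 'learned' from the suspicious flow itself.
    """
    known = {a.lower() for a in known_counterparties}
    wallet = hot_wallet.lower()
    window = deque()
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src.lower() != wallet or t.dst.lower() in known:
            continue  # inbound traffic or a routine destination: not part of the rule
        # Drop transfers that fell out of the sliding window.
        while window and window[0].ts < t.ts - window_s:
            window.popleft()
        total_before = sum(x.usd for x in window)
        window.append(t)
        total_after = total_before + t.usd
        if total_before < usd_threshold <= total_after:
            alerts.append((t.ts, total_after, sorted({x.dst.lower() for x in window})))
    return alerts


# Constructed sample data (not real addresses or real WazirX transactions).
HOT = "0x" + "0" * 37 + "a11"
KNOWN_EXCHANGE = "0x" + "0" * 37 + "c01"
UNKNOWN_1 = "0x" + "0" * 37 + "d01"
UNKNOWN_2 = "0x" + "0" * 37 + "d02"

SAMPLE = [
    Transfer(1000, "ETH", HOT, KNOWN_EXCHANGE, 5_000.0),     # routine settlement
    Transfer(1900, "SHIB", HOT, UNKNOWN_1, 500.0),           # small test transfer
    Transfer(2000, "SHIB", HOT, UNKNOWN_1, 40_000_000.0),    # bulk drain begins
    Transfer(2030, "ETH", HOT, UNKNOWN_1, 20_000_000.0),
    Transfer(2100, "MATIC", HOT, UNKNOWN_2, 11_000_000.0),
]


def run_sample():
    return detect_drains(SAMPLE, HOT, [KNOWN_EXCHANGE])


if __name__ == "__main__":
    for ts, usd, dsts in run_sample():
        print(f"ALERT t={ts}: ${usd:,.0f} to unknown addresses within window: {dsts}")
```

The small transfer before the bulk drain stays below the threshold on its own but is still counted once the burst starts, so the alert carries the full amount moved to the unknown destination. In practice the threshold would be set relative to the wallet's usual daily outflow, and the alert would be wired to an automatic pause of further signing rather than only a notification.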
Key Points of the Attack:
- Multi-Signature Wallet Exploit. The attackers exploited vulnerabilities in the multi-signature wallet system by upgrading it to a malicious version and obtaining the necessary private keys.
- Advanced Preparation. The attackers practiced their exploit days before the actual theft, showing a high level of planning and sophistication.
- Use of Decentralized Services for Laundering. By converting the stolen assets into Ether using decentralized services, the attackers made it more challenging to trace and recover the funds.
Technical Details of the Attack:
1. Pre-Attack Activities.
   - On-Chain Practice. The attackers practiced their exploit on-chain nine days before the actual theft. This practice involved simulating the attack to ensure that the vulnerabilities could be effectively exploited when the real attack was launched (COINOTAG NEWS).
2. Compromise of Multi-Signature Wallet.
   - Wallet Upgrade to Malicious Version. The attackers upgraded the secure multi-signature wallet to a malicious version. Multi-signature wallets require multiple signatures (private keys) to authorize transactions, providing an additional layer of security. However, the attackers managed to bypass this security by compromising the wallet itself (COINOTAG NEWS).
   - Direct Key Compromise. Two of the four required private keys were directly compromised by the attackers. This likely involved phishing attacks or other social engineering techniques to gain access to these keys (COINOTAG NEWS).
   - UI/Wallet Compromise. The other two private keys were obtained through a user interface (UI) or wallet compromise. This may have involved signature phishing, where users are tricked into signing malicious transactions that give the attackers control over their assets (COINOTAG NEWS).
3. Execution of the Attack.
   - Draining of Funds. Once the attackers had control over the multi-signature wallet, they initiated transactions to drain the funds. The stolen assets included significant amounts of SHIB ($96 million), ETH ($52 million), and MATIC ($11 million), among others (COINOTAG NEWS).
   - Token Swapping. Immediately after the theft, the attackers converted a portion of the stolen tokens into Ether using various decentralized services. This step is part of the laundering process to make the stolen funds harder to trace (International Business Times) (The Hacker News).
4. Laundering Process.
   - Use of Decentralized Exchanges. The attackers used decentralized exchanges to swap the stolen tokens. These platforms provide a level of anonymity that centralized exchanges do not, making it more challenging to track the stolen assets. This is a common tactic used by the Lazarus Group in previous attacks (International Business Times) (COINOTAG NEWS).
5. Identification and Response.
   - Attribution to Lazarus Group. Blockchain intelligence firms Elliptic and crypto researcher ZachXBT identified the attack’s characteristics as consistent with those of the Lazarus Group. The group is known for its sophisticated cyber-attacks on financial institutions and cryptocurrency exchanges (International Business Times) (The Hacker News).
   - Response Measures. WazirX notified the Financial Intelligence Unit-India (FIU-IND) and CERT-In, and paused trading temporarily. They also announced a bug bounty program to uncover actionable intelligence that could lead to the recovery of the stolen assets (The Hacker News) (COINOTAG NEWS).
Additional Technical Aspects.
- Signature Phishing. This technique involves tricking users into signing a transaction that they believe is legitimate, but which actually grants the attacker control over their assets. This was one of the methods used to compromise the private keys (COINOTAG NEWS).
- Decentralized Service Utilization. The use of decentralized services for token swapping is a crucial step in the laundering process, as it makes it significantly harder to trace and recover the stolen funds due to the lack of centralized control and regulation (The Hacker News) (COINOTAG NEWS).
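Both the "Wallet Upgrade to Malicious Version" step and the "Signature Phishing" technique above rely on a signer approving a transaction whose real effect differs from what the interface showed. The defence is to check the raw transaction payload against a signing policy, independently of the UI, before any key signs it. The block below is an added example for this analysis, not WazirX's code and not a wallet vendor's implementation. It assumes a Safe-style multisig transaction with `to`, `value`, `data` and `operation` fields (0 = CALL, 1 = DELEGATECALL) and an operator-maintained table of allowed targets and function selectors; all addresses and the `0xdeadbeef` selector in the sample are constructed placeholders. The ERC-20 `transfer(address,uint256)` selector `0xa9059cbb` is the standard one.

```python
from dataclasses import dataclass

CALL, DELEGATECALL = 0, 1
# Standard ERC-20 transfer(address,uint256) selector (first 4 bytes of keccak-256 of the signature).
ERC20_TRANSFER = bytes.fromhex("a9059cbb")


@dataclass(frozen=True)
class ProposedTx:
    to: str          # contract or account the wallet will call
    value_wei: int   # native value attached to the call
    data: bytes      # ABI-encoded calldata: 4-byte selector + 32-byte words
    operation: int   # CALL or DELEGATECALL


@dataclass(frozen=True)
class SigningPolicy:
    wallet: str                       # address of the multisig contract itself
    allowed_targets: frozenset        # contracts the wallet is expected to call
    allowed_selectors: dict           # selector bytes -> human-readable function name
    max_value_wei: int                # cap on native value per transaction


def review(tx: ProposedTx, policy: SigningPolicy) -> list:
    """Return a list of policy findings; an empty list means the payload may be signed."""
    findings = []
    targets = {a.lower() for a in policy.allowed_targets}
    if tx.operation == DELEGATECALL:
        findings.append("DELEGATECALL: target code would run with the wallet's own storage "
                        "and can change owners, threshold or implementation")
    if tx.to.lower() == policy.wallet.lower():
        findings.append("self-call: transaction targets the wallet contract itself "
                        "(configuration or upgrade change, not a payment)")
    elif tx.to.lower() not in targets:
        findings.append(f"unknown target {tx.to}")
    if 0 < len(tx.data) < 4:
        findings.append("malformed calldata: shorter than a 4-byte selector")
    elif len(tx.data) >= 4:
        selector = bytes(tx.data[:4])
        if selector not in policy.allowed_selectors:
            findings.append(f"unknown function selector 0x{selector.hex()}")
        elif (len(tx.data) - 4) % 32 != 0:
            findings.append("calldata is not selector + whole 32-byte words")
    if tx.value_wei > policy.max_value_wei:
        findings.append(f"value {tx.value_wei} wei exceeds policy cap {policy.max_value_wei}")
    return findings


def describe(tx: ProposedTx, policy: SigningPolicy) -> str:
    """Plain-language summary derived from the raw calldata, never from what a UI displayed."""
    if tx.data[:4] == ERC20_TRANSFER and len(tx.data) == 68:
        recipient = "0x" + tx.data[16:36].hex()             # last 20 bytes of the first word
        amount = int.from_bytes(tx.data[36:68], "big")      # second word
        return f"ERC-20 transfer of {amount} base units of {tx.to} to {recipient}"
    name = policy.allowed_selectors.get(bytes(tx.data[:4]), "unknown function")
    op = "DELEGATECALL" if tx.operation == DELEGATECALL else "CALL"
    return f"{op} {name} on {tx.to} with {tx.value_wei} wei"


def encode_erc20_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(address,uint256): address left-padded to 32 bytes, then uint256."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")


# Constructed sample policy and transactions (placeholder addresses, not real contracts).
WALLET = "0x" + "0" * 37 + "5af"
TOKEN = "0x" + "0" * 37 + "70c"
TREASURY = "0x" + "0" * 37 + "bef"
POLICY = SigningPolicy(
    wallet=WALLET,
    allowed_targets=frozenset({TOKEN}),
    allowed_selectors={ERC20_TRANSFER: "transfer(address,uint256)"},
    max_value_wei=0,
)
BENIGN = ProposedTx(TOKEN, 0, encode_erc20_transfer(TREASURY, 10**18), CALL)
# Looks like "approve a wallet update" in a tampered UI, but is a delegatecall into the wallet itself.
PHISH = ProposedTx(WALLET, 0, bytes.fromhex("deadbeef") + bytes(32), DELEGATECALL)

if __name__ == "__main__":
    for tx in (BENIGN, PHISH):
        print(describe(tx, POLICY))
        print("  findings:", review(tx, POLICY) or "none, safe to sign")
```

The point of the check is that it never consults the screen a signer was shown: it decodes the bytes that will actually be signed and refuses anything that is not a known function on a known contract with a CALL operation. A phishing page can alter what a signer sees, but not what this review sees.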
By understanding these detailed technical aspects, one can better appreciate the sophistication and planning involved in such high-profile cyber-attacks, as well as the challenges faced in mitigating and responding to these threats.
The Lazarus Group
The Lazarus Group, a notorious North Korean hacking collective, has been involved in several significant cryptocurrency attacks in 2023 and 2024. These attacks often target exchanges and wallets to fund North Korea’s regime, including its weapons programs.
2023 Attacks
1. Atomic Wallet Heist (June 2023).
   - Details. Lazarus hackers breached Atomic Wallet, stealing over $35 million worth of cryptocurrency.
   - Method. The attack was attributed to compromised private keys and subsequent fund movements through mixers like Sinbad, which have been previously used by Lazarus (BleepingComputer) (Enterprise Technology News and Analysis).
2. CoinsPaid and Alphapo Hacks (July 2023).
   - Details. In a combined series of attacks, Lazarus stole approximately $60 million from Alphapo, a payment processing platform, and also targeted CoinsPaid.
   - Method. The attacks involved phishing schemes to obtain credentials and private keys, allowing hackers to drain hot wallets. The stolen funds were subsequently laundered through various exchanges and mixers (Devdiscourse) (BleepingComputer).
2024 Attacks
1. Huione Pay Incident (February 2024).
   - Details. Huione Pay, a Cambodian payment firm, unknowingly received over $150,000 in cryptocurrency from a wallet linked to Lazarus. This wallet was used to launder funds stolen from multiple crypto companies.
   - Method. The funds were funneled through phishing attacks on cryptocurrency companies, with the proceeds sent to various intermediaries and eventually converted into other cryptocurrencies (Devdiscourse).
Notable Techniques and Patterns
Lazarus Group employs a range of sophisticated techniques, including:
- Phishing Attacks. These attacks often involve fake job offers or other social engineering tactics to trick employees into compromising their accounts.
- Private Key Theft. By gaining access to private keys, hackers can directly control and transfer funds from targeted wallets.
- Use of Mixers and Decentralized Exchanges. Lazarus frequently uses cryptocurrency mixers like Tornado Cash and decentralized exchanges like Uniswap to obscure the origin of stolen funds and launder them effectively (BleepingComputer) (Enterprise Technology News and Analysis).
These attacks demonstrate Lazarus Group’s ongoing focus on exploiting vulnerabilities in the cryptocurrency ecosystem to support North Korea’s financial needs. The group’s activities continue to pose a significant threat to crypto exchanges and wallet providers worldwide.
Conclusion
The WazirX hack underscores the growing sophistication and persistence of cyber threats posed by the Lazarus Group. By exploiting vulnerabilities in multi-signature wallets and employing advanced phishing tactics, the group successfully executed one of the largest cryptocurrency heists in recent history, highlighting significant security challenges within the digital finance sector. This incident serves as a stark reminder of the need for robust cybersecurity measures and vigilant monitoring to protect against state-sponsored cyber adversaries. The Lazarus Group’s continued targeting of cryptocurrency platforms demonstrates their strategic intent to fund North Korea’s regime, emphasizing the broader geopolitical implications of such cybercrimes (International Business Times) (The Hacker News) (COINOTAG NEWS).