Real-time tracking | India's largest trading platform WazirX was hacked, and hackers are selling stolen assets in large quantities

On July 18, the Indian cryptocurrency trading platform WazirX was hacked and its multi-signature wallet on the Ethereum network was stolen. A total of $234.9 million has been transferred to a new address, and the caller of each transaction was funded by Tornado Cash.

Subsequently, WazirX officials responded to the theft on X, saying: "We have noticed that one of our multi-signature wallets has suffered a security breach. Our team is actively investigating the incident. In order to ensure the safety of user assets, INR and cryptocurrency withdrawals will be temporarily suspended, and further updates will be provided in the future."

In addition, Arkham issued a reward of 1000ARKM for the $235 million theft of WazirX. Contributions including identifying KYC CEX deposits, uncovering the attacker’s identity, and successfully recovering funds will be rewarded, and any information submitted by participants will be shared with the WazirX team.

What assets were stolen?

Later, according to Lookonchain monitoring, about 230 million US dollars of assets were stolen from the Indian crypto trading platform WazirX, mainly involving:

5.43 trillion SHIB (about 102 million US dollars);

15,298 ETH (about 52.5 million US dollars);

20.5 million MATIC (about 11.24 million US dollars);

640.27 billion PEPE (about 7.6 million US dollars);

5.79 million USDT;

135 million GALA (about 3.5 million US dollars), etc.

Image source: Lookonchain

Fund flow tracking

Address detection

According to the on-chain analyst Yu Jin monitoring , these stolen assets are being sold for ETH through the 0x35f...5ca (WazirX Exploiter 2) and 0x90c...1fd (WazirX Exploiter 3) addresses, and then the ETH obtained is sold for ETH. Transfer to address 0x361...092 (WazirX Exploiter 4).

Address where stolen assets were stored (WazirX Exploiter 1):

https://debank.com/profile/0x04b21735e93fa3f8df70e2da89e6922616891a88/history

Address where assets were sold on the chain (WazirX Exploiter 2/3):

https://debank.com/profile/0x35febc10112302e0d69f35f42cce85816f8745ca
https://debank.com/profile/0x90ca792206ed7ee9bc9da0d0df981fc5619f91fd

Sell assets in exchange for ETH storage address (WazirX Exploiter 4):

https://debank.com/profile/0x361384e2761150170d349924a28d965f0dd3f092

The stolen assets transfer path, source: Embers

Assets Selling Tracking

2024-07-18 16:19

Maybe affected by the news that "WazirX stolen assets involve more than $100 million worth of SHIB", SHIB fell by more than 5% in a short period of time, temporarily reporting $0.00001758.

2024-07-18 16:41

WazirX attackers have started selling SHIB, and have sold $618,000 worth of SHIB, leaving $95.45 million worth of SHIB.

2024-07-18 18:53

WazirX hackers have sold $62.3 million worth of altcoins in exchange for 18,111 ETH.

Currently, the hacker still has $106.9 million worth of stolen altcoins waiting to be sold (mainly $80.33 million worth of SHIB). The ETH held has reached 33,409 ($115 million): including 15,298 ETH stolen from WazirX + 18,111 ETH sold from altcoins.

2024-07-18 20:36

Two minutes ago, the WazirX hacker address transferred all the remaining 3.6 trillion SHIBs to the shipping address 0x35fe... 745CA, worth up to $63.32 million.

Investigation progress

On July 18, according to Beosin Alert detection, the early warning found that the Indian trading platform WazirX was attacked. The attacker obtained the signature data of the multi-signature wallet administrator of the trading platform, modified the logical contract of the wallet, and made the wallet execute the wrong logic to steal assets.

Attacker address: 0x6eedf92fb92dd68a270c3205e96dccc527728066;

Attacked address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4.

Based on the attacker’s attack behavior, it is speculated that the cause is the leakage of the administrator’s private key of the multi-signature wallet. Beosin briefly analyzes the cause of the attack as follows:

1. The attacker deployed the attack contract: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. The function of this contract is to extract the token assets specified by this contract

2. The attacker obtained the signature data of the WazirX multi-signature wallet administrator and modified the wallet's logical contract to the deployed attack contract. The corresponding transaction is: https://etherscan.io/tx/0x48164d3adbab78c2cb9876f6e17f88e321097fcd14cadd57556866e4ef3e185d3. The attacker submits a token withdrawal transaction to the WazirX multi-signature wallet. Due to the proxy mode mechanism, the wallet contract uses delegatecall to call the relevant functions of the attack contract and transfer the wallet tokens.

Blockchain analysis provider Elliptic said that hacker groups associated with North Korea may be behind the "WAZIRX $235 million hacking incident". On-chain detective ZachXBT also said that through on-chain data analysis of hacker behavior, the WazirX hacking incident has the attack characteristics of the North Korean hacker group Lazarus Group. As early as July 10, the address conducted a test transaction from 0x09b multi-signature through SHIB, and Tornado transferred 6 GAS fees of 0.1 ETH.

ZachXBT said: "Hopefully the WazirX team will make their findings public. I solved the Arkham bounty issue and discovered a KYC exchange deposit made by the WazirX hacker, which unfortunately may not be very helpful because a KYC verified account can be easily purchased online for any transaction."

BlockBeats will keep a close eye on the dynamics on the chain and provide readers with timely information on the sale of stolen assets and subsequent feedback from the trading platform.

欢迎加入律动 BlockBeats 官方社群：

Telegram 订阅群： https://t.me/theblockbeats

Telegram 交流群： https://t.me/BlockBeats_App

Twitter 官方账号： https://twitter.com/BlockBeatsAsia