WazirX blames wallet provider Liminal for $230 mn crypto heist

Four weeks after initiating a probe into a cyberattack in which digital assets worth $230 million (₹2,000 crore) were stolen from one of its Multisig wallets, crypto exchange WazirX has said a forensic analysis by Mandiant Solutions, a Google subsidiary, found no evidence of compromise on the part of three WazirX laptops used for signing transactions. A multisig or a shared wallet is a crypto wallet that mandates two or more signatures to confirm and send a transaction.

WazirX had engaged cybersecurity firm Mandiant to conduct a forensic analysis. As part of this investigation, one of their tasks was to determine if any of the three laptops used by WazirX team members for performing transactions had been compromised. The cryptocurrency exchange says the company has received a clean chit from Mandiant. It blamed wallet service provider Liminal Custody, a Singapore-based digital asset custody and wallet infrastructure provider. "The wallet that was attacked was managed using Liminal’s digital asset custody and wallet infrastructure," WazirX says. The company says Mandiant submitted its report into the case on August 14, saying: "We did not identify evidence of compromise on the three laptops that were used for signing transactions."

WazirX adds: “We have full faith in the investigating agency and shall cooperate with them to the fullest extent. We are actively working on recovering the stolen funds and are hopeful those responsible will be brought to justice.”

In response to WazirX's statement, Liminal Custody said it cannot comment on the statement put out by WazirX, due to the "lack of any information on the scope and methodology of the audit". "Having said that, if one were to go by the information they’ve shared, this raises serious questions on the security of their network infrastructure, operational custody controls and overall security posture, given that they were the custodians for 5 of the 6 keys," a Liminal statement alleges.

Regarding its front-end and UI, Liminal says its preliminary audit reports show no breach in "front-end or UI". "We have empanelled more than one reputed independent auditor to conduct forensic analysis and our detailed reports are expected to arrive within this week. We are confident that the Liminal front-end and UI were not compromised and the report and findings will be shared as soon as they are made available to us."

Terming the incident "unfortunate", Liminal says the matter is being made out into a "Liminal vs WazirX social media battle", while so many users continue to suffer. "In the interest of absolute transparency at our end, we have empanelled more than one reputed auditor and are open to empanelling additional auditors, including the likes of Mandiant to conduct the UI audit as well."

Liminal had earlier blamed WazirX laptops for the alleged security breach, saying the incident originated from an "external source" or "client’s end". On the latest development, WazirX founder and CEO Nischal Shetty said he's glad that there was "no compromise" on WazirX's side. "We’re yet to hear credible answers from Liminal on: 1. What led to the cyberattack? 2. What is the extent of the breach in their systems? 3. Were any insiders involved at their end? 4. Why/How did Liminal’s website show us a genuine transaction that was supposed to be signed and yet send incorrect payload for signing? 5. Why and how did their firewall end up allowing the transaction which was not to the whitelisted address? 6. Why and how did they end up signing and approving this malicious transaction?"

He adds the Mandiant report should put to rest "any fingers pointing at WazirX" for wrongdoing or maliciousness. "WazirX followed industry best practices and the report proves that there was no compromise on WazirX side," he says via X, adding that in parallel, the company is working on the resolution to INR and crypto assets on the platform. "We will provide clarity to everyone on these soon."

WazirX on August 14, 2024, announced to end custody partnership with Liminal, alleging the cyberattack had happened via the wallet provider's interface. "We are in the process of migrating the remaining assets held with Liminal to new multisig wallets. While we believe our interface and systems remain uncompromised, the same cannot be said for the custodian's interface post the July 18th incident, prompting this precaution.”