WazirX Hack: Inside Job or External Attack?

On July 18, 2024, India’s cryptocurrency community was shaken when WazirX, the country’s leading exchange, revealed that it had fallen victim to a massive hack. Around $235 million (₹2,000 crore) was siphoned from a single wallet, with early investigations pointing toward the notorious North Korean hacker group, Lazarus.

However, the narrative took an unexpected turn when, on November 26, a group of disgruntled WazirX users, rallying under the banner “Justice for WazirX Users,” took to social media to suggest that the hack may not have been an external attack. Instead, they raised the possibility of an inside job.

The Allegations Begin

The accusations came in the form of a viral Twitter thread, which paints a picture of a company struggling under financial pressure, regulatory challenges, and internal turmoil. The timeline provided by these users connects a series of events dating back to February 2022, when India imposed a 30% tax on cryptocurrency profits, which devastated WazirX’s trading volume and profitability.

The thread suggests that this was the beginning of WazirX’s financial woes. Just two months later, in April 2022, WazirX’s founders, Nischal Shetty and Siddharth Menon, relocated to Dubai. This move raised further suspicion, especially in the context of India's increasing scrutiny of the crypto space. Was this a tactical move to shield themselves from growing regulatory pressures, or simply a misunderstanding by the public?

Things escalated in August 2022 when India’s Enforcement Directorate froze $8 million in WazirX assets, alleging money laundering activities. While WazirX denied the charges, the move tarnished its reputation and put additional strain on the platform.

The problems deepened in early 2023 when Binance, WazirX’s former partner, severed ties with the platform due to governance disputes. By January 2024, India officially banned Binance, forcing many users to return their assets to WazirX, which then centralized $235 million (₹2,000 crore) in a single wallet — a risky move, given the potential vulnerability.

The Hack: Questions and Concerns

In July 2024, the inevitable happened — the $235 million was stolen from that centralized wallet. Critics immediately questioned why WazirX had consolidated such a vast amount of funds in one place. Was this a sign of negligence, or was it part of a more sinister, calculated plan? Could it have been a staged hack?

A Web of Financial Discrepancies

The drama surrounding the hack has only intensified as new financial discrepancies have come to light. In September, the YouTube channel Crypto India examined WazirX’s second affidavit and exposed significant flaws in the platform’s financial reporting. The revelations were damning, including discrepancies in the value of funds lost during the hack. Initially, WazirX reported that 42% of its funds were stolen, but later revised this to 45%.

Moreover, the platform’s financial statements were troubling. WazirX had spent $79 million (nearly 80% of its 2022 revenue) on sales and marketing, but with no clear breakdown of how those funds were used. Another $15 million was listed as administrative expenses, yet no details were provided. These issues raised further questions about the platform's internal controls and transparency.

WazirX’s moratorium application in Singapore also fueled suspicions. Of WazirX’s 4.2 million users, only 431 supported the moratorium, accounting for a mere 0.01% of the user base. Financially, these supporters represented just $9.2 million in liabilities, far below the $410 million threshold required for the moratorium’s approval.

Legal Battles and Rival Allegations

The fallout has extended to legal actions as well. Rival platform CoinSwitch filed a lawsuit in September to recover funds allegedly trapped on WazirX after the hack. CoinSwitch claims WazirX failed to clarify whether its tokens were stored in compromised wallets, further raising suspicions of potential misconduct.

Despite WazirX’s claims of maintaining a secure infrastructure, the lack of audit reports or detailed incident analyses left users with more questions than answers. The absence of transparency only added to the growing distrust.

WazirX’s Plan to Compensate Users

As the pressure mounts, WazirX has proposed a repayment plan for its users, promising eventual compensation, though it comes with conditions. Users are facing a 48% haircut on their funds, which WazirX says will be addressed gradually over time.

A "rebalancing calculator" has been introduced to calculate the exact amount each creditor is owed. However, this plan hinges on WazirX's ability to restart operations and generate revenue, with the exchange aiming to launch a decentralized platform, potentially India’s largest DEX, and ramp up trading volumes.

Ongoing Allegations and Unanswered Questions

The saga took another twist when in October, Delhi High Court reviewed a petition filed by investor Jaivir Bains. The petition alleged that WazirX had merged funds from hacked and unhacked accounts, which violated its user agreement and regulatory standards. The petition urged an investigation by India’s Financial Intelligence Unit (FIU) and Enforcement Directorate (ED).

While the court acknowledged the severity of the allegations, it found no prima facie evidence to support claims of a self-inflicted hack. The case was directed to civil courts, but the police also launched an investigation, which included the arrest of a suspect linked to the breach.

A Systemic Failure?

The WazirX hack remains surrounded by uncertainty, with no clear answers emerging yet. Whether it was the result of an external attack or an inside job disguised as one, the truth is still unclear.

However, this incident has exposed deep vulnerabilities within the crypto ecosystem and highlighted the shortcomings of India’s regulatory framework in addressing such issues. Millions of users are still waiting for compensation, with many facing financial devastation. The lack of decisive action by India’s regulatory bodies has only compounded the frustration.

WazirX’s restructuring process, which is under review by Singapore’s High Court, has shifted the focus abroad, leaving Indian users in limbo as their country’s legal system struggles to provide timely justice. The victims’ plight has sparked outrage, as many users face the harsh reality of losing their life savings.

Conclusion: Trust Eroded, Truth Elusive

The WazirX hack raises broader questions about the security of cryptocurrency platforms and the role of regulators in overseeing such incidents.

Whether the hack was truly an external breach or a cover-up, the damage to user trust has already been done. With millions of dollars on the line and users’ futures uncertain, the case is a sobering reminder of the risks in the crypto world — and the critical need for robust regulations and transparency.