Analysis Summary

The Indian cryptocurrency exchange WazirX has acknowledged that $230 million worth of crypto assets were stolen as a result of a security incident that affected it.

"A cyber attack occurred in one of our wallets involving a loss of funds exceeding $230 million. This wallet was operated utilizing the services of Liminal's digital asset custody and wallet infrastructure from February 2023,” said the company.

The Mumbai-based business said that an inconsistency between the data that Liminal's interface showed and the data that was signed was the cause of the assault. It claimed that the payload was changed such that an attacker could take control of the wallet. One of the six signatories on the wallet is the cryptocurrency custody company Liminal, which is in charge of transaction verifications.

According to the initial findings, one of the multi-sig smart contract wallets for self-custody that was developed outside of the Liminal ecosystem has been compromised. It's also important to remember that any WazirX wallet built on the Liminal platform is still safe and secure. All of the malicious transactions that have been made to the attacker's addresses, however, have come from sources other than the Liminal platform.

The attack has all the characteristics of North Korean threat actors, according to blockchain analytics, and the attackers have gone so far as to exchange cryptocurrency assets for Ether through a variety of decentralized platforms. Another researcher confirmed this, stating that the WazirX breach may be another Lazarus Group attack.

Since at least 2017, threat actors connected to North Korea have a history of launching cyberattacks against the cryptocurrency industry to evade international sanctions placed on the nation. The UN announced earlier this year that it was looking into 58 alleged intrusions that nation-state actors carried out between 2017 and 2023 and that brought in $3 billion in illicit proceeds to support the advancement of their nuclear weapons program.

The revelation coincides with the conclusion of a concerted law enforcement investigation known as Spincaster, which targeted scam networks profiting illegally from approved phishing—a common strategy in which money is pilfered through phony cryptocurrency apps and romantic scams. Since May 2021, an estimated $2.7 billion has been stolen using this technique.

By tricking the user into signing a malicious blockchain transaction, the scammer can utilize the approval phishing technique to drain the victim's address of tokens at will by granting the scammer's address permission to spend particular tokens inside the victim's wallet.

Impact

• Cryptocurrency Theft
• Financial Loss
• Unauthorized Access

Remediation

• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.