Archive for tag: WazirX

WazirX hacker launders over $64m, insider involvement suspected

The WazirX exploiter has laundered over $64 million via Tornado Cash, as allegations of insider involvement have surfaced.

According to PeckShieldAlert, on Sep. 13 the WazirX hacker moved 5,000 ETH, roughly $11.8 million, to a new address before laundering the stolen loot via cryptocurrency mixer Tornado Cash in a bid to obscure the trail.

With this latest transaction, the attacker has laundered about 27,600 ETH, valued at approximately $64.97 million, over the past weeks.

As the attacker moved the funds, reports surfaced alleging possible insider involvement in the $230 million breach that crippled what was once India’s biggest cryptocurrency exchange.

What are the allegations? 

An X account named Justice for WazirX Users, citing unnamed sources and data from a First Information Report filed with the Delhi Police, pointed out some unusual activities at the exchange before the hack.

The allegations claim the attacker used fake KYC information to open a WazirX account and deposited cryptocurrency, which was traded for GALA tokens.

On July 18, the day of the breach, the hacker began withdrawing GALA tokens, which caused the depletion of WazirX’s hot wallet. This forced the exchange to transfer additional GALA tokens from cold storage, managed by its former custodian Liminal, to replenish the hot wallet.

During this process, the hacker allegedly injected malicious code, causing the transfer of tokens from cold to hot storage to fail. As cold storage signatories made subsequent attempts to move the funds, the attacker managed to swipe their credentials in the process.

Having obtained the necessary signatures, the attacker allegedly used the WazirX team’s login session to initiate a final transaction on Liminal’s platform that upgraded the WazirX cold wallet contract, which ultimately led to the breach.

“Once these 3 signatures were submitted to Liminal, they provided the final 4th signature, allowing the contract to be upgraded,” JfWU added.

An analysis by Crystal Intelligence confirmed that the laptops of key personnel used for signing transactions were not compromised. A separate audit of Liminal’s system by Grant Thornton also found no evidence of a custodial breach, leading to more confusion.

JfWU argued that modifying the cold wallet’s smart contract would have been difficult without insider cooperation, raising suspicions of internal involvement.

The allegations are yet to be confirmed, but both JfWU and several WazirX customers are urging the Central Bureau of Investigation and the Enforcement Directorate to conduct a thorough investigation into the case.

WazirX’s restructuring attempt faces hiccups

Amidst this chaos, WazirX’s restructuring process, announced on Aug. 28, is facing hurdles as the exchange seeks customer support for a moratorium application under Singapore’s insolvency laws to secure approval from the Singapore court. 

However, the process hit a stumbling block as users expressed frustration over a poll that initially offered only a “Yes” option to support the application. On Sept. 12, following the backlash, WazirX management expanded the poll to include “No” and “No Position” options, allowing users to voice their opposition or remain neutral on the matter.

A Sept. 10 affidavit obtained by crypto.news showed that just 441 of WazirX’s 4.4 million users had come out in support of the proposal. A subsequent affidavit confirmed that a hearing on the moratorium application is set for Sept. 25, 2024, in the Singapore High Court.

Compiled and edited by: MSc Phạm Mạnh Cường
Source: Crypto News

WazirX hack sees $200m in crypto swapped for ETH to thwart blocking

Funds stolen via the July 18 hack on Indian crypto exchange WazirX are being swapped for Ether (ETH).

Data from the on-chain tracker SpotOnChain indicates the attacker has converted over $200 million worth of the siphoned assets to ETH. At the time of publication, the blacklisted wallet held 59,097 ETH.

15,298 ETH was stolen directly from WazirX’s multisig wallet, alongside 200 different crypto assets, including $102 million worth of SHIB, $11.25 million worth of MATIC, $7.6 million worth of PEPE, $7.79 million worth of USDT, and $3.5 million worth of GALA.

Most of these assets have been swapped for ETH with the wallet currently holding just over $11 million worth of altcoins such as Chromia (CHR), Celer Network (CELR), Frontier (FRONT) and Ooki (OOKI) tokens.

Meanwhile, blockchain analytics firm Lookonchain highlighted that the hacker made a deposit of 7.7 million DENT tokens to a Binance address, adding that the wallet “has not been used before.”

Iakov Levin, co-founder of Rivo, told crypto.news that the hacker likely swapped the ERC-20 tokens to Ether due to its high liquidity. He also underlined that it is “not possible to block ETH like stablecoins.”

ERC-20 token contracts can include a function that allows the contract owner to maintain a list of addresses that are prohibited from participating in token transactions. This is typically implemented using a mapping structure in the smart contract, which is checked before transfers are executed, thus preventing any interaction with the blacklisted addresses.

In contrast, ETH lacks this feature since it operates on the core Ethereum protocol, which does not allow for the modification of address permissions.

Akhsay Nassa, co-founder of Chimp DEX, also had a similar opinion, explaining that the attacker wants to prevent the funds from being frozen by authorities.

“With a large, active market, ETH allows for quick and fair trades. Moreover, its numerous cross-chain bridges and exchanges enable easy movement between blockchains, further obscuring the trail,” he added.

The attack was the result of the exchange’s wallet management system being exploited. There were discrepancies in data displayed for Liminal, the digital asset custody and wallet infrastructure provider for the exchange.

“We suspect the payload was replaced to transfer wallet control to an attacker,” the WazirX team said in its post-mortem of the incident.

Meanwhile, crypto sleuth ZachXBT speculated that North Korea’s Lazarus group may have been involved. Blockchain analytics firm Elliptic also came to a similar conclusion.

WazirX halted withdrawals for both crypto and fiat and has vowed to recover the funds.

Compiled and edited by: MSc Phạm Mạnh Cường
Source: Crypto News