North Korean hacker group Lazarus Group identified as suspect in WazirX incident, preparations for the theft began eight days in advance

The recent breach of the WazirX cryptocurrency exchange, resulting in a loss of $235 million, has revealed alarming insights into the preparation and execution of the hack, with the North Korean hacking organization Lazarus Group being identified as the prime suspect.

According to Mudit Gupta, Chief Information Security Officer of Polygon Labs, the hackers had been laying the groundwork for the attack at least eight days before its execution on July 18.

Details of the Hack

Preparation Phase:

• Onchain Practice: The hackers began "practicing" the hack onchain over a week prior to the actual attack. This involved upgrading the multisig wallet to a malicious version that would eventually allow them to drain it.
• Multisig Upgrade: Instead of directly draining the wallet, the hackers upgraded the multisig to a compromised version. Gupta speculated that this was due to the complexity and time required for draining, as well as the potential difficulty in obtaining all necessary private keys through signature phishing multiple times without detection.

Execution Phase:

• Hacking the Multisig Wallet: On July 18, the hackers exploited the upgraded multisig wallet, draining it of hundreds of millions of dollars in various cryptocurrencies.
• Blame on Lazarus Group: The sophisticated nature of the attack led to suspicions that the Lazarus Group, a North Korean hacking organization known for high-profile cybercrimes, was behind the breach.

Aftermath and Response:

• Force Majeure Declaration: WazirX described the attack as a "force majeure event beyond our control" in a follow-up post on X (formerly Twitter).
• Immediate Actions: The exchange blocked several deposits and contacted affected wallets in an attempt to recover some of the stolen funds.
• Temporary Withdrawal Freeze: In response to the hack, WazirX temporarily froze withdrawals to prevent further losses and secure the remaining assets.

Industry Implications

The WazirX breach underscores several critical points for the cryptocurrency industry:

• Enhanced Security Measures: There is an urgent need for exchanges to adopt stronger security protocols, including rigorous multisig wallet management and regular security audits.
• Awareness of Sophisticated Threats: The involvement of advanced hacking groups like Lazarus Group highlights the importance of staying vigilant against highly sophisticated cyber threats.
• Regulatory and Community Response: The crypto community and regulators must work together to develop robust frameworks and collaborative efforts to prevent such incidents and mitigate their impact when they occur.

Conclusion

The WazirX hack serves as a stark reminder of the vulnerabilities within the cryptocurrency ecosystem. It emphasizes the need for heightened security measures, proactive threat detection, and a coordinated response to cyberattacks to protect investors and maintain trust in digital asset platforms.