In August, a little over a month after the roughly $234 million WazirX heist, the Intelligence Fusion and Strategic Operations (IFSO) unit of Delhi Police arrested one individual, according to a chargesheet on the initial findings that YourStory has viewed.
In July, cryptocurrency exchange WazirX suffered a cyberattack resulting in hackers allegedly stealing more than $230 million worth of assets from the platform. A month later, the company said that it had filed a first information report (FIR) in New Delhi a day after the cyberattack.
The chargesheet states that suspicious activity, which appeared to be carried out by a WazirX user who had joined the platform a week before the hack, was traced back to a different individual from Medinipur, West Bengal.
In an interrogation, the accused disclosed that he came into contact with a buyer of crypto accounts through the messaging service Telegram. He added that the buyer offered him a “good amount on getting crypto accounts of WazirX with credentials,” the document notes.
Telegram lets users register without tying the account to a physical SIM card. It also offers optional end-to-end encrypted “secret chats”, which are difficult for third parties to intercept; ordinary Telegram chats are not end-to-end encrypted and are readable on Telegram's servers.
The accused then found an individual under whose name and KYC documents he could open a WazirX account, while that individual had no control over it. The accused sold the account credentials over Telegram to a person identified in the chargesheet as M Hasan. In return he received 8 USDT (about Rs 677), paid into his Binance account.
The investigation verified the details and found a screenshot of the accused receiving payment from M Hasan. Following the chain of events, the accused was arrested.
Investigators have sent a notice to Telegram to obtain details of M Hasan’s ID.
On what comes next, an independent lawyer, speaking on condition of anonymity, says, “The Special Cell has given notices to different authorities, such as those whose IP addresses have come up in the investigation and the party whose VPN service was used. When these parties respond, police will file a supplementary chargesheet, and as new names come up in the investigation, they will also be booked under the same crime.”
The chain of events
WazirX replenishes its hot wallets by transferring funds from its cold wallets when balances run low. Hot wallets are connected to the internet and enable quick transactions while cold wallets are stored offline and provide greater security.
The hackers exploited this replenishment cycle. By withdrawing and draining large amounts of GALA, an Ethereum-based token, from the hot wallet, they forced the company to top up its GALA balance with funds from its cold wallet.
The cold wallet in question was a multisig wallet whose infrastructure was operated by a third party, Liminal Custody. The wallet had six signatories, five from the company and one from Liminal. Any transaction from it required approval from three of the company's signatories, followed by a final authorisation from Liminal.
According to the chargesheet, WazirX suspects that the hackers inserted a payload into the transaction that was designed to transfer control of the wallet to themselves.
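The approval flow described above, three company signatures and then the custodian, only protects the wallet if every signature covers the exact payload that is finally executed and the payload itself is checked against what a cold-to-hot top-up should look like. The following is an added illustration written for this article; it is not WazirX's or Liminal Custody's code, and the signer names, addresses and policy rules are assumed for the demonstration. It models the policy as a check that (a) each approval is a signature over this payload's digest, (b) at least three company signers and the custodian have signed, and (c) the payload is a plain token transfer to a known hot wallet rather than a contract call that could alter who controls the wallet.

```python
# Added illustration of a cold-wallet approval policy; not WazirX's or Liminal Custody's code.
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Transfer:
    """A proposed transaction out of the cold wallet."""
    to: str                # destination address
    token: str             # asset being moved (e.g. "GALA")
    amount: int            # amount in token base units
    calldata: str = ""     # contract-call payload; empty for a plain transfer

    def digest(self) -> str:
        """Hash of the exact payload the signers are asked to approve."""
        body = json.dumps(self.__dict__, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()


@dataclass
class ColdWalletPolicy:
    """Approval rules modelled on the article: three company signers, then the custodian."""
    company_signers: frozenset
    custodian: str
    hot_wallets: frozenset          # the only destinations a top-up may go to
    allowed_tokens: frozenset
    company_threshold: int = 3

    def check(self, tx: Transfer, approvals: dict) -> tuple:
        """approvals maps signer id -> digest that signer actually signed.

        Returns (approved, reason)."""
        want = tx.digest()
        # A signature over a different payload (e.g. one swapped in after review) does not count.
        valid = {s for s, d in approvals.items() if d == want}
        company = valid & self.company_signers
        if len(company) < self.company_threshold:
            return False, f"only {len(company)} of {self.company_threshold} company signatures"
        if self.custodian not in valid:
            return False, "custodian has not authorised this payload"
        # Content checks: a cold-to-hot top-up is a plain token transfer to a known hot wallet.
        if tx.calldata:
            return False, "payload is a contract call, not a plain transfer"
        if tx.to not in self.hot_wallets:
            return False, f"destination {tx.to} is not a company hot wallet"
        if tx.token not in self.allowed_tokens:
            return False, f"token {tx.token} is not permitted for top-ups"
        return True, "approved"


# Constructed sample data for the demonstration (hypothetical signer ids and addresses).
POLICY = ColdWalletPolicy(
    company_signers=frozenset({"c1", "c2", "c3", "c4", "c5"}),
    custodian="custodian",
    hot_wallets=frozenset({"0xHOT1"}),
    allowed_tokens=frozenset({"GALA"}),
)


def sign(tx: Transfer, signers) -> dict:
    """Every listed signer signs the digest of this exact transaction."""
    return {s: tx.digest() for s in signers}


def demo():
    top_up = Transfer(to="0xHOT1", token="GALA", amount=10_000)
    ok_full = POLICY.check(top_up, sign(top_up, ["c1", "c2", "c3", "custodian"]))
    too_few = POLICY.check(top_up, sign(top_up, ["c1", "c2", "custodian"]))
    # Three signers approved the top-up, but the payload presented for execution differs.
    swapped = Transfer(to="0xATTACKER", token="GALA", amount=10_000, calldata="0xdeadbeef")
    stale = POLICY.check(swapped, {**sign(top_up, ["c1", "c2", "c3"]), "custodian": swapped.digest()})
    # Even with all four signing it, a payload that is not a plain top-up is refused.
    bad_content = POLICY.check(swapped, sign(swapped, ["c1", "c2", "c3", "custodian"]))
    return ok_full, too_few, stale, bad_content


if __name__ == "__main__":
    for name, result in zip(["full", "too_few", "stale", "bad_content"], demo()):
        print(name, result)
```

The two failure cases at the end are the ones that matter in practice: a signature only counts for the digest it was actually made over, so a payload substituted after three reviewers approved it starts again from zero company signatures, and the content rules reject a contract call even when every signer has approved it. Whether a real custody setup enforces content rules of this kind, and at which layer, is outside what the article reports.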
The chargesheet also indicates that WazirX has written to Indian and international cryptocurrency exchanges and service providers asking them to block and freeze the wallet addresses in which the stolen funds are parked.
During the investigation, the three laptops used by the authorised signatories of Zanmai Labs, which operates WazirX in India, to approve transactions from the multisig wallet were seized. An initial examination of these devices found no unauthorised local or remote access. The results of a fuller forensic examination are still awaited.
WazirX declined to comment on YourStory’s queries as the matter is under judicial consideration.