In yet another twist in its woeful tale, WazirX – one of India’s leading cryptocurrency exchanges – has abandoned plans to distribute its financial losses equally among all of its over 16 million users, according to reports.
The decision came as the result of a week-long poll that ended on August 3rd, where WazirX asked its customers how they felt about socialising the losses suffered in the July 2024 cyberattack, where $230 million worth of financial loss would be divided equally across WazirX’s entire user base. It comes as no surprise that WazirX users have overwhelmingly voted against this move by the crypto exchange, and for the moment WazirX is back to square one, looking for a fresh approach to end this nightmare – both for itself and its millions of users.
The WazirX hack of July 2024 was a significant cyberattack that targeted one of the exchange’s multi-signature wallets (also shortened to multisig wallets). This type of wallet requires multiple private keys to authorise transactions, adding a layer of security. However, in this instance, attackers exploited a discrepancy between the data displayed on the wallet management interface and the actual transaction details. This allowed them to manipulate the system and gain control of the wallet, resulting in the theft of over $230 million worth of cryptocurrencies.
On July 18th, Cyvers, a Web3 security company that provides real-time detection and prevention of crypto attacks, detected suspicious transactions involving WazirX’s Safe Multisig wallet on Ethereum, moving approximately $234.9 million to a new address via Tornado Cash. Later that day, WazirX confirmed the breach on X (formerly Twitter), paused all INR and crypto withdrawals, and began an investigation.
On July 20th, after filing an FIR with the police, notifying CERT-In and Financial Investigations Unit, WazirX CEO Nischal Shetty outlined next steps: preparing a bounty program, tracing fund movements, and further collaboration with exchanges and security experts. WazirX launched a bounty program with rewards up to 10% (up to $23 million) and temporarily suspended trading on the platform.
Also read: WazirX NFT marketplace: Everything you need to know
On July 23rd, WazirX CEO Nischal Shetty informed users about ongoing work with partners and assured that INR funds were untouched. He claimed that the WazirX platform wasn’t breached, and the breached multi-sig wallet was hosted outside of WazirX infrastructure – on Liminal, a digital asset custody platform.
Only July 27th, WazirX introduced the controversial socialised loss strategy (55/45 approach) to divide damage across users, offering two options for managing remaining assets: Allowing customers to trade and HODL assets with priority recovery efforts, but not allowing any withdrawals. The second choice given was for users to trade and withdraw funds, but they won’t be recipients of any recovery benefits – recovery efforts benefits would prioritise compensation of customers who weren’t allowed to withdraw their crypto assets.
Of course, any exchange that attempts to distribute the financial burden of a hack onto its users through a socialised loss model is inviting a storm of investor anger, as vividly demonstrated by the public outcry against WazirX’s proposed 55/45 solution.
Crypto community influencers, not to mention the general public at large, has been calling out WazirX’s questionable strategy in the aftermath of the cyber breach. Aditya Singh, co-founder of CryptoIndia with 315K YouTube subscribers, pointed out how WazirX hasn’t been fully transparent with its users.
Similarly, Kashif Raza, founder of Bitinning with 52K YouTube subscribers, echoed sentiments of disgruntled WazirX users, asking for some very simple and very basic information from WazirX, which hasn’t been forthcoming.
Deepak Shenoy, founder of Capital Mind, thinks this “should be the end of WazirX.” The idea of a theft being used to “charge all their users” is nothing short of preposterous, in complete contrast to the correct legal way to go forward.
Even CoinDCX’s Sumit Gupta criticised this approach, urging WazirX to take financial responsibility from its reserves instead. “The first contribution to losses should ALWAYS come from the Company (i.e. WazirX in this case) and the treasury and assets the company holds. I have not seen any such commitment around this from the company side, instead making customers directly absorb the 45% losses is utter nonsense,” Gupta tweeted earlier last week.
As WazirX navigates this tumultuous period, it has its work cut-out to regain user trust, as it attempts to address the financial fallout of the cyber breach without placing undue burden of the hack on its users. Apart from bolstering its security measures and cyber defences, WazirX could also seek external funding to cover the losses – as reports mentioned of the company seeking the help of Binance, the world’s largest cryptocurrency exchange by trading volume, to cover for its losses. Let’s hope the company’s leadership is more transparent with its community, working on genuine customer feedback in re-starting operations soon.
This incident also raises significant questions about the regulatory framework governing cryptocurrency exchanges in India. The Securities and Exchange Board of India (SEBI) and the Reserve Bank of India (RBI) have so far maintained a cautious stance on digital currencies, but the scale of the WazirX hack might prompt a reevaluation of existing policies. Ensuring robust fiduciary responsibility and safeguarding public money in capital markets is paramount. As digital assets become more mainstream, there is a pressing need for comprehensive regulations to protect investors and maintain the integrity of the financial system for enhanced user trust.
Also read: WazirX CEO Nischal Shetty launches Shardeum Blockchain