WazirX Hack — July 2024 Post-Mortem (Aggregated)
Incident Overview
On July 18, 2024, WazirX, an Indian cryptocurrency exchange, suffered a cyberattack in which approximately $234.9 million in digital assets were stolen from a multi-signature wallet used under a third-party custody arrangement with Liminal Custody. Global analysis later linked the attack to the Lazarus Group.
Multisig Wallet Configuration
WazirX's multisig wallet was a Gnosis Safe multisig wallet using a 4-of-6 signature scheme. Five keys were held by WazirX, while the sixth was controlled by Liminal's digital asset custody and wallet infrastructure service. Three WazirX and one Liminal signature were required to initiate transactions.
Attack Vector
• The attackers changed WazirX's multisig wallet to a malicious smart contract deployed by the attacker eight days earlier.
• By doing so, they bypassed the multisig and the whitelist, allowing them to send the transaction wherever they wanted.
• The attacker took advantage of discrepancies between how a transaction appeared in the Liminal interface and the actual transaction data — a "blind signing" attack.
• The discrepancy allowed the attacker to submit a transaction that appeared benign — causing the four parties to sign it — while including a malicious payload that upgraded the implementation contract to attacker-controlled code.
Accountability and Response
According to a report by Mandiant dated August 14, the cyberattack originated from Liminal Custody (Singapore-based). However, Liminal Custody disputed aspects of the forensic methodology and commissioned Grant Thornton for a comprehensive review.
WazirX terminated its custody agreement with Liminal and began moving assets to other secure institutional partners.
Recovery Status
On October 13, 2025, the High Court of Singapore sanctioned a creditor-approved restructuring scheme submitted by Zettai Pte Ltd., WazirX's Singapore-based entity. WazirX restarted operations on October 24, 2025, and returned 85% funds to users.