On July 18th, the Indian cryptocurrency exchange platform WazirX was hacked, and its multi-signature wallet on the Ethereum network was stolen. A total of 234.9 million US dollars has been transferred to a new address, and the caller of each transaction is funded by Tornado Cash.

Later, WazirX officials responded to the theft incident on X, stating: "We have noticed a security vulnerability in one of our multi-signature wallets. Our team is actively investigating this incident. In order to ensure the safety of user assets, INR and cryptocurrency withdrawals will be temporarily suspended, and further updates will be provided in the future."

What are the stolen assets?

Later, according to Lookonchain monitoring, the Indian encryption trading platform WazirX was stolen assets of about 230 million US dollars, mainly involving:

543 trillion SHIB (about 1.02 billion US dollars);

15,298 ETH (about $52.5 million);

20.5 million MATIC (about 11.24 million US dollars);

64.027 billion PEPE coins (approximately $7.6 million);

579,000 USDT;

135 million GALA tokens (approx. $3.5 million).

Image source: Lookonchain

Fund Flow Tracking

Address detection

According to on-chain analyst Yu Jin's monitoring, these stolen assets are being sold for ETH through 0x35f...5ca (WazirX Exploiter 2) and 0x90c...1fd (WazirX Exploiter 3) Address, and then the exchanged ETH is transferred to 0x361...092 (WazirX Exploiter 4) Address.

Stolen assets stored Address (WazirX Exploiter 1):

on-chain出售资产Address (WazirX Exploiter 2/3):

Sell assets for ETH deposit Address (WazirX Exploiter 4):

Stolen asset transfer path, image source: residual embers

Asset Sale Tracking

Or affected by the news of 'WazirX being hacked with assets involving over $100 million SHIB', SHIB briefly dropped more than 5%, currently trading at $0.00001758.

The WazirX attacker has started selling SHIB, and has sold SHIB worth $618,000, with $95.45 million worth of SHIB remaining.

Progress of the investigation

On July 18, according to Beosin's detection, the early warning found that the Indian trading platform WazirX was attacked, and the attacker obtained the signature data of the long signing Wallet administrator of the trading platform, modified the logical contract of the Wallet, and made the Wallet execute incorrect logic to steal assets.

Attacker Address: 0x6eedf92fb92dd68a270c3205e96dccc527728066;

被攻击Address: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4.

Based on the attacker's attack behavior, it is speculated that the reason is the leakage of the administrator's Private Key of the long sign Wallet, Beosin briefly analyzes the attack reasons as follows:

1. Attacker deploys attack contract: 0x27fd43babfbe83a81d14665b1a6fb8030a60c9b4. The function of this contract is to withdraw the specified Token assets from this contract.

2. The attacker obtained the signature data of the wazirx long-sign Wallet administrator and modified the logic contract of the Wallet to the deployed attack contract. The corresponding transaction is: the attacker submits a Token withdrawal transaction to the wazirx long-sign Wallet, and due to the mechanism of the proxy mode, the Wallet contract will use deleGate.io call to invoke the relevant functions of the attack contract to transfer the Wallet Token.

BlockBeats will closely follow the on-chain dynamics, and provide readers with timely information on the sale of stolen assets and the subsequent feedback from trading platforms.