WazirX attacker converts $235 million theft into Ethereum, holds nearly 60K ETH
The exchange described the attack as a "force majeure" event beyond its control.
On-chain data shows that the WazirX exploiter has converted most of the stolen assets from the Indian crypto platform into Ethereum.
On July 18, WazirX was exploited for around $235 million in several digital assets, with blockchain investigators suggesting that the North Korea-backed Lazarus Group perpetrated the attack.
While the exchange quickly implemented measures to stop the theft, recovering the funds seems unlikely as the attacker actively converts the stolen assets into ETH, the second-largest digital asset by market capitalization.
WazirX exploiter holds nearly 60,000 ETH.
Blockchain analyst Lookonchain reported that the WazirX exploiter had converted most of the stolen assets to 43,800 ETH, worth $149.46 million. This brings the attacker's total ETH holdings to 59,097 ETH, valued at around $201.67 million.
Market observers suggested that the asset conversion was part of a sophisticated money laundering technique that also involves using crypto mixing services like Tornado Cash to obfuscate the transaction trails.
Despite this, the exploiter’s address still holds up to $15 million worth of other, lesser-known digital assets. This includes 1.66 billion DENT, worth $1.56 million, and 6.76 million CHR, worth $1.72 million, among others.
Meanwhile, on-chain data shows the exploiter sent 7.7 million DENT, worth $7,300, to a new Binance deposit address. Lookonchain said:
“It is worth noting that the WazirX exploiter deposited 7.7 million DENT ($7.3K) to a Binance deposit address that has not been used before.”
‘Force Majeure’
A post-mortem report from the exchange showed that the affected wallet used Liminal’s services, a digital asset custody and wallet infrastructure provider.
WazirX explained that the exploit resulted from discrepancies between the data on Liminal’s interface and the transaction’s content. It wrote:
“During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker.”
The exchange also described the attack as a “force majeure” event beyond its control and assured it was actively working to recover the stolen funds.
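The mismatch WazirX describes, between what the interface displayed and what was actually signed, is the kind of gap a signer can close by decoding the raw payload independently of the interface before approving it. The sketch below is an added example, not code from WazirX or Liminal: it assumes the displayed operation is an ERC-20 `transfer`, and the `DisplayedIntent` structure, function names and sample addresses are hypothetical.

```python
# Added example: compare what a signing UI displays with what the raw payload encodes.
from dataclasses import dataclass

TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # ERC-20 transfer(address,uint256)

@dataclass(frozen=True)
class DisplayedIntent:
    """What the custody interface shows the human signer (hypothetical structure)."""
    token: str      # contract the call is sent to
    recipient: str
    amount: int     # in the token's smallest unit

def decode_transfer(calldata: bytes):
    """Decode ERC-20 transfer calldata; raise ValueError for anything else."""
    if len(calldata) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length %d" % len(calldata))
    if calldata[:4] != TRANSFER_SELECTOR:
        raise ValueError("selector %s is not transfer()" % calldata[:4].hex())
    addr_word, amount_word = calldata[4:36], calldata[36:68]
    if any(addr_word[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + addr_word[12:].hex(), int.from_bytes(amount_word, "big")

def check_before_signing(shown: DisplayedIntent, to: str, calldata: bytes):
    """Return a list of mismatches; sign only if it is empty."""
    problems = []
    if to.lower() != shown.token.lower():
        problems.append("call target differs from displayed token contract")
    try:
        recipient, amount = decode_transfer(calldata)
    except ValueError as exc:
        return problems + ["payload is not the displayed transfer: %s" % exc]
    if recipient != shown.recipient.lower():
        problems.append("recipient differs from display")
    if amount != shown.amount:
        problems.append("amount differs from display")
    return problems

# Constructed sample data (not from the incident).
TOKEN = "0x" + "11" * 20
ALICE = "0x" + "22" * 20
SHOWN = DisplayedIntent(token=TOKEN, recipient=ALICE, amount=1_000_000)
GOOD = TRANSFER_SELECTOR + bytes(12) + bytes.fromhex("22" * 20) + (1_000_000).to_bytes(32, "big")
SWAPPED = bytes.fromhex("deadbeef") + GOOD[4:]  # same arguments, different function

if __name__ == "__main__":
    print(check_before_signing(SHOWN, TOKEN, GOOD))      # []
    print(check_before_signing(SHOWN, TOKEN, SWAPPED))   # one mismatch reported
```

The check only helps if it runs on a device and code path separate from the interface that rendered the display, since a compromised interface can misreport both.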