WazirX Offers $23 Million Bounty to Hacker After $235 Million Breach

full version at beincrypto

WazirX, a prominent Indian cryptocurrency exchange, recently suffered a $235 million hack. In response, the platform has proposed a 10% bug bounty to the attacker.

This move is part of a broader bounty program aimed at recovering the stolen assets.

WazirX Reveals $23 Million Bug Bounty Initiative

On July 21, WazirX announced a bounty program offering $23 million to the hacker for returning the stolen funds. Additionally, the exchange is providing up to $10,000 in USDT to individuals who can provide actionable intelligence leading to the freezing of the stolen assets.

Initially, WazirX had offered a 5% reward, amounting to $11.5 million. However, on-chain investigator ZachXBT advised the firm to increase the offer because of the possible involvement of North Korea’s Lazarus group.

“[A] $10 million bounty means nothing if it is indeed Lazarus Group as they are not going to just hand over the funds or be located and held legally accountable. 5% is lower than 10%+ industry standard,” he stated.

WazirX co-founder Nischal Shetty emphasized that the bounty program seeks to unite the community and recover the stolen funds. He noted that while the exchange explores partial withdrawals, it needs additional time to determine the best approach.

“The world has more good people than bad and I genuinely believe that if the entire global community comes together, we can find the perpetrators and recover the stolen funds. We’ve all been working on growing the Web3 ecosystem and we cannot give up at this time. We’ve been attacked but we have to get back up and fight,” Shetty added.

The bounty initiative is part of WazirX’s effort to reclaim the $235 million lost in the July 18 breach, which the company described as a “force majeure event.” The breach was attributed to inconsistencies between Liminal’s interface data and the transaction details.

Shetty clarified that the hack was not the result of a phishing attack. He explained that the breach required four points of failure in the signing process. This included three signatures from separate devices, each using different hardware wallets located at various sites.

“Even if we assume that all 3 WazirX devices ended up going to a phished link (which is highly unlikely given their geographic separation and saved links), it would still fail on Liminal’s end since they’re the 4th signer and the signing occurs inside their systems and not on a browser (please don’t take this as a blame game, I’m detailing out the sequence of how things work and both parties are working hard to get to the root of this),” Shetty stated.

Since the incident, blockchain data indicates that the attackers have been liquidating the stolen assets for Ethereum. WazirX has suspended its platform operations, filed a police report, and notified the Financial Intelligence Unit (FIU) and CERT-In.