
2024 WazirX hack

On 18 July 2024, WazirX, an Indian cryptocurrency exchange, reported a cyberattack in which approximately US$234.9 million (around ₹2,000 crore) in digital assets were stolen from a multi-signature wallet used under a third-party custody arrangement with Liminal Custody. Global analysis later linked the attack to the Lazarus Group, a North Korea–associated threat actor targeting crypto infrastructure worldwide.

Hack

On 18 July 2024, $234.9 million worth of crypto assets were taken out of the exchange and sent to a new address by North Korean hackers belonging to Lazarus Group.

Modus operandi

WazirX's multisig wallet, controlled by five WazirX signatures and one Liminal signature, required three WazirX signatures and one Liminal signature to initiate transactions. Hackers created a fake WazirX account, deposited tokens, and began purchasing Gala (GALA) tokens. After draining the hot wallet, they accessed the cold wallet. When WazirX signatories accessed the multisig wallet, the hackers altered the smart contract controlling it. Once the contract was modified in their favor, the attackers gained full control, no longer needing WazirX's keys, and drained all the funds. Before the attack, the crypto exchange stated in its June 2024 proof-of-reserves disclosure that it had about $500 million in digital assets.
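
The signing rule above (three of five WazirX signatures plus one Liminal signature) can be enforced together with a check that every signature covers the same payload the signers were shown. The following Python is an added example, not code from WazirX, Liminal or any forensic report; the signer names, the payload format and the SHA-256 digest are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical signer identifiers; the page names no individual signers.
WAZIRX_SIGNERS = {"wx-1", "wx-2", "wx-3", "wx-4", "wx-5"}
LIMINAL_SIGNERS = {"liminal-1"}
REQUIRED_WAZIRX = 3   # quorum stated on the page
REQUIRED_LIMINAL = 1


def payload_digest(payload: dict) -> str:
    """SHA-256 over canonical JSON (assumed format, not an on-chain hash)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def evaluate(displayed: dict, approvals: list) -> dict:
    """Count only approvals whose signed digest matches the displayed payload."""
    expected = payload_digest(displayed)
    wazirx, liminal, mismatched, unknown = set(), set(), [], []
    for signer, signed_digest in approvals:
        if signer not in WAZIRX_SIGNERS | LIMINAL_SIGNERS:
            unknown.append(signer)
        elif signed_digest != expected:
            mismatched.append(signer)
        elif signer in WAZIRX_SIGNERS:
            wazirx.add(signer)      # a set, so a repeated signer counts once
        else:
            liminal.add(signer)
    quorum = len(wazirx) >= REQUIRED_WAZIRX and len(liminal) >= REQUIRED_LIMINAL
    # A mismatch means a signer approved something other than what was shown.
    return {"execute": quorum and not mismatched and not unknown,
            "quorum": quorum, "mismatched": mismatched, "unknown": unknown}


# Constructed sample data: the transfer shown to signers, and a different
# payload (a contract upgrade) delivered to the signing devices instead.
DISPLAYED = {"to": "0xTOKEN", "op": "transfer", "args": ["0xDEST", "1000"]}
SUBSTITUTED = {"to": "0xWALLET", "op": "upgrade", "args": ["0xNEWIMPL"]}
QUORUM_SIGNERS = ("wx-1", "wx-2", "wx-3", "liminal-1")


def demo() -> tuple:
    good = [(s, payload_digest(DISPLAYED)) for s in QUORUM_SIGNERS]
    bad = [(s, payload_digest(SUBSTITUTED)) for s in QUORUM_SIGNERS]
    return evaluate(DISPLAYED, good), evaluate(DISPLAYED, bad)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A policy that only counts signatures would accept the second set of approvals, since four valid signers signed; tying each approval to the displayed payload is what rejects it.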

Exchange closure

On 18 July 2024, the exchange suspended crypto trading and disclosed the incident. User balances were reset to 18 July 2024 (1:00 PM IST), reversing trades made after the hack. This followed user protests after WazirX froze some funds, halted withdrawals, and proposed spreading losses across all users. A First Information Report (FIR) was filed with the Special Cell in New Delhi. One individual, SK Masud Alam, was arrested for opening a "mule" account (under the alias Souvik Mondal) that facilitated the hack.

Investigation

According to a report by Mandiant dated 14 August, WazirX’s cyberattack originated from Liminal Custody, which was a Singapore-based security partner of the crypto exchange. As per the report, the attack did not affect the exchange’s hot wallets or primary trading platform infrastructure and was confined to the externally managed multisig custody environment. Liminal Custody disputed aspects of the forensic methodology and conclusions and commissioned Grant Thornton for a comprehensive review of their frontend, backend, UI, and transaction workflow. As per their report, of the 240,000 wallet addresses WazirX submitted to the Singapore court, only a handful were warm/cold wallets managed through Liminal and the majority of them had zero balance; the vast majority were hot wallets controlled directly by WazirX. They drew a direct parallel to the Radiant Capital hack (same attack vector: compromised signer devices, Ledger, UI mismatch and malicious contract upgrade), noting that Radiant acted with full transparency and accountability while WazirX did not.

However, investigative developments in India added further scrutiny to the custody provider’s response. Reports related to the incident noted that the Delhi Police's Intelligence Fusion and Strategic Operations (IFSO) unit alleged that Liminal failed to provide critical logs and technical data associated with the date of the breach. While responses were submitted, authorities stated that the required technical information was not fully provided.

WazirX terminated its custody agreement with Liminal and began moving assets to other secure institutional partners.

Aftermath

On 13 October 2025, the High Court of Singapore sanctioned (with modifications) a creditor-approved restructuring scheme submitted by Zettai Pte Ltd., WazirX’s Singapore-based entity, after the proposal was supported by about 95.7% of creditors by number and 94.6% by value. The scheme of arrangement was pursued under Singapore’s Insolvency, Restructuring and Dissolution Act 2018 and included steps to restructure liabilities, pro-rata distribution of rebalanced assets (approx. 85% of claim value), and issuance of Recovery Tokens (RTs) for potential future distributions. Following the court sanction, the endorsed scheme was filed with Singapore’s Accounting and Corporate Regulatory Authority (ACRA).

During the restructuring process, WazirX continued court proceedings and creditor engagement, including a creditor vote reported as showing high participation and renewed support for the restructuring scheme after an earlier proposal was rejected by the Singapore court. The exchange later resumed operations under revised custody arrangements and implemented additional security measures, including the use of institutional custody providers such as BitGo.

Exchange restart

After the restructuring scheme became legally effective, WazirX restarted operations within ten business days, on 24 October 2025, and returned 85% of funds to users. The platform introduced a temporary 0% trading-fee offer. Platform operations resumed with the exchange migrating custody to global crypto institutional custody providers such as BitGo.
