WazirX Hack: A Critical Alert for Crypto Security
Overview:
WazirX is the platform for cryptocurrencies, based in India that has been hacked, and it made a loss of more than $230 million in cryptocurrency. This case concerned an unauthorized transaction with a multisignature or multisig, wallet controlled through Liminal’a digital asset management platform. These attacking incidents have thereafter raised more questions on the security of the Cryptocurrency exchanges and efficiency of the existing policies and laws.
Wallet Configuration and Security Measures
This wallet was breached and had a multisig setting meaning that more than one signature was needed to authorize a transaction. Specifically, it had six signatories: five are funded by WazirX and one is funded by Liminal. Every transaction needed the approval of at least three signatories of WazirX, all of whom had addressed security concerns by using Ledger’s hardware wallets; while the Liminal, too, had a signatory, for approval.
To further increase the level of security of the transactions, a whitelisting policy was introduced, only limited addresses were authorized to receive funds. This system was rather vulnerable, and the attackers managed to grasp the discrepancy between the information available through Liminal’s interface and the content of the transaction to seize unauthorized control over the wallet and implement the theft.
Modus Operandi: Attack Mechanics
The cyber attack appears to have been carefully carried out, with preliminary investigations suggesting the following tactics:
- Payload Manipulation: The attackers apparently substituted the transaction’s payload during signing; hence, they can reroute the collected funds into an unrelated wallet.
- Chain Hopping: To make it much harder to track their movements, the attackers split large amounts of money across multiple blockchains and broke tens of thousands of dollars into thousands of transactions involving different cryptocurrencies. This technique makes it difficult to trace people and things.
- Zero Balance Transactions: There were also some instances where it ended up with no Ethereum (ETH) in the balance and such wallets also in use for the purpose of further anonymization of the transactions.
- Analysis of the blockchain data suggested the enemy might have been making the preparations for this attack for several days prior to their attack and involved a high amount of planning.
Actions taken by WazirX:
Following the attack, WazirX implemented a series of immediate actions:
- User Notifications: The users were immediately notified of the occurrence of the breach and the possible risk it posed to them.
- Law Enforcement Engagement: The matters were reported to the National Cyber Crime Reporting Portal and specific authorities of which the Financial Intelligence Unit (FIU) and the Computer Emergency Response Team (CERT-In).
- Service Suspension: WazirX had suspended all its trading operations and user deposits’ and withdrawals’ to minimize further cases and investigate.
- Global Outreach: The exchange contacted more than 500 cryptocurrency exchanges and requested to blacklist the wallet’s addresses linked to the theft.
- Bounty Program: A bounty program was announced to encourage people to share information that can enable the authorities to retrieve the stolen money. A maximum of 23 million dollars was placed on the bounty.
Further Investigations
WazirX stated that it has contracted the services of cybersecurity professionals to help in the prosecution process of identifying and compensating for the losses. The exchange is still investigating the forensic data and working with the police for tracking the stolen assets. Nevertheless, the prospects of full recovery may be quite questionable primarily because of complexity of the attack and the methods used by the attackers.
Precautionary measures:
The WazirX cyber attack clearly implies that there is the necessity to improve the security and the regulation of the cryptocurrency industry. As exchanges become increasingly targeted by hackers, there is a pressing need for:
- Stricter Security Protocols: The commitment to technical innovations, such as integration of MFA, as well as constant monitoring of the users’ wallets’ activities.
- Regulatory Oversight: Formalization of the laws that require proper security for the cryptocurrency exchange platforms to safeguard their users as well as their investments.
- Community Awareness: To bypass such predicaments, there is a need to study on emergent techniques in spreading awareness, particularly in cases of scams or phishing attempts that are likely to follow such breaches.
Conclusion:
The cyber attack on WazirX in the field of cryptocurrency market, shows weaknesses and provides valuable lessons for enhancing the security. This attack highlights critical vulnerabilities in cryptocurrency exchanges, even though employing advanced security measures like multisignature wallets and whitelisting policies. The attack's complexity, involving payload manipulation, chain hopping, and zero balance transactions, underscores the attackers' meticulous planning and the challenges in tracing stolen assets. This case brings a strong message regarding the necessity of solid security measures, and constant attention to security in the rapidly growing world of digital assets. Furthermore, the incident highlights the importance of community awareness and education on emerging threats like scams and phishing attempts, which usually follow such breaches. By fostering a culture of vigilance and knowledge, the cryptocurrency community can better defend against future attacks.
Reference:
https://wazirx.com/blog/important-update-cyber-attack-incident-and-measures-to-protect-your-assets/
https://www.linkedin.com/pulse/wazirx-cyberattack-in-depth-analysis-jyqxf
Related Blogs
Introduction
Ministry of Electronics and Information Technology released draft plans for advancing indigenous research and development in cyber forensics, quantum computing technologies, mobile security, cryptography, and Internet of Things (IoT) security. These roadmaps, crafted by the Centre for Development of Advanced Computing, outline strategic approaches to address various challenges over different timeframes leading up to 2047, marking the centenary of Indian independence. These roadmaps provide valuable insights into the nation's commitment to achieving technical autonomy and bolstering resilience in critical areas of cybersecurity and emerging technologies.
Cybersecurity Roadmap
The cybersecurity strategy serves as a lighthouse for strengthening India's digital defenses. With an eye on the immediate future, the plan seeks to create "Social Media Analytics" by 2026, reflecting the rising relevance of extracting insights from the immense ocean of social media data. Furthermore, the emphasis on "Dark Web Forensics" by 2030 demonstrates an understanding of the shifting danger scenario. Ongoing attempts to detect child abuse and human trafficking reflect a dedication to using technology to address social concerns. The timescale beyond 2047 underscores the lasting nature of these difficulties and the necessity for ongoing innovation. Furthermore, the roadmap highlights plans for GPS and car forensics by 2027 and 2029, respectively, demonstrating a comprehensive approach to cybersecurity that spans numerous technologies.
India's quantum computing strategy outlines considerable research and development plans till 2034. Quantum computing represents the boundary of processing power, and India intends to make major progress in this area. The extended time scale reflects the inherent complexity and limitations of applying quantum physics to practical applications.
The Mobile Security Roadmap prioritises "enterprise-grade" security measures to protect critical business and government data. Furthermore, the plan emphasises the importance of an "indigenous system for secure [operating systems] and mobile device hardware," allowing India to lessen its reliance on foreign technology in the mobile ecosystem.
Cryptography Roadmap
Cryptography is the foundation of secure digital communication, and India's strategy for this sector outlines specific and time-bound objectives. The focus on 'asymmetric cryptography' and safeguarding IoT devices by 2028-33 is consistent with worldwide initiatives to improve digital security. The emphasis on "quantum-resistant cryptography," which indicates a forward-thinking approach to encryption technologies that may endure the arrival of quantum computing, which poses a possible danger to current cryptographic systems, is particularly noteworthy.
Challenges and opportunities
While these roadmaps set a visionary route for India's technologically advanced future, such ambitious undertakings bring both problems and possibilities. The intricacy of quantum computing, as well as the ever-changing nature of cyber threats, needs ongoing adaptation and engagement with the international academic community. Furthermore, establishing self-sufficiency in vital technologies necessitates significant research, development, and talent acquisition investments.
Collaboration and Global Perspectives
In an interconnected society, the success of these roadmaps is dependent on collaboration with the global community. The sharing of information, best practices, and joint research efforts can help India advance and strengthen its capacities in these transformational technologies. Building strong international collaborations would not only boost India's position but also help to progress science and technology throughout the world.
Conclusion
India's proposed roadmaps for cybersecurity, quantum computing, mobile security, encryption, and IoT security offer a strategic and forward-thinking outlook on the country's technological future. These roadmaps, which continue well beyond 2047, the centennial of Indian independence, demonstrate India's commitment to long-term resilience and innovation in the face of growing digital problems. The effective implementation of these roadmaps would safeguard India's digital environment and position the country as a worldwide leader in cutting-edge technology, helping to improve society and expand human understanding.
Reference:
Introduction
Mr Rajeev Chanderashekhar, MoS, Ministry of Electronics and Information Technology, on 09 March 2023, held a stakeholder consultation on the Digital India Bill. This bill will be the successor to the Information technology Act 2000 and provide a set of regulations and laws which will govern cyberspace in times to come. The consultation was held in Bangalore and was the first of many such consultations where the Digital India bill is to be discussed. These public stakeholder consultations will provide direct public feedback to the ministry, and this will help create a safe and secure ecosystem of Indian Cyber Laws.
What is the Digital India Act?
Cyberspace has evolved the fastest as compared to any other industry, and the evolution of the growth cannot be presumed to be stagnant or stuck as we see new technologies and gadgets being invented all across the globe. The ease created by using technology has changed how we live and function. However, bad actors often use these advantages or fruits of technology to wreak havoc upon the nation’s cyberspace. The use of technology is always governed by the application of usage and safeguard policies and laws. As technology is growing exponentially, it is pertinent that we have laws which are in congruence with today’s time and technology. This is keenly addressed by the Digital India Act, which will be the legislation governing Indian Cyberspace in times to come. This was the need of the hour in order to have the judiciary, legislature and law enforcement agencies ahead of the curve when it comes to cyber crimes and laws.
What is the Digital India Bill’s primary goal?
The Digital India Bill’s goal is to guarantee an institutional structure for accountability and that the internet in India is accessible, unhindered by user harm or criminal activity. The law will apply to new technologies, algorithmic social media platforms, artificial intelligence, user risks, the diversity of the internet, and the regulation of intermediaries. The diversity of the internet, user hazards, artificial intelligence, social media platforms, and intermediary regulation are all discussed.
Why is the Digital India Bill necessary?
The number of internet users in the country currently exceeds 760 million; in the upcoming years, this number will reach 1.2 billion. Despite the fact that the internet is useful and promotes connectivity, there are a number of user damages nearby. Thus, it is crucial to enact legislation to set forth new guidelines for individuals’ rights and responsibilities and mention the requirement to gather data.
Major Elements of the Digital India Act
Major Elements of the Digital India Bill, which will eventually become an Act, which will contribute massively towards a safe cyber-ecosystem, some of these elements aim towards the following-
- The legislation attempts to establish an internet regulator.
- Women and Child safety.
- Safe harbour for intermediaries.
- The right of the individual to secure his information and the requirement to utilise personal data for legal purposes provide the main obstacles to data protection or regulation. The law tries to deal with this difficulty.
- A limit will be placed on how far a person’s personal information can be accessed for legal reasons.
- The majority of the bill’s characteristics are contrasted with the EU’s General Data Protection Regulation.
The Way Ahead
As we ride the wave of developments in cyberspace regarding emerging technologies and automated gadgets, it becomes pertinent that the state takes due note of such technologies and the courts take cognisance of offences committed by using technology. Law enforcement agencies must also train police personnel who can effectively and efficiently investigate cybercrime cases. The ministry also released a few bills last year, such as – the Telecommunication Bill, 2022, Intermediary Rules and the Digital Personal Data Protection Bill, 2022, to better address the shortcomings and the issues in cyberspace and how to safeguard the netizens. The Digital India Act will essentially create a synergy between the current bills and the new ones to come in order to create a wholesome, safe and secure Indian cyber ecosystem.
Conclusion
Digital India Bill is necessary to address the challenges of cyberspace, like personal data and privacy, and policies related to online child and women safety to create a and create a modern and comprehensive legal framework that aligns with global standards of cyber laws. The draft of the bill is expected to come out by July. The ministry looks forward to maximising the impact of the bill through such continuous and effective public consultation to understand and fulfil the expectations and requirements of the Indian netizen, thus empowering him/her equivalent to the netizen of a developed country.
Introduction
Ministry of Electronics and Information Technology (MeitY) Announces to Centre Government to Plan to Certify Permissible Online Games.
In a recent update to the notification released by the Ministry of Electronics and Information Technology (MeitY) on April 6, MeitY has requested gaming entities to establish self-regulatory organisations (SROs) within a timeframe of 30 days or a maximum of 90 days from the date of the notification, which is April 6, 2023. The Ministry of Electronics and Information Technology (MeitY) has further announced that the central government will certify which online games are permissible until the SROs are officially established. The intention behind establishing SROs is to assist intermediaries, such as Apple or Google, in determining what constitutes a permitted online game, but the SRO will take 2-3 months to complete. In the meanwhile, the Central government will step in and determine what is a permissible online game.
Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 & Intermediary Guidelines and Digital Media Ethics Code Amendment Rules, 2023
By enacting these rules, the Indian government has taken decisive action to protect Indian gamers and their financial resources against scams and fraud. The rules also serve to promote responsible gaming while preventing young and vulnerable users from being exposed to indecent or abusive content.
Amendment Rules developed the concept of a “Permissible online real money game.” This designation is reserved for games that have passed a review process conducted by a self-regulatory body (SRB). Amendment rules indicate that Online Gaming Intermediaries must ensure that they do not permit any third party to host non-permissible online real money games on their platforms. This development is important because it empowers us to distinguish between legitimate and illicit real money games.
The Amendment Rules define an online gaming provider as an “intermediary” under the Information Technology Act of 2000, creating a separate classification called ‘Online Gaming Intermediary’.
Central government to certify what is an ‘Online Permissible Game’
The industry has been wondering what games come under wagering and will be banned. So, until the SROs are officially established, the government, in the interim, will certify what is a permissible game, what is wagering, and what is not wagering. Games that involve elements of wagering are going to be barred. The new regulations prohibit wagering on any outcome, whether in skill-based or chance-based games. Hence gaming applications involving wagering and betting apps will be barred.
Self-Regulatory Organizations (SROs)
According to the new regulations by the Ministry of Electronics and Information Technology (MeitY), online gaming intermediaries must establish a Self-Regulatory Body (SRO) to approve games offered to users over the Internet. The SRO must be registered with the Ministry and develop a framework to ensure compliance with the IT Rules 2021 objectives. An ‘online game’ can be registered by the SRO if it meets specific criteria, which include that the game is offered by an online gaming intermediary that is a member of the self-regulatory body, the game is not containing any content harmful to India’s interests, and complying with all relevant Indian regulations. If these requirements are met, the intermediary can display a visible registration mark indicating its registration with the self-regulatory authority.
Conclusion
MeitY found that with the rapid growth of the gaming industry, the real money gaming (RMG) sector had to be regulated properly. Rules framed must be properly implemented to stop gambling, betting, and wagering apps.
The IT Rules 2021, along with the Amendment Rules 2023, are created to take concrete action to curb the proliferation of gambling, betting, and wagering apps in India. These rules empower to issue of directives to ban specific apps that facilitate or promote such activities. The app ban directive allows the government to take decisive action by blocking access to these apps, making them unavailable for download or use within the country. This measure is aimed at curbing the negative impact of gambling, betting, and wagering on individuals and society, including issues related to addiction, financial loss, and illegal activities. Rules aim to actively combat the spread and influence of such apps and provide a safer online environment for gaming users.
The self-regulatory body in the context of online gaming will have the authority to grant membership to gaming intermediaries, register online games, develop a framework for regulation, interact with the Central Government, address user complaints, report instances of non-compliance, and take necessary actions to safeguard online gaming users.
