WazirX transfers 175 million crypto investments to 2,40,000 wallets, many of which are Chinese


As the Web3 community grapples with the affected exchange’s submission of 2,40,000 wallet addresses to the Singapore court, there is a noticeable confusion on Liminal's role in the matter

WazirX confirms security breach
Divyesh Singh
New Delhi, Oct 23, 2024, Updated Oct 23, 2024, 4:19 PM IST

The Indian cryptocurrency exchange WazirX has now transferred $175 million in crypto into 2,40,000 wallets, and many of those wallets are said to belong to a Chinese wallet provider that is not registered with the FIU (Financial Intelligence Unit) in India. Experts have raised questions over the safety of the investments held in these Chinese wallets. Questions about this were raised by Coinswitch CEO Ashish Singhal and Liminal Custody. In July, WazirX suffered a cyberattack that led to the loss of crypto assets worth $230 million. WazirX also filed a police case regarding the attack with the Delhi Police IFSO Branch.

Liminal Custody has issued an official statement clarifying the situation and its involvement.

The company clarified its role in a controversy involving WazirX, which submitted the 2,40,000 wallet addresses to a Singapore court. Liminal states that its involvement was limited to providing software for managing certain wallets, and it had no control over WazirX's funds. Despite WazirX publicly saying they ended their contract with Liminal after the hack, they continued using Liminal's services for months. Liminal also criticized WazirX for lacking transparency compared to how another company, Radiant Capital, handled a similar incident.

Read the entire statement by Liminal below: 

As the Web3 community grapples with the affected exchange’s submission of 2,40,000 wallet addresses to the Singapore court, there is a noticeable confusion about Liminal's role in the matter. The exchange's exhaustive submission spanning 1,100 odd pages has sparked intense debate and concern within the cryptocurrency ecosystem. While this extensive data disclosure has been widely criticised as a potential disinformation campaign designed to confuse both users and legal authorities, we have also been approached to clarify information and our role in this matter. Given the gravity of the situation and our commitment to transparency, we believe it's crucial to address these misconceptions head-on and provide verified, factual information about our involvement.

We urge the community to critically evaluate the information provided by all parties involved and to rely on verified sources. Our goal is to maintain the integrity of the Web3 ecosystem and to ensure that users have access to accurate and reliable information.

The 240,000 wallet addresses

Like most in the industry, we too have combed through the list of the 2,40,000 wallet addresses shared by WazirX. As stated by several other notable individuals as well, a majority of these addresses are hot wallets, while a handful are the warm/cold wallets that were managed through Liminal’s infrastructure. These handfuls of wallets held all the balance funds of nearly $300 million for several months after the incident.

Liminal’s contractual relationship with WazirX was for a software subscription service for Liminal’s Self-Custody infrastructure platform. Within this service, Liminal was providing WazirX with cold/warm wallets (barring one low-balance hot wallet), totaling a handful of wallets that held a variety of assets. WazirX was not using several Liminal infrastructure offerings, including hot wallets, which would have created thousands of wallets within Liminal's infrastructure, and the smart refill transactions feature, which could have prevented usage of cold wallets and eventually the cold wallet signatures from getting leaked.

WazirX’s ongoing use of Liminal’s infrastructure

As an immediate response to the breach, WazirX blamed Liminal Custody and made media announcements on August 14, 2024, stating that it had ‘terminated’ its contract with Liminal. However, far from this posturing, WazirX continued to use Liminal’s infrastructure to access and manage their remaining user funds. Even 75 days after the hack, WazirX was still holding over $175 Million in assets on Liminal’s platform. In fact, as of today, USD 50 Million of their assets continue to remain on wallets accessed via Liminal Infrastructure. Again, as a Self-Custody holder, Liminal cannot transfer nor initiate any transaction pertaining to WazirX funds and only the WazirX team can initiate transactions on their wallets. As a responsible company, we have clarified this position and situation to incoming media requests and authorities as asked for.

Radiant Capital hack comparison

The Radiant Capital incident has the exact same modus operandi as the WazirX incident. Both cases share exactly similar attack vectors of UI discrepancies, three signers using ledger devices, multi-sig smart contract wallets, signature mismatches, transaction rejection errors and smart contract wallet upgrades to seize control. However, the Radiant Capital hack also serves as a stark study in contrasting organizational responses to security breaches.

Radiant Capital demonstrated exemplary transparency by promptly acknowledging that their signatories were using a UI interface as well as a transaction simulator to ensure accurate instructions were provided at their end, however, the transaction information was maliciously updated by a malware injection on their devices which were compromised. While their signers also (technically) saw discrepancies in the UI and the actual transaction, their thorough disclosure revealed that the breach was nowhere related to front-end or UI vulnerabilities but from compromised device infrastructure used for hardware wallet connections, allowing attackers to intercept and manipulate legitimate transactions at the point of signing via cold wallets.

Click here to read their detailed post-mortem report

In marked contrast, rather than sharing a detailed post mortem, WazirX instead chose to eschew responsibility by publicly attributing blame to Liminal through a social media post mere hours after the breach - a post they later retracted. This impulsive finger-pointing, combined with their persistent lack of transparency and accountability, continues to not only muddy the waters but has also inflicted lasting damage to industry trust and security protocols.

In summary

Throughout this challenging period, Liminal Custody has maintained a measured approach, choosing careful evidence-based communication over hasty responses. However, after 90 days of witnessing WazirX's persistent disinformation campaign, we feel compelled to take a firmer stance. While we have historically preferred to let our work speak for itself, we cannot allow misleading narratives to go unchallenged when they threaten the integrity of our industry and the trust of our stakeholders.
