$230M WazirX Exploit in India

Every week, Information Security Media Group rounds up cybersecurity incidents in digital assets. This week, WazirX, LI.FI, Dough Finance and CoinStats were breached; Satoshi Nakamoto impersonator’s was charged; FTX and CFTC reached a settlement; a man was convicted of fraud; new details emerged in the Tornado Cash and SEC cases; and Taiwan set new AML rules.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Indian cryptocurrency exchange WazirX fell victim to a wallet exploit that resulted in the unauthorized transfer of over $230 million worth of crypto assets. The breach targeted the exchange’s multisig wallet on the Ethereum network, likely using a compromised private key. WazirX said it is investigating the outflows while pausing all withdrawals.

On-chain data shows the hacker stole over $100 million in Shiba Inu, $52 million in ETH and $11 million in MATIC. The hacker moved the compromised funds to an address that has begun to convert the stolen assets into ether.

Crypto sleuth ZackXBT said the hack has the “potential markings of a Lazarus Group attack (yet again).”

Australian computer scientist Craig Wright, who falsely claimed to be Bitcoin creator Satoshi Nakamoto, is facing potential perjury and forgery charges, and United Kingdom Crown Prosecution Service is considering his prosecution. Judge Justice Mellor said there was overwhelming evidence against Wright, including extensive fabrications and document forgeries.

Wright had initiated lawsuits globally based on his claims but in April 2021, the Crypto Open Patent Alliance sued to prevent him from asserting copyright claims over the Bitcoin Whitepaper. The Bitcoin Whitepaper is the original thesis paper written under the pseudonym Satoshi Nakamoto on Oct. 31, 2008, that set the basic structure of the Bitcoin network.

In May, Mellor delivered his judgement that Wright was not Satoshi Nakamoto and ordered him to pay over million pounds – $7.6 million – in costs for the COPA claim and 115,000 pounds -$149,000 – for the Bitcoin Core claim, with an interim payment of about 5.1 million pounds – $6.6 million.

Mellor also ordered Wright to post on his website, Slack and X account, formerly Twitter, that he is not the founder of Bitcoin.

Wright’s whereabouts are currently unknown, but he is believed to have left the U.K.

Bankrupt crypto exchange FTX and the U.S. Commodity Futures Trading Commission reached a tentative $12.7 billion settlement, pending approval from a Delaware judge. The settlement, filed on July 12 in the U.S. Bankruptcy Court for the District of Delaware, aims to resolve ongoing litigation and disputes and avoid further legal costs and delays.

The CFTC lodged a complaint in 2022 against FTX, former CEO Sam Bankman-Fried and affiliated Alameda for fraud that caused customers to lose $8 billion. Initially, the CFTC sought a $52.2 billion claim. Under the settlement, the CFTC will forgo its claim if FTX complies with its reorganization plan, allowing FTX to pay up to $12.7 billion to creditors, contingent on available funds.

The agreement allocates $8.7 billion in restitution and $4 billion in disgorgement. The $ billion is subordinated to other creditor claims.

A jury convicted Bankman-Fried in November 2023 of seven criminal counts, including wire fraud and conspiracy, and sentenced him to nearly 25 years in prison. The SEC has charged him with fraud. The settlement hearing is set for Aug. 6.

A U.S. jury convicted exiled Chinese billionaire Guo Wengui, also known as Miles Guo, on charges including racketeering conspiracy and wire fraud. He faces an undisclosed number of “decades in prison” after being found guilty of nine of 12 counts.

Guo was arrested in March 2023 for allegedly orchestrating a fraud conspiracy exceeding $1 billion, including cryptocurrency schemes. He deceived thousands of followers and led a life of luxury with their money, including a 50,000-square-foot mansion, a $1 million Lamborghini and a $37 million yacht.

The Department of Justice said that Guo obtained over $262 million through the Himalaya Exchange and seized approximately $634 million from 21 bank accounts linked to the fraud. The SEC in March 2023 charged Guo for raising hundreds of millions via a crypto asset called H-Coin or Himalaya Coin, falsely claiming it was backed by gold and promising personal compensation for potential losses.

Guo’s lawyer portrayed him as a political exile using cryptocurrency to move money from an oppressive regime. Exiled from China in 2014, Guo criticized China’s Communist Party, gaining a large overseas following. He is a close ally of Steve Bannon, with whom he launched the New Federal State of China initiative in 2020 to overthrow the Chinese government.

Decentralized finance platform LI.FI protocol suffered an $11 million exploit following suspicious withdrawals. LI.FI advised users on X to avoid interacting with its applications during the investigation and said that only those with infinite approval settings were at risk. It updated its instructions on Wednesday to say that the protocol was fully operational again.

LI.FI, which enables trading across blockchains, had a similar bug in 2022, resulting in a $600,000 loss.

The recent exploit was initially estimated at $8 million, but it is now pegged at approximately $11 million. The exploit involved the LI.FI bridge, and the root cause traced to a vulnerability in a function deployed five days prior to the attack, said Decurity.

PeckShield said the two bugs were “basically the same.”

Decentralized finance protocol Dough Finance lost $1.8 million in digital assets after hackers executed a flash loan attack. Web3 security firm Cyvers said the attacker was funded through the zero-knowledge protocol Railgun and converted the stolen USDC into ETH worth about $1.8 million. Web3 security provider Olympix identified the exploit’s cause as unvalidated call data within a smart contract, allowing the attacker to manipulate data and steal funds.

Cryptocurrency tracking app CoinStats said it suspects that the Lazarus Group or a “sophisticated nation-state affiliated attacker” accessed private keys to steal about $2.2 million in June. CoinStats at the time advised users to transfer funds out of wallets created on the platform after the attacker sent fraudulent notifications to mobile users through the service. The breach affected 1,590 wallets, or 1.3% of all CoinStats wallets. The company said it contracted new infrastructure auditors and restored the platform to full operation, but it did not specify a reimbursement timeline for the victims, who have been asked to identify themselves by Aug. 15 to be eligible for “any future support from the CoinStats team.”

Tornado Cash co-founder Roman Storm’s request to delay his upcoming trial was reportedly granted by District Judge Katherine Polk Failla at a court hearing in lower Manhattan. Storm’s defense attorneys requested the delay because of the case’s complexity and the extensive discovery involved, saying that they needed time to analyze millions of pages of documents, many of which were in Russian and required translation.

The Department of Justice prosecutors reportedly argued that the defense had sufficient time to review the documents and said that other cases with more extensive discovery had proceeded to trial more quickly. The prosecutors said that the Sept. 23 trial date had been set for seven months and that the defense failed to specify particular discovery issues impeding trial preparation.

Failla sided with the defense and postponed the trial to Dec. 2. She has yet to rule on Storm’s motion to dismiss the charges.

Tornado Cash developer Alexey Pertsev will reportedly will remain in jail in the Netherlands for the duration of his appeal after being denied bail by a Dutch court. The court said that Pertsev’s detention would not impede his ability to prepare his defense and that granting computer access would breach safety protocols. Pertsev’s lawyer, Judith de Boer, criticized the court’s decision, arguing that pretrial detention was “unacceptable” over the case’s unprecedented nature, questioning the criminal liability of software developers for third-party misuse.

Pertsev, convicted of money laundering in the Netherlands in May, received a sentence of five years and four months for laundering $1.2 billion in illicit assets via sanctioned mixer Tornado Cash.

The July 13 decision marks the third denial of Pertsev’s bail request. In November, a Dutch court denied his plea to be released under surveillance, citing the prosecution’s claim that he was a flight risk and central to Tornado Cash’s operations. A second bail request was denied in February.

Taiwan’s Parliament has passed amendments to anti-money laundering laws, requiring crypto firms to register for AML compliance and criminalizing unqualified crypto service providers, according to the government-linked Central News Agency.

Businesses or individuals that provide crypto services in Taiwan must complete AML procedures and register their service capacity, and noncompliance can result in imprisonment for up to two years or a fine of up to $153,800. Overseas crypto platforms must establish local entities and apply for AML registration to avoid criminal penalties, it said.

Since July 2021, Taiwan has mandated AML compliance for crypto service providers under rules introduced by the Financial Supervisory Commission, but the industry has remained largely unregulated.

A key issue in the crypto industry’s lack of regulatory clarity is whether stablecoins, typically digital assets pegged to the U.S. dollar, should be classified as securities. A recent decision by the Securities and Exchange Commission to end a probe into New York stablecoin issuer Paxos suggests that, in most cases, they may not be treated as securities.

The SEC not recommending enforcement action against Paxos comes over a year after the agency sent the company a Wells notice regarding the dollar-backed BUSD stablecoin issued in partnership with Binance in September 2019. Though BUSD didn’t surpass competitors Tether and USDC, it became a leader in the stablecoin sector within the Binance ecosystem. The SEC argued that BUSD was a security because it generated profits through reserves, partially passed on to Binance users as yields. Paxos disagreed, stating BUSD was backed 1:1 with dollar reserves.

The SEC’s retreat follows a partial defeat in a lawsuit against Binance. While Congress continues to delay legislation on regulating crypto, the SEC’s decision is a win for the stablecoin sector.

While stablecoins remain in a regulatory gray area, many argue that the lack of an expectation of profit separates them from other crypto assets. The SEC’s investigation, ongoing as of early July, appears to have shifted after a federal judge ruled in June that BUSD sales did not constitute a securities offering, leading to the charge being dropped.