The $230 million WazirX hack: How safe are your cryptocurrencies

Bitcoin's return on investment has been the highest in the shortest period in human history, but it's also quite volatile.
Bitcoin's return on investment has been the highest in the shortest period in human history, but it's also quite volatile.

Summary

  • Even cryptocurrency exchanges with robust safety mechanisms have fallen prey to hackers. Some exchanges have been able to fully reimburse their customers, while others have left them stranded. Despite this, cryptocurrencies remain a strong attraction for investors.

On 24 July, WazirX, an Indian cryptocurrency exchange with about 16 million users, faced an alarming crisis as hackers swindled about $230 million worth of digital assets from one of its crypto wallets. The company has now offered a $23 million bounty to anyone who can help it recover the money.

To understand the implications of the WazirX hack, let’s dig into some basics on cryptocurrencies, exchanges and wallets, as well as what options are available to affected investors.

Why do cryptocurrencies like bitcoin capture investor attention?

To understand this, let’s take the example of bitcoin, the most widely traded cryptocurrency. Its price appreciation or return on investment has been the highest in the shortest period in human history. It went from $0.01 in 2009 to $69,000 in 2021 and to an all-time high of $73,084 on 13 March, 2024. But by 6 August, it had fallen to $55,000.

But the long-term graph, which is what matters to people who invest and never sell, presents a hockey stick, an ever-increasing profile. This amazing volatility is what traders live for and they use crypto exchanges to trade cryptocurrencies.

All is well in the long term.
View Full Image
All is well in the long term.

The Indian reality

In India, cryptocurrencies are not regulated officially. But the Indian government and the Reserve Bank of India have overtly and covertly hampered the growth of local firms in this space.

In 2018, RBI issued a circular directing all entities regulated by it to stop providing services to individuals and platforms dealing with cryptocurrencies. In March 2020, the Supreme Court of India struck down RBI’s 2018 circular, stating that it was disproportionate and violated the right to trade.

This ruling allowed crypto exchanges to regain banking services.

But despite the Supreme Court ruling, the Indian government has continued to express skepticism about cryptocurrencies. RBI has continued to caution users, holders, and traders about the potential risks. Even after more than a decade, the Indian government is still formulating a comprehensive regulatory framework for cryptocurrencies.

Since this is the reality, it’s pertinent for investors to understand how the system works.

The world of cryptos

Cryptocurrencies like bitcoin or ethereum can be classified as a monetary asset. The difference between this type of currency and currencies like the rupee or the dollar is that a cryptocurrency can be sent over the wire without depending on a single trusted intermediary.

An asset that has demand will command a price in the market. Any asset must have a sanctuary for safekeeping and a stage upon which it can be traded.

Fiat paper money such as the rupee or the dollar can be stored in a physical wallet or in a bank. It can be exchanged in person or transferred across distances using payment gateways. Your cash is a bearer asset. You can exchange it physically with another person, and the transaction is complete. If you lose your cash and someone else holds it or finds it, they are the owner of that cash. That is what a bearer asset means.

Stocks can be traded on exchanges like the New York Stock Exchange or BSE. In the United States, stock certificates are stored at a custodian like the Depository Trust and Clearing Corporation, which maintains a ledger or database in which the rightful owner of a stock is always reflected.

Cryptocurrencies are stored in a crypto wallet. A crypto wallet functions more like a digital bank account than a physical wallet that you use to store cash. We can use it to store our cryptocurrencies and check our balance. We can also use this wallet to transfer or send our cryptocurrencies to someone located nearby or halfway across the globe.

The wallet does not store your cryptocurrency. Instead, it is a container for private keys. Your private keys can access your cryptocurrency on the blockchain database. This blockchain is a distributed database spread across multiple servers across the globe.

To understand this concept, consider the email you access via Gmail. The emails are stored on Google’s server in another location. Gmail is the browser client software for accessing emails, such as reading or replying. Your email does not reside on your browser. It is rendered on the browser by the client software so that you can read it or send a reply. The email is information stored as 1s and 0s.

Similarly, a crypto wallet is a client software located on your browser or as an app on your phone. It contains a private key located on your machine. The keys are used to access your crypto balance or transfer crypto ownership to a receiver using this private key. Cryptocurrency is a bunch of 1s and 0s, like emails, stored on multiple computers across the globe.

The security factor

Imagine writing a check or sending money via a digital bank account. We need the account number or name of the receiver to whom we are sending the money, fill in the amount, and put our signature on the check.

In the digital world, the login ID, password, and two-factor authentication codes are equivalent to a physical signature on a check.

To send cryptocurrency to a receiver using your wallet, you will need the equivalent of a receiver’s account number. This number or text is called the receiver’s public address. The public address is generated from the public key, which is generated from the receiver’s private key in the receiver’s wallet.

If you know a receiver’s public address, you cannot generate a private key in their wallet. This inability to figure out private keys from public addresses is the security feature of the public-private key algorithm.

Private keys are generated from a large random number set when you create a wallet. The public address of your wallet is made from the public key. The public key is generated from the private key using complex mathematical functions.

Hackers and keys

Cryptos are traded on centralized exchanges like Coinbase and Binance and on decentralized exchanges like Uniswap. For this article, we will only focus on crypto trading and storage on centralized exchanges.  

Crypto exchanges like Binance or Coinbase differ from exchanges like the New York Stock Exchange even though they are both centralized.

We can transfer cryptocurrency from a crypto exchange to our wallet, which resides outside the exchange.

We cannot ever take possession of our stock certificate from NYSE. It will always be with the custodian, DTCC. When we sell our stock to someone else, the custodian changes the stock ownership title in their database.

The risk of any centralized exchange is that there is a single point of failure. If you can take down the servers of a centralized organization, their platform will cease to run. A centralized organization can decide to censor you from using their platform. Multiple companies have banned people on their platforms for various reasons. Similarly, a centralized exchange can choose to cut you off from trading on their platform at any time for any reason.

If a fraudulent third party attacks the NYSE, they cannot run away with your stock certificates because the certificates are not physically or digitally present on the exchange. However, a hacker can manipulate the ownership of your stocks to someone else’s name in the custodian’s database.

You own your Bitcoin with private keys. When you transfer your Bitcoin to a centralized crypto exchange like Coinbase, Coinbase will possess the crypto keys. If a scammer can hack the Coinbase wallet, the scammer can transfer those bitcoins from Coinbase to their wallets. Once a hacker gets possession of the keys, the hacker becomes the owner of the crypto, giving them the ability to transfer the crypto anywhere they want.

Generally, exchanges store their crypto in multiple wallets. They use hot wallets, which are wallets that are connected to the internet, and cold wallets, which are not easily accessible online. Good exchanges use multiple security measures on their wallets such that to get access to cryptocurrencies, multiple signatures held by different parties will be needed as safety measures. These wallets are called multi-sig wallets.

A brief history of crypto hacks

Crypto exchanges are honeypots that attract hackers worldwide. If hackers can penetrate an exchange or its wallets, they stand to strike it rich. Throughout the history of crypto, hackers have attacked crypto exchanges.

Mt.Gox was one of the earliest crypto exchanges and, at one time, accounted for 70% of all crypto transactions. It was hacked in 2011 and 2014. It became insolvent after losing 744,000 bitcoins, worth $615 million over the years. The exchange went into bankruptcy proceedings. As of 2024 the bankruptcy proceedings are not yet over.

Customers were to be compensated not for their original bitcoin but for the value of bitcoin at that time, as per bankruptcy laws. Bitcoin’s price has gone from $150 in 2014 to about $60,000 as of 2024. Lawyers and regulators made more money from this hack than the customers, who should have been compensated.

The breaches were possible due to inadequate security measures by the company.

Bitfinex was another popular exchange that was hacked in 2016. Hackers stole 120,000 bitcoins worth $72 million. There was a security breach, and hackers were able to bypass the multi-sig security features. The Bitfinex exchange stopped all trading. They acknowledged the hack and were transparent to the public and users.

To address the financial impact, Bitfinex decided to socialize the losses among all users. In exchange for the losses, Bitfinex issued tokens to affected users. Each token represented a dollar of loss and could be traded on the Bitfinex platform. The plan was to redeem these tokens for cash or equity in iFinex Inc., the parent company of Bitfinex. Over time, Bitfinex repurchased and redeemed these tokens, eventually paying back the users.

In April 2017, Bitfinex announced it had redeemed all outstanding tokens, effectively repaying its customers.

The Bitfinex hack was a significant event in the history of cryptocurrency. It illustrated the vulnerabilities of even the most secure systems and the importance of robust security measures and crisis management strategies.

There were various other hacks on multiple exchanges, and many of the exchanges went insolvent right after. Some acknowledged the hack, some did not even identify it when it happened, and some were able to track hackers and recover most of the money, like the KuCoin exchange attack of 2020, where they recovered $204 million of the $280 million that had been stolen.

What next for WazirX customers?

Let us return to the WazirX situation. WazirX has been hacked and customer funds have been lost.

Now, what is the option for customers?

Do they go through judicial proceedings that could take years, as it happened with Mt.Gox, or do they use the Bitfiniex socializing losses strategy, trade 55% of their funds, and hopefully recover their money over time?

How will the regulators and the government of India investigate the issue? So far, there’s been almost complete silence.

WazirX’s founders have announced that they are trying to work with their trading partners, investors, investigators, and other exchanges to keep its exchange open and recover the stolen assets.

WazirX’s founders have conducted a poll among its customers, giving them two options: access 55% of the funds without withdrawals and be first in line for recovery proceeds, or get 55% of the funds with withdrawal but be second in line in case of recovery of funds.

Many customers and industry colleagues from rival crypto exchanges have criticized the plan. We will have to see how this unravels.

Meanwhile, one thing is clear: Unless you take measures to protect the cryptocurrencies you own, there’s always a chance you could lose them to a hacker. Beware.

 

Note: The purpose of this article is only to share an opinion. It is not a recommendation. If you wish to consider an investment, you are strongly advised to consult your adviser. This article is strictly for educational purposes only.

 

Nithin Eapen is a seasoned technologist and entrepreneur with a deep passion for finance, cryptocurrencies and technology. With a computer science and finance background, Nithin has spent over two decades in the tech and financial industry, working with cutting-edge technologies and innovative startups.

Catch all the Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
more

topics

MINT SPECIALS