A $234 million heist at an Indian cryptocurrency exchange. Four million customers out of pocket. A North Korean hacker group. A solitary arrest.
Despite an international effort to trace the criminals and tentative signs of progress, investigators so far don’t look close to cracking the case of July’s WazirX heist, one of the biggest crypto frauds of the year.
But on Tuesday there was a glimmer of hope for the 4.3 million victims of the hack. WazirX’s parent company, Zettai Pte Ltd, announced its plans to roll out a recovery scheme to repay customers their missing funds, by capitalizing on the recent bull run on crypto.
The company said in a statement that it believed that, amid the ongoing crypto surge, its creditors were “well-positioned to not only recover their capital but also gain from the potential upside in token distributions.”
The proposal would need both signoff by a court in Singapore, where the company is registered, and a vote of approval by a majority of creditors.
“The restructuring scheme reflects our unwavering commitment to creditors during this challenging time,” WazirX founder Nischal Shetty said in a statement, adding that the exchange hoped to close out the process in a matter of months.
But even if the plan works out, victims have lamented not being able to access any of their funds during one of the best times to be a crypto trader.
MONIIFY spoke to ten individuals and entities directly or indirectly involved in investigations into the WazirX hack. The heist, targeting one of India’s biggest exchanges, has sent shockwaves through the industry, and shone a harsh light on the country’s laissez-faire approach to crypto regulation.
India’s government has often warned of the risks associated with crypto, but chose to keep the industry unregulated, saying it would only impose rules when a global alignment on policing the space takes shape.
While Indian police did eventually launch an investigation into the WazirX hack, which has resulted in a single arrest so far, observers say it’s highly unlikely to lead to the real culprits behind the heist.
In fact, it’s a parallel investigation involving informal collaboration and intelligence-sharing between volunteer crypto experts, blockchain forensics companies and government agencies like the FBI that may be more likely to crack the case.
That’s an approach that’s common in the crypto world in response to major heists, and which will likely see any useful leads shared with Indian police investigators.
One person familiar with both investigations, who requested anonymity, tells MONIIFY it would take “a long and tortuous” effort for the stolen crypto to be returned. The money, he and many other experts believe, has been taken by a notorious North Korean hacker group, Lazarus. But more on that later.
The mule
When Delhi police revealed last month that they had arrested SK Masud Alam, a 32-year-old from a remote part of eastern India, back in August, it fueled optimism that this could be a lead to the missing loot.
But that quickly dissipated as details of the arrest, as laid out in a 900-page police document, became known.
According to police, Alam had created a fake account on WazirX and then sold it on Telegram. Alam was “a non-crypto savvy/mule kind of client,” and it was other “unknown persons” who operated his account from Mumbai, according to police documents.
A person familiar with the Delhi police investigation, but who requested anonymity because they were not authorized to speak to the media, tells MONIIFY that Alam knew what he was doing, but perhaps didn’t know the extent of the operation.
A false breakthrough
With Alam appearing to be at best a bit-player, rather than any kind of criminal mastermind, experts said that hopes of a breakthrough were misplaced.
Cyber threat intelligence group CYFIRMA said in a statement to MONIIFY that Alam was not the hacker responsible for the breach, nor was he directly involved with the hacking, while John Parsaie, CEO of cybersecurity firm Blackwater International, said the arrest would have “no impact” in recovering the stolen funds.
Blockchain Intelligence Group President Lance Morginn agrees, saying it was extremely unlikely that the stolen funds will be recovered.
Match Systems CEO Andrei Kutin believes the arrest could potentially open the door to the recovery of some of the stolen crypto, “if the funds can be traced to centralized platforms willing to cooperate with law enforcement.”
But so far, it looks like the funds have been kept away from centralized platforms. According to CoinDesk, by September the hacker had laundered almost all of the $234 million in tokens through Tornado Cash, a decentralized mixing platform commonly used by criminals.
It’s unlikely that Alam had any link to the funds at all, according to the police report.
But there are other leads in addition to Alam, the person familiar with the police investigation insisted. “There’s much to be done, and when it is clear, a supplementary document will be submitted to the court.”
Window dressing
But crypto experts who have taken an interest in the heist are skeptical of the Indian authorities’ prospects of cracking the case. India doesn’t regulate crypto, and its institutions have warned investors not to risk their money in the sector. The police investigation was only launched after WazirX made a request for police to look into the matter.
One crypto security sleuth, who goes by the online pseudonym Tayvano, tells MONIIFY that they saw the arrest as more or less window-dressing on the part of police, rather than a significant breakthrough in the case.
“That’s fine, as long as they don’t undermine the [other] investigation being done — the investigation that will actually result in better outcomes for the … people who have lost their money.”
Tayvano, who has worked on similar collaborative investigations into crypto heists in the past, says that she believes that the opportunity to recover the stolen funds had been missed.
The North Korean connection
Tayvano, along with many other researchers who have looked into the case, believes that the theft is the work of an infamous North Korean hacker group, Lazarus.
She says the hack had the group’s fingerprints all over it. That includes how the stolen money, once it was taken, was mixed with the takings of previous Lazarus thefts, and how the source of the funds used to initiate the hack appeared to come from earlier crimes linked to the group.
Blockchain Intelligence’s Morginn says the hack was clearly “the work of an experienced group.”
So far, though, there’s no reference to Lazarus anywhere in the Delhi police document.
That’s got to be some relief to the North Korean hacking group if they are involved — although they’ve got more than one team of investigators to worry about.