From decrypt by Vismaya V

Delhi Police’s Intelligence Fusion and Strategic Operations (IFSO) division has arrested a man from West Bengal, in connection with a massive cyberattack on WazirX.

In July, the crypto industry witnessed the hack of India’s largest crypto exchange, WazirX. The exploit resulted in losses of approximately $235 million, with hackers targeting the platform’s hot and cold wallets.

The accused SK Mausad Alam is under custody for allegedly facilitating the WazirX heist by opening a fraudulent account on the exchange and selling it to a third party, which led to unauthorized access to the platform.

According to the chargesheet reviewed by Decrypt, Alam opened an account under the alias of Souvik Mondal and sold the credentials to someone called “M Hasan” via Telegram.

Delhi police disclosed how Alam was in contact with a "buyer of crypto accounts" who "offered him a good amount on getting crypto accounts of WazirX with credentials."

In return for selling his credentials, Alam reportedly received "08 USDT in his Binance account," per the chargesheet.

Police wrote in the chargesheet that during their investigation they found evidence that Alam had received crypto deposits worth $107,000 in the WazirX account created using his credentials.

The hackers’ modus operandi involved draining WazirX's hot wallet of GALA tokens to force the exchange to transfer additional assets from its cold wallet.

This tactic ultimately granted the perpetrators access to WazirX’s multisignature wallet, police said, leading to the siphoning of crypto worth millions.

The attack on WazirX was initially attributed to North Korea-based hacker group Lazarus by cybersecurity firm Elliptic.

In the course of the probe, authorities seized three laptops they say were used by WazirX’s authorized signatories to approve transactions. However, initial forensic analysis did not reveal any unauthorized access to these devices.

Despite the severity of the breach, investigators found no evidence of unauthorized access to WazirX's internal systems, confirming that the attack was carried out through external means.

The police stated WazirX cooperated fully with the authorities throughout the investigation, providing critical data such as KYC records and transaction logs.

Investigators said they faced challenges obtaining critical data from Liminal Custody, a third-party service provider responsible for securing the exchange’s cold wallets.

Following the hack, WazirX’s investigative report claimed the firm had “the malicious transaction was not sent to any of the destination addresses in the whitelisted addresses, which should have been prevented by Liminal.”

  Liminal told Decrypt at that time the multi-signature smart contract wallet used in the attack was allegedly “created independently and further imported on the Liminal platform.”

The investigation is ongoing, with authorities expected to file a supplementary chargesheet once additional information from entities like Telegram and Liminal Custody is obtained.

Liminal Custody did not immediately respond to a request for comment from Decrypt.