Wednesday, December 25

In the wake of a massive breach of WazirX, an Indian crypto exchange, resulting in a loss of $234.9 million, reports have suggested the involvement of the "Lazarus Group", which has connections to North Korea.

ZachXBT, a crypto investigator, claimed on X to have uncovered the mystery behind the massive security breach at the WazirX platform. In a thread posted on their official account, ZachXBT identified the Lazarus Group as responsible for the attack, claiming their association with North Korean hackers.

According to the analysis in the above-mentioned thread, the alleged hackers initiated the attack on July 10th. During this time, they conducted test transactions from their wallet ‘0x6ee’ to the ‘0x09b’ multisig address using SHIB coin. The operation was funded through six transactions of 0.1 ETH each from Tornado Cash, a currency mixer app.

ZachXBT further claimed that six 0.1 ETH withdrawals from Tornado Cash on July 10th were traced back to matching deposits made the previous day. This was done by analyzing transactions from address ‘0xc6873ce725229099caf5ac6078f30f48ec6c7e2e’.

The accuracy of this tracing was confirmed through related tests with SHIB tokens involving a ‘0x304’ multisig wallet on July 9th.

Technical Breakdown of WazirX Hack: ZachXBT

On July 8th, address ‘0xc68’ received 1 ETH from Tornado Cash at 3:03 PM UTC. This matched a deposit made nine hours earlier from the address ‘0xe3b4cf64e0fc25fafb10d226984b18addc038879ed77f730abbed4737db6a5fc’. 

On July 9th, addresses ‘0xc687’ and ‘0xc891’ transferred funds between each other. This undermines Tornado Cash’s privacy features by creating identifiable links between transactions.

Tracing back from address ‘0xc891’ reveals it was funded with 0.36 ETH and 0.66 ETH through two transactions on July 8th from an exchange. The transactions were linked to the following addresses: 
0xc2fdc27f98cf02c2da2a180fa35824dc365c63795e7a7ce12ba88c1e06edd4f7
0xa62685d8a8b39920e957e0aaf56d527aec6d65bc9323d3d219e11f44e150e224

Timing analysis reflects that these were funded from Bitcoin addresses ‘53795dd1629026c2f92a87d5cd2447736f1afc9cae71262f3af9e62a4ac83b92’ and ‘ddfd189125ce88c622ec2453b2e9f2dbe5c5c0931f16e3389eac4976c757e5b9’. 

This exposes a deeper transactional connection across currencies. ZachXBT affirms that the source of the Bitcoin funds seems to stem from an unknown service, which is hard to trace. However, he is quite confident that the WazirX hack shows potential signs of a Lazarus Group operation, citing previous incidents. 
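As an added illustration (not part of the article and not ZachXBT's own tooling), the Python sketch below shows the correlation logic behind the tracing described above: a withdrawal from a fixed-denomination mixer pool is matched against same-denomination deposits inside a time window, and a fresh address that drains a burst of N coins is linked to depositors who pushed in at least N such coins shortly before. When those candidates all collapse to one depositor, the effective anonymity set is one. All addresses, transaction ids and timestamps are constructed placeholders, not on-chain data from the hack.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class MixerEvent:
    """One deposit into, or withdrawal from, a fixed-denomination mixer pool."""
    txid: str          # constructed placeholder id
    ts: datetime       # UTC timestamp
    amount_eth: float  # pool denomination (e.g. 0.1 or 1.0 ETH)
    address: str       # depositor for deposits, recipient for withdrawals


def _t(day: int, hour: int, minute: int = 0) -> datetime:
    """Helper for the constructed July 2024 timeline."""
    return datetime(2024, 7, day, hour, minute)


# Constructed sample ledger (placeholders, not real transactions or addresses).
DEPOSITS: List[MixerEvent] = [
    MixerEvent("dep-1", _t(9, 10, 0), 0.1, "0xDEPOSITOR_A"),
    MixerEvent("dep-2", _t(9, 10, 5), 0.1, "0xDEPOSITOR_A"),
    MixerEvent("dep-3", _t(9, 10, 10), 0.1, "0xDEPOSITOR_A"),
    MixerEvent("dep-4", _t(1, 8, 0), 0.1, "0xDEPOSITOR_B"),  # days earlier: outside a 36h window
    MixerEvent("dep-5", _t(9, 12, 0), 1.0, "0xDEPOSITOR_C"),
]
WITHDRAWALS: List[MixerEvent] = [
    MixerEvent("wd-1", _t(10, 9, 0), 0.1, "0xFRESH_A"),
    MixerEvent("wd-2", _t(10, 9, 4), 0.1, "0xFRESH_A"),
    MixerEvent("wd-3", _t(10, 9, 9), 0.1, "0xFRESH_A"),
    MixerEvent("wd-4", _t(10, 15, 3), 1.0, "0xFRESH_B"),
]


def candidate_deposits(withdrawal: MixerEvent, deposits: List[MixerEvent],
                       window_hours: int) -> List[MixerEvent]:
    """Deposits of the same denomination that landed no more than `window_hours`
    before the withdrawal. Any of them could, in principle, be its source."""
    window = timedelta(hours=window_hours)
    return [
        d for d in deposits
        if d.amount_eth == withdrawal.amount_eth and d.ts <= withdrawal.ts <= d.ts + window
    ]


def anonymity_set(withdrawal: MixerEvent, deposits: List[MixerEvent],
                  window_hours: int = 36) -> int:
    """Number of distinct depositors that could have funded this withdrawal.
    A value of 1 means the mixer hid nothing for this coin."""
    return len({d.address for d in candidate_deposits(withdrawal, deposits, window_hours)})


def likely_depositors(deposits: List[MixerEvent], withdrawals: List[MixerEvent],
                      window_hours: int = 36) -> Dict[str, Set[str]]:
    """For each withdrawal recipient, return the depositors that could account for
    ALL of that recipient's withdrawals: a recipient pulling N coins of one
    denomination needs a depositor with at least N matching deposits in the window."""
    by_recipient: Dict[str, List[MixerEvent]] = {}
    for w in withdrawals:
        by_recipient.setdefault(w.address, []).append(w)

    result: Dict[str, Set[str]] = {}
    for recipient, ws in by_recipient.items():
        # depositor address -> set of its deposits that could feed any of these withdrawals
        pool: Dict[str, Set[str]] = {}
        for w in ws:
            for d in candidate_deposits(w, deposits, window_hours):
                pool.setdefault(d.address, set()).add(d.txid)
        result[recipient] = {addr for addr, txids in pool.items() if len(txids) >= len(ws)}
    return result


if __name__ == "__main__":
    for recipient, depositors in likely_depositors(DEPOSITS, WITHDRAWALS).items():
        print(f"{recipient} <- {sorted(depositors)}")
    for w in WITHDRAWALS:
        print(f"{w.txid}: anonymity set = {anonymity_set(w, DEPOSITS)}")
```

The window is the knob that matters: with a 36-hour window the three 0.1 ETH coins pulled by the constructed fresh address trace to a single depositor, while widening it to a month lets an unrelated older deposit back into the candidate set and the anonymity set grows again. That is the same reasoning the thread applies to the six 0.1 ETH withdrawals and their previous-day deposits, and it is why bursty, same-denomination, short-interval mixer usage is a weak privacy posture that forensic analysts look for.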

Although ZachXBT uncovered a KYC exchange deposit linked to the WazirX hacker, it may not be “super helpful” to WazirX founders, since KYC-verified accounts for almost any exchange are easily purchased online. It remains to be seen how investors will recover their funds as they await the next announcement from WazirX.
