
240,000 WazirX wallets hit by inconsistencies, unauthorised transfers


WazirX’s extensive affidavit to the Singapore Court, spanning more than 1,100 pages, lists over 240,000 wallet addresses, which the exchange says hold 55% of user funds after the July 18 cyber hack. The affidavit has several inaccuracies, including still-active wallets, repeated addresses, and inactive wallets. Furthermore, the exchange transferred $73.63 million and $1.5 million to Bybit and KuCoin, respectively, without notifying users.

A few days ago, WazirX released the details of approximately 240,000 wallets with balances as the crypto exchange undergoes restructuring. WazirX also said that once the consolidation process is done, it plans to work with third-party custodians to manage all token assets.

The company also disclosed the wallet address that was hacked: 0x27fD43BABfbe83a81d14665b1a6fB8030A60C9b4. This revelation prompted many users to point out that it is unusual for a cryptocurrency exchange to store $234 million, 45% of user funds, in a single wallet while distributing the rest across 240,000 wallets.


WazirX wallets: A comedy of errors and inconsistencies

However, the wallets showed some inconsistencies, with researchers finding at least 16 wallet addresses appearing to be repeated, reports The Crypto Times. This repetition casts doubt on the integrity of WazirX’s claim that 55% of user funds are distributed across these 240,000 wallets, prompting fears that the total number of unique wallets may be far lower than reported.

Among the most concerning revelations is that certain wallets remain active despite WazirX suspending all trading operations following the attack. A notable example is a wallet identified on the Tron blockchain: TXe3EibZP9jFogwyqLPd3APdwxZbiQBUqi, which still holds approximately $26 million.

The latest activity for wallet TXe3EibZP9jFogwyqLPd3APdwxZbiQBUqi happened 5 days ago, that is, on 16 October.

This wallet, listed as the seventh address on the Tron chain, continues to show on-chain activity as recently as October 16, 2024. The Tron transaction scanner has revealed that this wallet received a substantial transfer of over 235 billion HTX tokens (235,511,683,421.73961001 HTX), raising suspicions about ongoing transactions despite the platform freeze.

The investigation also unearthed discrepancies in how WazirX documented multichain wallets. In some instances, addresses appeared to repeat across different blockchain networks, possibly due to clerical errors or incorrect labelling. For example, a Bitcoin address appears in the list but with the wrong chain information attached, potentially contributing to confusion and misrepresentation.

The wallet 0xdbcc6f2f49b35f8fa3290f2a4dd6204a580dd4b1 was active 651 days ago.

Additionally, a wallet address found on page 312 of the affidavit, identified as 0xdbcc6f2f49b35f8fa3290f2a4dd6204a580dd4b1, was shown to have been inactive for two years. This address had previously interacted with a Binance-controlled WazirX account, contradicting WazirX’s public stance that it had severed all ties with Binance following their fallout.


WazirX’s shady asset transfers

WazirX’s deceit and lies did not stop there. In a significant blow to user confidence, it has been alleged that WazirX is transferring $75 million to global exchanges Bybit and KuCoin without notifying its users.

According to Ashish Singhal, founder and CEO of CoinSwitch, WazirX allegedly funnelled $72.13 million to Bybit and another $1.5 million to KuCoin. These undisclosed transfers have left many users in India reeling and confused.

“By scanning through these wallets, we have observed a large chunk of WazirX crypto has been moved to exchanges such as Bybit and Kucoin post the incident. As of now, we have identified the movement of $ 72.13 mn worth of crypto to Bybit and $ 1.5 mn funds to Kucoin,” Singhal stated.

Here are the addresses associated with the transfers to Bybit:

  • XRP: rJn2zAPdF193sixJwuFixRkYDUtx3apQh:5006468183
  • TRX: TSW5magE3F5eZaPAj8fL6E5vuJz9rDRmBc
  • BTC: 1MNMJbuWvyp4inVXUHNh7Bve6o8SgwrgYA
  • DOGE: DJ5kTVVWUebZTMAN6kmSbD2ouEhttVvh1hq
  • SOL: BAtK9hfrYt1XTy9jXHk2pbKrFqtAEzKssN5W9kjvyxB

Meanwhile, only one wallet address, ETH: 0xfc6f1aded9966868734bd265de0544a8ee56137a, was used to transfer $1.5 million to KuCoin.

CoinSwitch also found that of the 200K wallets they checked, approximately 100K addresses had less than $10 while approximately 18K addresses had zero balance.

Furthermore, Singhal said that CoinSwitch had deposited some INR and Virtual Digital Assets (VDAs) with WazirX and had to use its own treasury to fill the assets once WazirX stopped withdrawals. CoinSwitch has since taken legal action against WazirX to recover the funds.

To bring transparency to the issue, CoinSwitch has also developed a data analysis dashboard to track WazirX wallet leaks. After further analysis of the dashboard, we found that the top 10 wallet addresses amount to about $142 million, while the top ERC20 addresses comprise about five million dollars.


WazirX: A tale of lies and deceit?

Right after the attack, users criticised WazirX’s approach. First, they criticised its decision to block withdrawals, and then its decision to implement the ‘socialised loss’ strategy, which essentially means that the company will share the assets among all users “instead of placing the burden of the loss on a single individual.”

Furthermore, a new dispute arose regarding WazirX’s ownership during a town hall. Meanwhile, hackers were moving millions of stolen assets through Tornado Cash to obscure their tracks.

In September, a few months after the attack, Cyvers, a cyber security firm, claimed that upon detecting the breach, the firm notified WazirX. However, the crypto exchange didn’t take the warning seriously.

After releasing the wallet addresses, WazirX hoped to allay some fears. However, due to inconsistencies and shady asset transfers, WazirX’s reputation has taken a big fall. Meanwhile, the Delhi High Court opened the way to file a civil lawsuit against the crypto exchange.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
