From WazirX Hack to Crypto Security: What Experts Say About the $230 Million Theft
NEW DELHI: India’s leading cryptocurrency exchange, WazirX, faced a massive security breach on Thursday, resulting in the theft of approximately $230 million (around Rs 2000 crores). The attackers targeted the exchange’s Safe Multisig wallet on the Ethereum network, demonstrating the complexity and precision of a highly organized criminal operation. This sophisticated hack has sparked speculation about the involvement of the notorious North Korean cybercrime group, Lazarus Group, which has a history of targeting the crypto sphere.
Prominent blockchain experts shared their insights on the incident and the measures needed to enhance the security of cryptocurrency exchanges.
Regulatory Clarity and Immediate Action
Sanjeev Shahi, Director-Sales, South Asia & Pacific at Crystal Blockchain, highlighted the urgent need for regulatory clarity in India, especially in light of the evolving relationship between cryptocurrency exchanges and the government. “This is a critical moment for regulatory clarity, with stringent requirements for information security alongside AML and fiscal risks,” he stated. Shahi is confident that Indian authorities are working closely with WazirX to freeze and recover the stolen funds. Furthermore, he believes the government is likely verifying the custody procedures of other exchanges to ensure that their assets are not overly centralized and that proper measures are in place to prevent similar attacks.
Gaurav Mehta, Co-founder & CEO, Catax, concurred, emphasizing the need for stringent regulations and regular audits for cryptocurrency exchanges. “Governments and authorities should enforce secure custody protocols similar to those in the stock market to safeguard assets, mandate insurance policies to cover losses from hacks, and promote robust cybersecurity frameworks and standards,” he suggested. Mehta underscored the importance of these interventions to ensure the safer custody of billions held by Indians on these platforms.
Advice to Clients and Other Exchanges
To the clients of WazirX and other cryptocurrency exchanges, Shahi advised against panic. “Clients should not believe that WazirX is dreadful at security,” he emphasized, suggesting that the issue is likely contained. He recommended that clients temporarily withdraw their funds to self-custody but cautioned about the associated risks. “If you’re using a hardware wallet like Trezor or Ledger, make sure it hasn’t been tampered with once you buy it from the store,” he advised.
Mehta added that clients should immediately collaborate with international exchanges, forensic experts, and industry partners to track and recover stolen funds, ensuring they are not liquidated.
Shahi underscored the relentless and clever nature of cyber attackers. “These attackers are persistent and always shifting tactics to beat the defenders. Sometimes, they just get through—and these disasters happen,” he explained.
Mandatory Security Protocols
Shahi pointed to the Cryptocurrency Security Standard (CCSS), an open standard developed for cryptocurrency businesses, as a crucial guideline. “The most important considerations are having multi-signature requirements for key wallets and distributing funds into smaller amounts to minimize losses if one wallet is compromised,” he explained. He also stressed the importance of minimizing damage if attackers gain access to systems, which often occurs through phishing attacks on social media or email.
Mehta emphasized the need for clear custody guidelines and mandatory third-party auditing to ensure better protection for users’ funds on cryptocurrency platforms. “This approach addresses the lack of standardized treasury management practices across exchanges, providing a more consistent and secure framework for safeguarding user assets,” he said.
Picking a Safe Exchange
When asked about how to choose a safe exchange, Shahi acknowledged that no solution is 100% foolproof. He suggested that users consider their level of exposure and look for external audit standards like ISO 27001 and PCI DSS. “You can also look for evidence of on-chain tech audits if it’s a DeFi protocol or token,” he advised. Shahi recommended checking if exchanges use high-quality custodial services and effective AML monitoring tools like Crystal, which can help detect and respond to hacks swiftly.
Improving Internal Security Measures
Addressing how services can improve their internal security measures, Sanjeev Shahi emphasized that security requires a cultural shift rather than just financial investment. “You need a culture of it—from the office to the home,” he said. He suggested making small security practices routine, such as using a password manager for both work and personal use. Shahi also proposed offering security-related perks to staff, like free antivirus subscriptions and password managers for their families, to integrate security into their daily lives.
Gaurav Mehta added that cryptocurrency exchanges can improve their internal security measures by implementing real-time monitoring and anomaly detection systems, conducting regular third-party security audits and penetration tests, and enforcing strict access controls for transactions. He stressed that while multi-signature protocols are important, the overall system security is crucial. “Exchanges should ensure the security of the entire system, not just the multi-signature components,” he explained.
Transparency and Communication
Mehta highlighted the importance of transparency from cryptocurrency exchanges in the event of a security breach. “Exchanges should provide clear and timely information to their clients about the breach, the steps being taken to address it, and any measures clients should take to protect their assets,” he advised. This transparency helps build trust and ensures that clients are well-informed.
Comprehensive Steps to Enhance Security
Sanjeev Shahi elaborated on several comprehensive steps to enhance security in the cryptocurrency sector. First, he highlighted the importance of having stringent regulatory frameworks that mandate robust information security practices. “Regulatory clarity will ensure that exchanges adhere to best practices in information security, AML, and fiscal risk management,” he stated.
He also stressed the necessity of multi-signature wallets for key funds. “Multi-signature wallets prevent a single person from withdrawing funds, adding an extra layer of security,” Shahi explained. Additionally, he recommended that exchanges distribute funds into smaller amounts across multiple wallets to minimize potential losses if one wallet is compromised.
Shahi emphasized the importance of regular security audits and third-party assessments. “Exchanges should undergo regular security audits and adhere to standards like ISO 27001 and PCI DSS. These audits provide an external validation of the exchange’s security measures,” he advised.
Educating and Empowering Users
Educating users about the security measures they can take is also critical. Shahi suggested that exchanges should provide comprehensive guides on how to securely store and manage cryptocurrencies. “Users should be informed about the risks and best practices for securing their assets. This includes using hardware wallets, keeping seed phrases secret, and downloading applications only from trusted sources,” he explained.
Building a Culture of Security
Building a culture of security within the organization is equally important. Shahi recommended integrating security practices into daily routines for all employees. “If employees are required to use a password manager for work, they should use one at home too. This consistency helps reinforce secure habits,” he stated. Offering security-related perks, such as free antivirus subscriptions and password managers for employees’ families, can further promote a culture of security.
Lessons for the Industry
Gaurav Mehta concluded with a crucial lesson for the industry: custody and exchange mechanisms should be managed by separate entities. “VDA asset custodians should be handled by specialized entities that are insured, regulated, and compliant with local laws,” he advised. This separation can help mitigate risks and ensure that assets are better protected.
The breach at WazirX highlights the ever-present threats in the cryptocurrency sector. While regulatory clarity and robust security protocols are crucial, fostering a culture of security among both staff and users is equally important. As the industry navigates these challenges, expert insights from professionals like Sanjeev Shahi and Gaurav Mehta will be invaluable in shaping a safer future for cryptocurrency exchanges. By implementing comprehensive security measures and educating users, the industry can better defend against sophisticated cyber threats and build trust among cryptocurrency investors.