WazirX is a major cryptocurrency exchange based in India. In this OSINT challenge, participants investigate its digital footprint to uncover publicly available information related to its operations, incidents, and online presence using open-source intelligence techniques.
In 2022, WazirX faced a major cryptocurrency scandal involving approximately $235 million (₹1,960 crore) allegedly laundered through fake accounts and untraceable wallets. The attackers are believed to have gained initial access via a phishing email and then exploited internal infrastructure through broken access control, specifically IDOR vulnerabilities in backend APIs. Once inside, they escalated privileges to reach admin panels.
To hide their tracks, they used Tornado Cash and chain hopping, converting Ethereum to privacy coins like Monero. Multiple fake accounts were created using synthetic identities and fake documents, bypassing KYC checks through automated systems. Transfers were split using transaction smurfing and sent during high-traffic hours, avoiding AML detection.
On the cloud side, misconfigured public S3 buckets and over-permissive IAM roles may have leaked wallet data. To maintain access, a remote access trojan (RAT) was deployed through macro-enabled crypto spreadsheets. At the smart contract level, they abused flaws in the application layer to automate fund movements. The attack bore similarities to the Bitfinex hack, both in method and in laundering style.
Additionally, API key leakage without proper IP whitelisting allowed unauthorized withdrawals. For cold wallet access, the attacker used vishing techniques, pretending to be regulatory officials. Their trace was lost due to VPN chains, SIM swapping, and mixer loops. Despite this, KYC bypass and the lack of robust AML enforcement allowed the incident to go undetected for a long time.
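Two of the weaknesses named above, IDOR in backend APIs and API keys usable from any source IP, share one defensive pattern: a withdrawal request is authorized only if the key's bound IP allowlist matches the caller and the target wallet belongs to the key's owner. The following is an added illustration, not WazirX code or anything recovered from the incident; the key, wallet and network values are constructed sample data, and the `authorize_withdrawal` function and its data model are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample data model; not taken from any real exchange backend.

@dataclass
class ApiKey:
    key_id: str
    owner: str
    # CIDR ranges the key may be used from; an empty list means the
    # operator never configured an allowlist (the weak setting).
    allowed_cidrs: List[str] = field(default_factory=list)

@dataclass
class Wallet:
    wallet_id: str
    owner: str

# Constructed fixtures: alice's key is pinned to one /24, bob's has no allowlist.
API_KEYS = {
    "k1": ApiKey("k1", "alice", ["203.0.113.0/24"]),
    "k2": ApiKey("k2", "bob"),
}
WALLETS = {
    "w1": Wallet("w1", "alice"),
    "w2": Wallet("w2", "bob"),
}

def ip_allowed(key: ApiKey, source_ip: str) -> bool:
    """Return True only if source_ip falls inside one of the key's CIDRs.

    Fails closed: a key with no allowlist cannot withdraw at all, so a
    leaked key is useless until the owner binds it to their own addresses.
    """
    if not key.allowed_cidrs:
        return False
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False)
               for cidr in key.allowed_cidrs)

def authorize_withdrawal(key_id: str, source_ip: str, wallet_id: str) -> Tuple[bool, str]:
    """Decide whether a withdrawal may proceed; returns (allowed, reason)."""
    key = API_KEYS.get(key_id)
    if key is None:
        return (False, "unknown api key")
    if not ip_allowed(key, source_ip):
        return (False, "source ip not in key allowlist")
    # IDOR mitigation: the wallet id supplied by the caller is never trusted
    # on its own; ownership is checked server-side against the key's owner.
    # Unknown and foreign wallets get the same reason so ids cannot be enumerated.
    wallet = WALLETS.get(wallet_id)
    if wallet is None or wallet.owner != key.owner:
        return (False, "wallet not found for this account")
    return (True, "ok")

if __name__ == "__main__":
    for args in [("k1", "203.0.113.10", "w1"),   # legitimate
                 ("k1", "198.51.100.5", "w1"),   # leaked key, wrong network
                 ("k1", "203.0.113.10", "w2"),   # IDOR attempt on bob's wallet
                 ("k2", "198.51.100.5", "w2")]:  # key with no allowlist
        print(args, authorize_withdrawal(*args))
```

The ownership check is deliberately performed after the IP check and uses the key's owner, not any account identifier from the request, which is what closes the IDOR class of bug; the allowlist failing closed is what turns a leaked key into a non-event rather than an unauthorized withdrawal.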