On July 18, 2024, WazirX — at the time India's largest cryptocurrency exchange — lost approximately $234.9 million in tokens from a 4-of-6 Gnosis Safe held under a third-party custody arrangement with Liminal Custody.
What happened
The Safe held the exchange's customer reserves on Ethereum. Five signing keys belonged to WazirX; the sixth belonged to Liminal. By policy, every withdrawal required Liminal's signature plus at least three WazirX signatures.
The attackers exploited a discrepancy between what the Liminal custody interface displayed and the calldata actually being signed. When three WazirX signers and the Liminal co-signer approved what they saw as a routine transfer, the underlying transaction was something else entirely: a malicious upgrade of the Safe's implementation that transferred control of the wallet to the attacker.
The malicious smart contract used in the attack had been deployed eight days earlier, strong evidence of a planned operation that took time to reconnoiter Liminal's signing flow.
Aftermath
- WazirX paused withdrawals immediately and initiated a restructuring under Singapore court supervision.
- After more than a year of legal proceedings, the restructuring scheme took effect in October 2025, and WazirX returned approximately 85% of customer funds.
- Several security firms attributed the operation to the Lazarus Group based on TTPs (eight-day pre-positioned contract, UI-deception pattern, post-incident laundering routes), though attribution was never officially confirmed.
Why it matters
WazirX was the first major incident in which the custodial UI itself — not the keys, not the contracts — was the trust failure. The same class of vulnerability was used six months later in the Radiant Capital hack and at unprecedented scale in the Bybit heist. Multiple custody platforms have since added second-channel calldata verification and out-of-band signing prompts.
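One way to implement the second-channel calldata verification mentioned above: decode the payload independently of the custody interface and compare it with the transfer the signer was shown (an added example, not code from WazirX, Liminal or Safe). It assumes the displayed action is a plain ERC-20 transfer; `Intent`, `SafeTx`, `verify` and every address are hypothetical, constructed values, while the 0/1 encoding of `operation` is the Safe contract's own.

```python
from dataclasses import dataclass

ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
CALL, DELEGATECALL = 0, 1                   # values of the Safe `operation` field

@dataclass
class Intent:   # what the custody interface says is being approved
    token: str
    recipient: str
    amount: int

@dataclass
class SafeTx:   # fields of the Safe transaction actually presented for signing
    to: str
    value: int
    data: bytes
    operation: int

def encode_transfer(recipient: str, amount: int) -> bytes:
    """ABI-encode transfer(recipient, amount); used to build the sample payloads."""
    return ERC20_TRANSFER + bytes(12) + bytes.fromhex(recipient[2:]) + amount.to_bytes(32, "big")

def verify(intent: Intent, tx: SafeTx) -> list:
    """Return every mismatch between the displayed intent and the payload ([] = match)."""
    problems = []
    if tx.operation != CALL:
        problems.append("operation is not CALL: DELEGATECALL runs foreign code on the Safe's storage")
    if tx.to.lower() != intent.token.lower():
        problems.append("target contract is not the displayed token")
    if tx.value != 0:
        problems.append("payload moves ETH that the display did not mention")
    if len(tx.data) != 68 or tx.data[:4] != ERC20_TRANSFER or any(tx.data[4:16]):
        problems.append("calldata is not a plain ERC-20 transfer")
        return problems  # nothing further can be decoded safely
    recipient = "0x" + tx.data[16:36].hex()
    amount = int.from_bytes(tx.data[36:68], "big")
    if recipient != intent.recipient.lower():
        problems.append("recipient differs from the displayed one")
    if amount != intent.amount:
        problems.append("amount differs from the displayed one")
    return problems

# Constructed sample values, not addresses or calldata from the incident.
TOKEN, DEST, OTHER = ("0x" + b * 20 for b in ("11", "22", "33"))
INTENT = Intent(TOKEN, DEST, 1_000_000)
GOOD = SafeTx(TOKEN, 0, encode_transfer(DEST, 1_000_000), CALL)
BAD = SafeTx(OTHER, 0, bytes.fromhex("deadbeef") + bytes(32), DELEGATECALL)
if __name__ == "__main__":
    print(verify(INTENT, GOOD), verify(INTENT, BAD), sep="\n")
```

The check only has value when it runs on a device and code path separate from the interface that rendered the intent, so that a compromised display cannot also supply the comparison.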
Sources & on-chain evidence
- [01] en.wikipedia.org: https://en.wikipedia.org/wiki/2024_WazirX_hack
- [02] halborn.com: https://www.halborn.com/blog/post/explained-the-wazirx-hack-july-2024
- [03] crystalintelligence.com: https://crystalintelligence.com/investigations/expert-analysis-wazirx-hack/