North Korea Stole $234.9 Million From 4.4 Million Indian Users. They Got Back 85% of a Reduced Portfolio and 15% in Tokens Nobody Can Sell.
On July 18, 2024, a hacker funded via Tornado Cash rewrote the smart contract on WazirX’s multi-signature wallet and drained $234.9 million — 45% of the exchange’s total reserves — in a single attack.
462 days later, users got back 85% of a rebalanced portfolio valued at post-crash prices. The remaining 15% was issued as “Recovery Tokens” — non-tradable IOUs with no guaranteed redemption timeline.
WazirX calls this “the fastest recovery in crypto history, outpacing FTX and Mt. Gox.” Users call it a 35-45% effective loss dressed up as 85% recovery.
Here is exactly what happened, what users actually got back, and what the 15% Recovery Tokens are really worth.
What Was Stolen — Token-Level Breakdown
| Token | Amount Stolen | Value at Time of Hack |
|---|---|---|
| SHIB (Shiba Inu) | 5.43 trillion tokens | $96.7 million |
| ETH (Ethereum) | 15,298 ETH | $52.5 million |
| MATIC (Polygon) | 20.5 million tokens | $11.24 million |
| PEPE | 640.27 billion tokens | $7.6 million |
| USDT | 5.79 million | $5.79 million |
| FLOKI | undisclosed | $4.7 million |
| GALA | 135 million tokens | $3.5 million |
| FTM (Fantom) | undisclosed | $3.2 million |
| LINK (Chainlink) | undisclosed | $2.8 million |
| FET (Fetch.ai) | undisclosed | $2.3 million |
| 200+ other tokens | — | ~$48 million |
| Total | — | $234.9 million |
One memecoin — SHIB — represented 41% of the total stolen value. The hacker converted everything into ETH, accumulating 59,097 ETH across intermediary wallets.
How the Hack Worked — The Technical Failure
WazirX used a Safe (formerly Gnosis Safe) multi-signature wallet requiring 4 signatures to authorize transactions: 3 from WazirX + 1 from Liminal Custody (third-party custodian).
The attacker did not collect the signatures. They rewrote the smart contract controlling the wallet itself, gaining full control without needing any keys.
The attack sequence:
- July 10, 2024: Hacker funded via Tornado Cash (8 days before the attack)
- Pre-hack: Created a fake WazirX account, deposited tokens, began purchasing GALA tokens to drain the hot wallet
- July 18, 2024: Altered the multisig smart contract, gained full cold wallet access, drained 200+ tokens in rapid succession
- Immediately after: WazirX suspended all crypto trading
Two competing forensic reports exist — and they blame opposite parties:
| Report | Hired By | Conclusion |
|---|---|---|
| Mandiant (Aug 14, 2024) | WazirX | Attack originated from Liminal Custody’s infrastructure |
| Grant Thornton | Liminal Custody | Liminal’s systems were clean |
No independent, neutral forensic audit has been published. Indian agencies have not confirmed wrongdoing by either party.
The “Socialization of Losses” — Why Users With Unstolen Tokens Lost Money
On July 27, 2024, WazirX announced a plan that made the hack look fair by comparison: distribute the $234.9 million loss across ALL users, including those whose tokens were never stolen.
The original proposal:
- Lock 45% of every user’s crypto wallet
- Allow trading with remaining 55%
- Two options via non-binding poll (deadline August 3, 2024):
- Option A: Access 55% for trading with withdrawal restrictions, higher recovery priority
- Option B: Withdraw 55% in staggered manner, lower recovery priority
The backlash was immediate:
- CoinDCX co-founder Sumit Gupta: “Utter nonsense” — corporate treasury should absorb losses first
- Researcher Kashif Raza identified critical flaws:
- Asset snapshot taken July 21 (3 days post-hack), not July 18 — tokens had already crashed 30-50%
- WRX Foundation held 30% of WRX token supply — this should compensate victims before socializing losses
- Users holding unstolen tokens were penalized for the exchange’s custody failure
- Users demanded CBI inquiry to determine if the hack was external or an inside job
The plan was shelved after massive backlash. But the underlying logic — spreading the loss across all users — survived into the final restructuring scheme.
The Singapore Court Process — 15 Months to a Scheme
WazirX’s Singapore entity, Zettai Pte Ltd, filed for moratorium protection under Singapore’s Insolvency, Restructuring and Dissolution Act.
| Date | Event |
|---|---|
| August 27, 2024 | Zettai files moratorium application |
| September 26, 2024 | Singapore HC grants 4-month moratorium |
| January 24, 2025 | Court approves creditors’ meeting convocation |
| April 7, 2025 | 93.1% of creditors (94.6% of claim value) approve Scheme of Arrangement |
| June 4, 2025 | Court REJECTS the scheme — inadequate creditor safeguards |
| July 16, 2025 | Court orders revote on revised scheme, extends moratorium |
| August 18, 2025 | Revote: 95.7% of creditors back amended plan |
| October 13, 2025 | Singapore HC sanctions revised Scheme of Arrangement |
| October 15, 2025 | Scheme filed with ACRA, becomes effective |
Total liabilities declared: $545.3 million — significantly more than the $234.9 million stolen, suggesting operational losses, frozen assets, and other liabilities.
The same restructuring firm — Kroll — handled both WazirX and the earlier Vauld collapse. Creditors explicitly raised concerns, noting that Vauld’s restructuring was widely criticized as unfair and deceitful.
What Users Actually Got Back — The Math Nobody Is Showing
The “85% Recovery” — In Name Only
WazirX claims 85% recovery. Here is what that actually means:
Step 1 — Rebalancing (February 2025): WazirX recalculated every user’s portfolio as a proportion of total claims ($545.3 million in liabilities). Asset valuation used the July 21, 2024 snapshot — 3 days after the hack, when many tokens had already crashed.
Step 2 — First Distribution (October 2025): ~85.5% of the rebalanced portfolio distributed within 10 business days of exchange restart.
Step 3 — Recovery Tokens (January 9, 2026): Remaining 15% issued as non-tradable Recovery Tokens.
Real Recovery for Different User Profiles
| User Scenario | What WazirX Says | What Actually Happened |
|---|---|---|
| Held only ETH | 85% recovered | ~70-80% in INR terms (ETH price fluctuation + rebalancing) |
| Held SHIB/memecoins | 85% recovered | ~50-60% (rebalanced at post-crash values, not pre-hack) |
| Held tokens that were NOT stolen | 85% recovered | ~55-65% (penalized via socialization despite tokens being untouched) |
| Made trades post-hack | Trades reversed | 0% of post-hack gains (balances reset to July 18, 1:00 PM IST) |
| Funds frozen by ED | Frozen separately | 0% access (Rs 2,500 crore frozen under FEMA probes) |
The core deception: 85% of a rebalanced (already reduced) portfolio is not 85% of what users originally had. For most users, the effective recovery in rupee terms is 55-65%.
Recovery Tokens — The 15% You Will Probably Never See
Recovery Tokens (RTs) were allocated on January 9, 2026. Here is exactly how they work:
| Feature | Detail |
|---|---|
| Tradable? | No — cannot be sold, transferred, or listed on any exchange |
| Guaranteed redemption? | No — dependent entirely on WazirX generating surplus cash |
| Redemption frequency | Quarterly evaluation cycles only |
| Minimum threshold | WazirX must realize at least $10 million in recoverable value per quarter |
| If threshold not met? | Rolls forward to next quarter — indefinitely |
| Redeemable for | Crypto, INR credits, or trading-fee offsets |
| Oversight | Anonymous 10-member creditor committee (selection criteria undisclosed) |
The Math Problem
For WazirX to buy back all Recovery Tokens, it needs to generate enough surplus revenue to cover 15% of $545.3 million = approximately $81.8 million.
At current trading volumes and fee structures, generating $10 million quarterly surplus is optimistic. At $5 million surplus per quarter — a more realistic estimate — full Recovery Token redemption would take 16+ quarters (4+ years).
If WazirX trading volumes continue declining (as they have post-hack), the $10 million quarterly threshold may never be met. In that scenario, Recovery Tokens are effectively worth zero.
The Lazarus Group — North Korea’s $6.75 Billion Crypto Theft Machine
The WazirX hack was not a random exploit. It was a state-sponsored operation by North Korea’s Lazarus Group (also known as TraderTraitor).
Confirmed Attribution
A joint statement by the United States, South Korea, and Japan (January 14, 2025) formally attributed the WazirX hack to Lazarus Group. Blockchain forensics firm Elliptic and independent researcher ZachXBT had previously identified the attack patterns.
Lazarus Group’s Track Record
| Year | Target | Amount Stolen |
|---|---|---|
| 2016 | Bangladesh Bank (SWIFT) | $81 million |
| 2022 | Ronin Network (Axie Infinity) | $620 million |
| 2023 | Atomic Wallet | $100 million |
| 2024 | DMM Bitcoin | $308 million |
| 2024 | WazirX | $234.9 million |
| 2024 | Upbit | $50 million |
| 2025 | Bybit | $1.5 billion |
| Cumulative | — | $6.75 billion |
Stolen funds directly finance North Korea’s weapons of mass destruction and ballistic missile programs. In 2025 alone, Lazarus stole $2.02 billion — representing approximately 60% of all global crypto theft.
How the WazirX Funds Were Laundered
- September 3, 2024: Laundering via Tornado Cash begins
- First wave: ~15,000 ETH ($40 million) moved
- Method: 5,000 ETH batches to intermediary addresses → 100 ETH chunks to Tornado Cash
- Full laundering cycle: ~45 days
- Only $3 million in USDT has been frozen via international cooperation
The $23 million white-hat bounty (10% of stolen amount) has produced no significant recovery.
The Binance-WazirX Ownership War
This dispute is critical because it determines who bears financial responsibility for the hack.
The Timeline of Contradictions
| Date | Event |
|---|---|
| November 2019 | Binance publicly announces WazirX acquisition |
| February 2020 | WRX token launched via Binance Launchpad (8x first-day gain) |
| 2020-2022 | WazirX operates as Binance’s India arm; Binance controls crypto wallets |
| January 2022 | Nischal Shetty and co-founder Sameer Mhatre relocate to Dubai |
| 2022 | Binance CEO CZ disowns acquisition — claims deal never closed |
| January 2023 | Binance threatens WazirX with service termination unless Shetty retracts ownership claims |
| Early 2023 | Shetty migrates wallets from Binance to Liminal Custody (the custodian later hacked) |
| July 2024 | Hack occurs on Liminal-custodied wallet |
| Post-hack | Binance: “Never owned or operated WazirX, does not hold any user funds” |
The $67 Million Question
Nischal Shetty possesses evidence showing Binance withdrew $67 million in trading fees from WazirX to accounts under Binance’s sole control. If Binance extracted revenue from WazirX operations while denying ownership, users may have a legal claim against Binance.
The ownership dispute is now in active litigation.
Indian Regulatory and Legal Actions
Enforcement Actions
| Agency | Action | Amount/Scope |
|---|---|---|
| ED | Initial asset freeze (2021) | Rs 64.67 crore |
| GST Department | Tax evasion raid (Dec 2021) | Rs 40.5 crore |
| ED | Additional freeze | Rs 370 crore |
| ED | Total frozen user funds | Rs 2,500 crore |
| Delhi Police | Arrested SK Masud Alam (mule account operator) | October 2024 |
| FIU/IB/CERT-In | Interrogated WazirX executives, examined server logs | October 2024 |
Court Proceedings in India
Supreme Court (April 16, 2025): Dismissed petition by 54 hack victims seeking CBI investigation against WazirX, Shetty, Binance, and Liminal. Reason: “lack of regulatory clarity around cryptocurrencies.” Told petitioners to approach the government instead.
Madras High Court (October 26, 2025): Landmark ruling — barred WazirX from using customer-held XRP to offset losses. Declared crypto qualifies as “property” under Indian law: “assets capable of being owned, possessed, and held in trust.” This precedent may enable other users across India to challenge the rebalancing scheme.
Delhi High Court: Issued notices to WazirX. Rejected police status report. Ordered fresh probe.
The Protection Gap
India taxes crypto at among the world’s highest rates — 30% flat + 1% TDS + no loss offset — but offers zero investor protection:
- No SEBI-like investor protection fund
- No deposit insurance
- No settlement guarantee
- No circuit breakers
- FIU registration covers AML compliance only, not fund safety
India leads global crypto adoption (Chainalysis 2023 ranking) while maintaining a contradictory policy: aggressive taxation with zero protection.
The Tax Nightmare — Paying Tax on Money You Cannot Access
The WazirX hack created a uniquely cruel tax situation under Section 115BBH:
-
Users who booked gains before the hack already paid 30% tax on those profits. After the hack, the principal is locked or lost. There is no mechanism to recover the taxes already paid.
-
1% TDS was already deducted on every transaction via Section 194S. That capital is gone — locked in a refund cycle.
-
No loss offset exists. The hack loss cannot be claimed against any income — salary, capital gains, business income, or even other crypto gains.
-
No carry-forward. The loss cannot be used in future years.
A user who made Rs 10 lakh in crypto gains in FY 2024-25 (paying Rs 3.12 lakh in tax) and then lost everything in the WazirX hack has no recourse. The Rs 3.12 lakh paid to the government on gains that no longer exist is a permanent loss.
WazirX vs Vauld vs FTX — Who Actually Got Their Money Back?
| Parameter | WazirX | Vauld | FTX |
|---|---|---|---|
| Year of collapse | 2024 | 2022 | 2022 |
| Cause | External hack (Lazarus Group) | TerraUSD exposure + market crash | Fraud (misuse of customer funds) |
| Amount lost | $234.9M (45% of reserves) | $70M deficit | $8.7 billion |
| Entity jurisdiction | Singapore | Singapore | Bahamas |
| Restructuring firm | Kroll | Kroll | Sullivan & Cromwell |
| Recovery % claimed | 85% | Pending | 119% (at filing-date prices) |
| Recovery % in real terms | 55-65% (rebalanced portfolio) | Minimal to date | ~119% (USD, not crypto) |
| Time to first distribution | 462 days | 3+ years (ongoing) | ~2 years |
| Indian regulatory action | ED freeze Rs 2,500 crore | ED freeze Rs 370 crore | No direct India exposure |
| User protection | None | None | US bankruptcy protections |
FTX users — victims of outright fraud — got better recoveries than WazirX users — victims of an external hack. The difference: US bankruptcy courts with established creditor protections vs. Singapore moratorium with no equivalent framework for Indian retail investors.
Complete Timeline — July 2024 to January 2026
| Date | Event |
|---|---|
| July 10, 2024 | Hacker funded via Tornado Cash |
| July 18, 2024 | $234.9M stolen from multisig wallet; all trading suspended |
| July 19, 2024 | FIR complaint filed by WazirX |
| July 21, 2024 | Bounty program launched ($23M white-hat reward); asset snapshot taken at this date (not July 18) |
| July 27, 2024 | ”Socialization of losses” plan announced; massive backlash |
| August 5, 2024 | FIR registered (17-day delay from complaint); ED search at WazirX office |
| August 14, 2024 | Mandiant forensic report: attack originated from Liminal side |
| August 2024 | 66% INR withdrawals resume; NCLT petitions filed |
| August 27, 2024 | Zettai files moratorium application in Singapore |
| September 3, 2024 | Hacker begins laundering funds via Tornado Cash |
| September 26, 2024 | Singapore HC grants 4-month moratorium |
| October 2024 | Delhi HC issues notices; SK Masud Alam arrested; FIU/IB/CERT-In interrogate executives |
| December 2024 | Chargesheet filed; CZ warns WazirX users; auto-subscription controversy |
| January 14, 2025 | US-South Korea-Japan joint statement confirms Lazarus Group attribution |
| January 24, 2025 | Singapore court approves creditors’ meeting |
| February 2025 | Portfolio rebalancing completed |
| April 7, 2025 | 93.1% creditors approve Scheme of Arrangement |
| April 16, 2025 | India Supreme Court dismisses 54-victim petition |
| June 4, 2025 | Singapore court rejects initial restructuring plan |
| July 16, 2025 | Court orders revote on amended scheme |
| August 18, 2025 | Revote: 95.7% back revised plan |
| October 13, 2025 | Singapore HC sanctions revised Scheme |
| October 23-24, 2025 | Exchange reopens; 85% First Distribution begins |
| October 26, 2025 | Madras HC declares crypto as “property”; blocks XRP rebalancing |
| November 2025 | Fund Recovery Portal live; WazirX Zero trading model launched |
| January 9, 2026 | Recovery Token allocation completed for remaining 15% |
What This Means for Indian Crypto Investors
The WazirX hack is not a story about one exchange failing. It is a structural exposure report on what happens when you hold assets in a system with:
- No insurance: Unlike bank deposits (DICGC covers Rs 5 lakh) or demat accounts (investor protection fund), crypto on exchanges has zero safety net
- No regulator with teeth: SEBI protects stock investors. RBI protects depositors. Nobody protects crypto holders
- Maximum taxation with zero protection: India charges 30% + 1% TDS — among the world’s highest crypto tax rates — while offering no loss offset, no carry-forward, and no investor compensation
- Singapore jurisdiction for Indian users: 4.4 million Indian users had their fate decided in a Singapore court under Singapore insolvency law
If you hold crypto on any Indian exchange, the WazirX hack is the best-case scenario for what happens when things go wrong. The exchange survived, the courts cooperated, and users got 55-65% back in real terms. In many other cases — Vauld, Bitbns — users got nothing.
The only protection that works: self-custody. Hardware wallets are not convenient. They are also not vulnerable to exchange hacks, socialization of losses, or Singapore moratorium applications.
Sources and Verification
Data in this article is sourced from: Singapore High Court filings (Zettai Pte Ltd moratorium proceedings), WazirX official blog disclosures, Elliptic blockchain forensics reports, joint US-South Korea-Japan statement (January 14, 2025), Mandiant investigation report (August 14, 2024), Madras High Court order (Justice N. Anand Venkatesh, October 2025), Supreme Court of India order (April 16, 2025), ED press releases, Delhi Police chargesheet (December 2024), and ACRA filings.
All figures verified across minimum two independent sources. Token-level theft data from on-chain analysis by Elliptic and ZachXBT. Recovery Token mechanics from WazirX Scheme of Arrangement documentation filed with Singapore courts.