There has been a lot of learning from the cyberattack for us: WazirX’s Nischal Shetty

Cryptocurrency exchange WazirX is preparing to resume its operations. However, its return rests in the hands of its creditors. Between March 19 and 28, about four million WazirX users will be eligible to vote on a third-party platform, Kroll Issuer Services (KIS), for the recovery scheme as the crypto exchange looks to make a comeback after a cyberattack. 

Independent assessor, Alvarez & Marsal will evaluate the results. 

The cyberattack, which happened on July 18, 2024, saw assets worth $234.9 stolen from the platform. This January, the US, South Korea, and Japan agencies made a joint statement, pointing to North Korea’s Lazarus Group as perpetrators of the cyberattack. 

Meanwhile, in India, a man was arrested in relation to his involvement in the case, YourStory had exclusively reported. 

WazirX’s Co-founder and CEO Nischal Shetty is fighting many fires at once. “The early days of the cyberattack were really tough for us as a company,” Shetty tells YourStory. “We were attacked from everywhere for a variety of reasons but there have been people who’ve been helpful to us during the process.”

Shetty delves into the next steps WazirX is taking, educating their creditors on voting for the recovery scheme, and how the company managed to track down and freeze 3 million USDT worth of assets in January. 

Edited excerpts:

YourStory (YS): What are the latest developments at WazirX, and how are you preparing for the recovery scheme voting?

Nischal Shetty (NS): We’re now at an important stage in the recovery scheme, with the vote coming up soon. Right now, we're wrapping up the final legal requirements before moving forward.

One crucial step we just completed was allowing users to review their claims and raise disputes if needed. The next step—scheduled for March 5—lets people request to view others’ claims for legitimate reasons. Once that’s done, we’ll move to the voting phase.

If the majority votes in favour, we can restart the platform and resume trading.

YS: Regarding your meeting with creditors, could you provide any insights into why someone might choose to vote no?

NS: Most people we've spoken to understand that voting ‘yes’ is the fastest way to get access and offers higher returns. A ‘no’ vote, on the other hand, means a longer process, lower recoveries, and higher costs. We’ve shared detailed projections in our scheme so people can see the difference for themselves.

That said, some might vote no simply because they don’t fully understand the pros and cons. That’s exactly why we’re focused on being as clear and transparent as possible. With four million people eligible to participate in the vote—across different regions, languages, and preferences—we’re using every channel to get the message across. Whether it’s Twitter, videos, long-form content, FAQs, or direct support, we’re making sure people have the information they need to make an informed choice.

YS: In January, the company successfully froze the first tranche of stolen assets worth 3 million USDT. Are there any further developments on asset recovery?

NS: There’s nothing we can publicly share at the moment, but it’s an ongoing effort. The most likely way to recover funds is when they move—but they haven’t for a while. That said, our team is actively tracking and blocking whatever we can.

Beyond that, we’re also exploring legal options against entities that may have aided in laundering the funds. It’s a process, and it’ll take time, but we have dedicated teams working on it in parallel.

YS: Could you help us understand how you went about tracking the stolen assets and freezing them?

NS: There's a company called ZeroShadow—one of the most competent teams in the industry when it comes to handling cyberattacks, freezing stolen funds, and working with law enforcement.

We got connected with them early, probably within the first week, and started working with them right away. Speed is critical in cases like this—the first few weeks are when fund movement is most trackable. Once the money is laundered, recovery becomes much harder.

Engaging them early was key, and they’ve been incredibly helpful throughout this process. 

Also Read

WazirX freezes first tranche of stolen funds worth $3M USDT

YS: Last year, you mentioned that WazirX was working on developing a decentralised exchange. Has there been any progress on that front and have you earmarked any investments toward its development?

NS: It’s part of the restructuring proposal as well. But for now, our entire focus is on getting the platform back up and running—that’s the biggest challenge. Once we’re past that, we’ll move on to the next phase, which includes restructuring deliverables.

That said, this recent attack has sparked conversations about alternatives to centralised custody. Many users are now asking: What’s a safer way to hold assets? That’s where self-custody and a decentralised exchange come into play. We want to give people the option—if they don’t want to store assets on a centralized exchange, they should still have a way to trade securely.

Having said that, both centralised and decentralised exchanges have their own set of pros and cons. There have been a lot of people asking us about the steps we are taking to ensure security so they can continue using the centralised exchange because DEX can be too technical and may appear risky to some. 

But first, reopening. That’s priority number one. DEX will follow in step two.

YS: If and once the platform reopens, what new measures are you implementing to ensure that the funds stores are kept securely?

NS: The attack wasn’t on the WazirX platform itself—it targeted the custody provider that held the assets. Our servers weren’t compromised, and WazirX’s infrastructure wasn’t directly involved. The breach happened at the cold wallet level, where the majority of funds are typically stored.

Right now, we’re still navigating some challenges, including a lack of cooperation on certain fronts. But the key question is: How do we make sure this never happens again?

That’s where our focus is. We’ve taken a lot of learnings from this and are in the final stages of selecting a new custody provider—one that meets our improved security requirements. We’re almost at the finish line with this, and once it’s finalised, we’ll announce the details. 

YS: In September, your third-party custody provider, Liminal, issued a statement denying responsibility and also claimed that WazirX still holds over $175 million in assets on their infrastructure. Does that still hold true?

NS: After the attack, we didn’t want to immediately move the assets—it’s standard procedure. When something like this happens, you don’t know if there’s another exploit waiting. So, for a while, we deliberately didn’t touch the funds to minimise risk.

Eventually, we had to figure out the best alternative—where to move the assets and how to do it securely. And that process isn’t as simple as clicking a button. There were multiple assets involved, and after the incident, we took an extra cautious approach. We moved funds gradually, in smaller amounts, to ensure safety at every step.

It wasn’t about endorsing or continuing with the same platform—it was purely about minimising risk. And now, everything has been moved out.

YS: Are you concerned that once users recover their assets—no matter how long that takes—they might withdraw their funds from WazirX, leading to a decline in users over time?

NS:  Right now, the only thing on my mind is getting people access to their funds as quickly as possible. What they choose to do after that is entirely up to them.

Of course, some users will want to withdraw their assets—and they’re absolutely free to do so. At the same time, others will see this for what it is: a cyber attack in a rapidly evolving industry. These things happen, but what matters is how we respond and learn from them.

We’re bringing in stronger custody providers—ones with better security, licenses, and even insurance. The industry itself is shifting toward more robust custody solutions. So, in the end, it’ll come down to individual choices. Right now, though, our focus isn’t on user retention—it’s on reopening and making sure people can access their portfolios as soon as possible.

YS: Since the cyberattack, what has the support or the response from your competitors been like?

NS: The early days were really tough for us as a company. We were attacked from all sides for different reasons and we were at our lowest point. Even now, we’re still working our way back up.

But through it all, there have been people who’ve stepped up to help—especially behind the scenes. I won’t take names, but some folks went out of their way to connect us with the right people. When we talked about ZeroShadow, for instance, there were people who immediately helped us get in touch with them. Others shared their own experiences, guiding us on the best way forward.

Of course, it’s been a mixed bag. Some people will always try to take advantage when you’re down. But there are also those who genuinely want to help. That’s just how it is—there’s been good, bad, and ugly. No surprises.

Also Read

One’s loss, another’s gain: Indian crypto exchanges race to woo WazirX users as market shakes up

YS: When Bitcoin prices rose in the past few months, users on X criticised that WazirX was unable to let the users take advantage of the rally. How do you respond to this?

NS: With crypto, it is what it is. When the market goes up, people are frustrated because they can’t sell and take profits. When it goes down, they’re upset because they can’t buy more or they missed the chance to sell earlier. Either way, not having access to your portfolio is frustrating, and we completely understand that.

Whether prices are rising or falling, there will always be frustration when users feel stuck. That’s exactly why our main priority is reopening the platform as soon as possible. That’s the only real solution here—no one wants to be in this situation any longer than necessary.

YS: Could you also give some insight into the kind of regulatory conversations you are having within India post the attack?

NS: We’ve been staying in constant communication with the relevant agencies, keeping them updated on everything—from compliance matters to the theft incident. Anytime there’s new information or changes, we make sure they’re informed.

Even though the platform isn’t operational right now, we still have customers, and we continue to receive compliance queries and law enforcement requests. We’ve been actively responding to all of them, ensuring that every channel remains open and that we’re addressing concerns in a timely manner.

YS: Your plan mentions white knight collaborations in the recovery timeline. Can you share any updates on who these white knights are or the nature of your discussions with them?

NS: Though we cannot go into the specifics, it’s mostly exchanges because that’s the best fit right now. We’re in talks with a few, but these negotiations take time. Initially, we thought we’d finalise everything and then include it in the restructuring plan. But we quickly realised that users were pushing for one thing above all—reopening the platform as soon as possible, especially with the ongoing bull market.

That’s why we decided to run these discussions in parallel rather than making them a blocker to the restructuring. Talks are still ongoing, and as we’ve outlined in our plan, we’ll share updates when things materialise.

Realistically, though, everything hinges on the approval of the restructuring plan. If it’s passed, negotiations become much smoother, and we can bring real value from these partnerships. If it’s not, there’s not much for these potential white knights to step in and support.