Pelorus Technology and Crystal Intelligence help us understand how the theft of this scale was executed from wallets that are secured with multi-level authentication.
In what has been the biggest crypto theft in India so far, cryptocurrencies worth nearly ₹ 2,000 crore, or $230 million, were stolen from a wallet linked to the WazirX exchange last month. As thousands of people lost crores, WazirX reported the incident to the central cybercrime portal, Financial Intelligence Unit, and the Indian Computer Emergency Response Team. A police case was also registered in Delhi.
Pelorus Technology and Crystal Intelligence, digital forensics firms that help in probing major cyber and crypto irregularities, help us understand how the theft of this scale was executed from wallets that are secured with multi-level authentication.
Crystal Intelligence, a blockchain intelligence firm, uses a security tool to monitor crypto money trails on the blockchain in real-time.
In a statement, WazirX had provided the identity of the wallet that was compromised. When cyber investigators across the globe used the Crystal tool to examine the money trail, it showed about 200 transactions from the recipient’s wallets on July 18.
The probe also revealed the plan had been in the making since July 10.
“When we started investigating, we saw a parallel story. First, the wallet was compromised and from there, the thief transferred 230 million dollars to his wallet. This was in different cryptocurrencies. At the same time, when we saw its back trail, a transaction was seen funding that wallet from Tornado Cash for a few days. The dates show he (thief) had been preparing from July 10,” said Sanjeev Shahi, Country Manager, Crystal Intelligence.
Exchanges charge a fee called ‘gas fee’ for crypto transactions.
Experts suggest the cyber thief used a Tornado Cash wallet to deposit crypto worth about $1,080 in his wallet to pay for it. In doing so, he managed to keep his identity hidden; Tornado Cash acts like a hawala operator.
“Tornado Cash is a mixing service just like Hawala operators who transfer money, but it is not known who is behind it. It is a mixing service in the world of crypto,” explained Mr Shahi.
The routing process did not end here.
The same day the cryptocurrencies were stolen, they were converted into other cryptocurrencies and transferred in smaller amounts to multiple wallets linked to two different exchanges. As many as 2,000 transactions were made.
Between July 18 and 22, the biggest chunk – as much as 95% – was parked in three such wallets that do not appear to be linked to any exchange currently.
The accused, however, cannot use those funds.
“Today, even though the funds are on the blockchain, he cannot use them. To use them, he has to come to the real world and convert it into fiat. As soon as he comes to the real world, his identity will be revealed,” said Mr Shahi.
Fiat refers to a currency backed by a bank as legal tender, such as the dollar or the rupee.
“To convert it into rupees, he must go to the exchange and if the exchange remits the money to a bank, his identity will be revealed,” the official said.
Explaining the current status of their investigation, he pointed out that the accused has parked 61,000 Ethereum in three wallets (one Ethereum is valued at over ₹ 2 lakh as of August 10).
“There has been no movement in it for many days. We have kept it on the watchlist,” said Mr Shahi.
Pelorus Technologies, another digital forensics and surveillance firm, is also monitoring the three wallets. The company’s director Kaushal Bheda explained that while the identity of the accused is not known yet, the firm will be alerted if there is any movement in the funds.