Business Standard

WazirX major security breach: Calls for legal recourse grow louder

Legal experts tracking the sector believe that users who have lost their funds can look at the country's consumer protection laws as one recourse

Indian crypto exchange WazirX registers $36 bn of trading in a year

Ajinkya Kawale Mumbai
Calls for stronger regulations and legal recourse for users to get back their funds have intensified after India’s leading cryptocurrency exchange WazirX suffered a data security breach, leading to theft of digital assets worth $230 million.
Last week, the crypto exchange confirmed the security breach on its platform which led to a theft of about 50 per cent of its total assets. While WazirX has called it a ‘force majeure event’ beyond its control, the company has said it is trying to locate and recover the lost funds. 
 
Recovering the amount from a sophisticated cyber attack on its platform may not be an easy feat, crypto executives and those close to the development have said.
 
 
“Recovering stolen crypto is hard as a lot of them are converted to other tokens, and since crypto is dealt with internationally, it can go to any exchange in any country. The silver lining is that transactions can be tracked and in a few past cases it has been recovered too,” said Ashish Singhal, co-founder, CoinSwitch; a crypto exchange platform.
 
He noted that recovery of funds following a cyber attack of this scale was a tedious process as the stolen quantum can remain in a wallet for many years at a stretch.
 
In the backdrop of a lack of regulatory environment for crypto in India, it becomes a challenge to terminate transactions that involve stolen tokens. “Although it is trackable, you still cannot stop its usage everywhere. That becomes the real problem as there will always be a decentralised platform where these tokens can be converted from one to another, or one wallet to another one,” said Edul Patel, CEO, Mudrex, a crypto platform.
 
Legal experts tracking the sector believe that users who have lost their funds can look at the country’s consumer protection laws for recourse. 
 
“In terms of consumers, there is no specific law which you can go to and refer to in this instant cyberattack. But in any case, consumer laws would be applicable if there is any negligence found on the part of WazirX, claiming that there was a deficiency in their services, further depending on the remedies sought by the customers relief under the Information Technology Act, 2002 or Arbitration and Conciliation Act, 1996” said Navodaya Singh Rajpurohit, Legal Partner, Coinque Consulting and founder, Pravadati Legal.
 
On Sunday, WazirX announced a bounty programme to track and freeze the stolen amount. The company has promised that it will reward those assisting in recovery with a bounty pegged at 5 per cent of the recovered amount as part of the programme.
"In response to the cyber attack, we have filed an online police complaint and are processing a physical complaint. We have reported the incident to the Financial Intelligence Unit (FIU) and CERT-In. We are reaching out to over 500 exchanges to block the identified addresses," WazirX said in a statement.  
 
Meanwhile, with the Union Budget around the corner, calls for better regulatory clarity for the sector have grown stronger. “What should now come out of this is that there should be conversations around active regulations, making self-custody a real possibility for people, allowing decentralised exchanges to conduct transactions, which is one of the ways to secure a user’s money,” Patel from Mudrex said.
 
Home-grown cryptocurrency firms had earlier suggested that regulating the sector may necessitate the involvement of multiple agencies, given the approaching deadline to develop a unified framework, Business Standard reported this month. Industry participants said that creating comprehensive legislation through a single regulator could be complex and time-intensive ahead of the 2025 timeline.
 
“This incident could potentially prompt regulatory changes in India. To date, no regulatory body has taken the initiative to regulate crypto in the country. While the Financial Intelligence Unit (FIU) exists, its primary mandate is the prevention of money laundering, not addressing cyber attacks, which may limit its jurisdiction in this matter, unless it is found in the investigation that the money has been laundered through this cyberattack,” legal expert Rajpurohit said.


The $230 mn heist

WazirX suffers security breach on its platform leading to a theft of about 50 per cent of its total assets
The crypto exchange announces bounty programme to track, trace and recover funds
Experts feel it is difficult to claw back lost funds as txns are complex

Don't miss the most important news and views of the day. Get them on our Telegram channel

First Published: Jul 21 2024 | 5:59 PM IST

Explore News