Victims of the $233-million WazirX hack are preparing to sue the cryptocurrency exchange for damages in the national consumer forum after the firm’s Singapore-based parent won a four-month moratorium against legal proceedings in the city-state.
Two petitions have already been filed against the exchange at the Delhi high court—one by CoinSwitch co-founder Ashish Singhal on 28 August alleging security lapses on the part of WazirX, and another by investor Jaivir Bains on 18 October seeking an investigation into the hack.
WazirX, among India’s largest cryptocurrency exchanges, reported a $233-million hack on 18 July that saw all of its Ether tokens stolen, leaving about 4 million of its users stranded.
The new suit is expected to be filed with the National Consumer Disputes Redressal Commission (NCDRC), according to a group of victims and lawyers Mint spoke with.
“We are filing a class-action lawsuit with the national consumer forum under the rationale that the agreement between the exchange’s users and WazirX was with Zanmai Labs Pvt. Ltd—which is based in India,” said Supreme Court lawyer Aman Rehaan Khan, who is appearing for the class-action lawsuit at the NCDRC.
“It cannot, therefore, be justifiable in law that WazirX went and filed for a legal resolution and restructuring of its assets in Singapore through Zettai Pte Ltd (WazirX’s parent firm).”
Also read | Why WazirX will find it hard to recover stolen cryptos
Zanmai Labs is WazirX’s India holding arm for all cash deposits. On the other hand, Singapore-headquartered Zettai is WazirX’s crypto token-holding entity that holds all cryptocurrency assets of the exchange.
The class action, expected to be filed by mid-November, currently has 30 victims seeking the recovery of crypto assets worth over ₹5 crore ($600,000).
Khan expects more victims to join in by the time the suit is filed.
“Zettai was never a party to the user agreement. Further, we’re looking for a restoration of the entire cryptocurrency balance for withdrawal, and not 55%,” Khan added. “For cash balances, too, WazirX did not inform users prior to the incident that a legal entity was freezing one-third of it. This is another breach of user trust, and we’re seeking damages, penalties and recovery worth over ₹5 crore in this conflict.”
WazirX had said in September that it would allow its customers to withdraw 55% of their cryptocurrency token holdings and 66% of cash deposit holdings.
Meanwhile, the Delhi high court on 18 October issued notices to the Enforcement Directorate and Financial Intelligence Unit to investigate WazirX’s management in the case filed by Bains.
WazirX did not immediately respond to Mint’s queries, stating that it was in the process of its legal team vetting the company’s stance. Representatives for Liminal Custody, WazirX’s wallet provider, could not be reached for comment. Mandiant Inc., the hack’s security auditor, declined to comment on the story.
Who bears the responsibility?
Unhappy with WazirX’s handling of the incident, users allege that the exchange is trying to “distance itself from recovering the stolen funds and look for a way to wash its hands off its liability”.
The legal actions seek to pressure WazirX to offer users a clear roadmap for withdrawing their cryptocurrency holdings and allowing full withdrawal of cash holdings.
“As one of the largest investors in WazirX, we feel that the exchange’s post-hack communications have not exactly been helpful. This is one of the reasons why we’re pursuing legal solutions against the company in both India and Singapore,” said Singhal of CoinSwitch.
The co-founder of the cryptocurrency exchange aggregator said on 28 August that 2% of CoinSwitch’s cryptocurrency holdings, amounting to $9.6 million, were invested through WazirX. Singhal added that assets worth over $70 million were mishandled by WazirX.
Also read |The $230-million WazirX hack: regulatory gap leaves 4 million Indians stranded
A Telegram group, ‘Justice for WazirX Users’, has more than 2,000 members, some of whom claim to have faced losses of over ₹1 crore ($130,000).
A separate group of 11 other users, on condition of anonymity, said they were waiting until the moratorium expired to pursue legal solutions against the exchange in Singapore as well.
Speaking with Mint, a senior WazirX executive, requesting anonymity, said that the moratorium the exchange applied for was essential for it “to identify the right way forward and give users a structured solution to return their investments”.
“We are also against opening up partial cryptocurrency withdrawals since most investor portfolios hold a mix of tokens. This means that it would be difficult to gauge how much user holdings we can allow in terms of withdrawals,” the executive said.
This person added that while an investor holding only Bitcoin may feel it’s unfair since they do not hold any Ether, any user whose funds were stolen due to the wallet hack would feel short-changed with a lopsided withdrawal policy.
The executive also insisted that the responsibility to refund users may also lie with Binance Holdings Ltd, claiming that the latter took over Zettai in 2020. However, Binance has categorically denied this.
On 17 September, Binance said: “We urge the WazirX team under Zanmai/Zettai to be accountable to WazirX users and compensate them for the funds that have been lost under their management. Their responsibility to WazirX users is unrelated to their dispute with Binance… their attempts to shift responsibility is a disappointing deflection tactic.”
Also read | Stage set for return of Binance, Kucoin to India
Questions over WazirX’s security measures
The hack also raises questions on whether WazirX had taken ample steps to secure its holdings and funds, said Vikram Subburaj, co-founder of homegrown rival Giottus.
“WazirX’s hack happened on a single custody wallet, which held its entire Ethereum ERC-20 token holdings. This was also a hot wallet, which means that it was connected to the exchange’s live servers. This is an erroneous strategy since typically, at any given point, a safe practice is to keep 90% of any asset holdings in ‘cold’ wallets that are safe from online breaches,” he said.
Siddharth Sogani, chief executive of cryptocurrency research firm Crebaco, concurred, saying that questions needed to be raised on whether WazirX’s efforts to keep funds secure were enough.
“WazirX first tried to put the blame on wallet infrastructure provider Liminal, which then tried to blame WazirX back. There is a complete lack of transparency, and so-called ‘resolutions’ that WazirX has pursued are not conducive to user interest at all,” he said.
Also read | The $230 million WazirX hack: How safe are your cryptocurrencies?
At WazirX’s 2 September town hall, chief executive Nischal Shetty showed that the exchange had $284 million in cryptocurrency token assets, while net user assets liabilities for the platform amounted to $546 million for 4.3 million users.
On 24 October, WazirX published a proof of reserves document, claiming that its crypto holdings are now worth $298 million.
“At a recent town hall, the exchange’s officials said one-third of users’ cash holdings are being held back because of various legal proceedings. This not only suggests that WazirX is using its customers’ funds to fight its own battles, but it is also doing so while not letting users withdraw their own money in full,” said a senior industry executive, who requested anonymity, citing legal proceedings against the exchange.
The executive added that there is complete ambiguity on a fundamental question: When would customers be able to get a majority of their money out of the exchange? “None of this is helping user faith for WazirX, as well as the crypto industry in general.”
According to a second executive and four users who requested anonymity because they are all pursuing legal actions against WazirX, the communication has been full of “heavy jargons, with a pretext of we-care-for-you approach that WazirX has been peddling since the breach. We’ve seen little action towards the actual recovery of funds”.
Giottus’ Subburaj added that the cybersecurity audit that WazirX pursued “was in reference to seeing if there was any malware in its systems”, which does not quite address anything else about the hack.
Meanwhile, the hack has emboldened the voices seeking cryptocurrency regulation in the country.
“Without regulations, there are only secondary legislations, such as consumer courts, that a user can pursue, and that is not effective since consumer lawsuit regulations take years of time and lots of money,” said Uttkarsh Bhatnagar, partner at law firm Cyril Amarchand Mangaldas. “With dedicated regulations, users will have a clear method they can pursue in case of a breach. Without such laws, consumer peril is unavoidable.”
Also read | Who is Bitcoin’s creator Satoshi Nakamoto? It’s not irrelevant.
