ARTICLE
19 August 2024

WazirX's $230 Million Crypto Heist: How To Protect Your Investments And Seek Justice

  1. Introduction

On July 18, 2024, Zanmai Labs Private Limited, doing business under the brand name WazirX, experienced a major security breach that resulted in the theft of approximately $230 million worth of virtual digital assets1 (VDAs). This cyber-attack is now recognized as one of the largest VDA thefts in India's history2. The breach has reverberated through the crypto community, raising critical concerns about the security of digital assets and highlighting the urgent need for more robust safeguards in the rapidly growing VDA sector.

WazirX had garnered a substantial user base in India3. The exchange's popularity, however, did not shield it from the vulnerabilities that plague the digital world. The breach exposed the underlying risks associated with VDAs, which, while offering lucrative opportunities, also present attractive targets for cybercriminals. The aftermath of the hack was marred by controversy when WazirX proposed a loss-sharing plan, suggesting that the $230 million loss be distributed among its users4. This proposal, unprecedented in the Indian crypto space, drew sharp criticism from users and experts alike. The idea of customers bearing the brunt of a security lapse for which they were not responsible was deemed unacceptable and unfair.

In the aftermath of the WazirX hack, the blame game intensified, with both WazirX and Liminal, the wallet infrastructure provider, attempting to deflect responsibility. WazirX maintained that the root cause of the breach lay in the compromise of three devices on their end, leading to the exploitation of signatures in specific transaction sequences. They alleged that attackers gained access through these compromised devices and injected malicious payloads into seemingly legitimate transactions5.

Liminal countered by asserting that its infrastructure remained secure and unaffected, emphasizing that the compromised wallet was a self-custodial, multi-signature Gnosis Safe smart contract wallet deployed by WazirX before onboarding with Liminal. A wallet of this type executes a transaction only once a set threshold of its owners have signed that exact transaction, and in this case WazirX held three of the required keys while Liminal held only one. Because Liminal's single key could never reach the threshold on its own, its compromise alone would not have been sufficient to authorize the malicious transactions6.

The fact that WazirX held the majority of the keys and the alleged compromise of their devices raised questions about their internal security practices. It suggested that the attackers may have gained access to WazirX's systems, and obtained the necessary keys to initiate the fraudulent transactions. Liminal's possession of only one key meant that they were not in a position to prevent the hack on their own, further complicating the issue of liability.
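As an added illustration that is not part of the original article or of either company's published material, the Python below models a threshold wallet with the key split described above (three WazirX-held keys and one Liminal-held key, all four required) and shows why the distribution of keys matters and where the remaining risk sits: three compromised signers alone cannot reach the threshold, a genuine signature over one payload does not carry over to a substituted payload, but a fourth signer who signs a digest without recomputing it from the transaction it was shown will approve the substitution, whereas one that checks rejects it. The signer names, keys, transactions and the 4-of-4 threshold are constructed assumptions; HMAC-SHA256 stands in for the ECDSA signatures a real Safe verifies on-chain; and the scenarios illustrate the general failure mode, not a reconstruction of what happened at WazirX.

```python
import hashlib
import hmac
import json

# Hypothetical 4-of-4 policy: three WazirX-held keys plus Liminal's one, all
# required, matching the key split described in the text. Keys are constructed
# sample values; HMAC-SHA256 stands in for the ECDSA signatures a real Safe verifies.
SIGNER_KEYS = {
    "wazirx_1": b"constructed-key-1",
    "wazirx_2": b"constructed-key-2",
    "wazirx_3": b"constructed-key-3",
    "liminal": b"constructed-key-4",
}
THRESHOLD = 4

# Constructed sample transactions sharing a nonce: the payload the signers are
# shown, and the substituted payload an attacker actually wants executed.
LEGIT_TX = {"to": "0xhotwallet", "value": 1_000, "data": "0x", "nonce": 42}
MALICIOUS_TX = {"to": "0xattacker", "value": 10**9, "data": "0xdeadbeef", "nonce": 42}


def tx_digest(tx: dict) -> bytes:
    """Canonical digest of a transaction (a real Safe uses an EIP-712 struct hash)."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def sign_blind(key: bytes, digest: bytes) -> bytes:
    """Sign whatever digest is handed over, without checking what it commits to."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def sign_what_you_see(key: bytes, displayed_tx: dict, digest: bytes) -> bytes:
    """Recompute the digest from the displayed fields; refuse to sign on mismatch."""
    if not hmac.compare_digest(tx_digest(displayed_tx), digest):
        raise ValueError("digest does not match the displayed transaction")
    return sign_blind(key, digest)


def count_valid_signatures(tx: dict, signatures: dict) -> int:
    """Count distinct owners whose signature verifies over this exact transaction."""
    digest = tx_digest(tx)
    return sum(
        1
        for name, sig in signatures.items()
        if name in SIGNER_KEYS
        and hmac.compare_digest(sign_blind(SIGNER_KEYS[name], digest), sig)
    )


def execute(tx: dict, signatures: dict) -> bool:
    """The wallet's check: execute only if THRESHOLD owners signed this digest."""
    return count_valid_signatures(tx, signatures) >= THRESHOLD


def _wazirx_signatures(tx: dict) -> dict:
    """Signatures from the three compromised WazirX signers over tx."""
    d = tx_digest(tx)
    return {n: sign_blind(SIGNER_KEYS[n], d) for n in ("wazirx_1", "wazirx_2", "wazirx_3")}


def scenario_only_wazirx_keys_compromised() -> bool:
    """Three compromised signers alone fall short of the threshold."""
    return execute(MALICIOUS_TX, _wazirx_signatures(MALICIOUS_TX))


def scenario_replay_legit_signature() -> bool:
    """A genuine signature over LEGIT_TX does not verify over MALICIOUS_TX, so a
    payload cannot be swapped after signing; the swap has to happen before."""
    sigs = _wazirx_signatures(MALICIOUS_TX)
    sigs["liminal"] = sign_blind(SIGNER_KEYS["liminal"], tx_digest(LEGIT_TX))
    return execute(MALICIOUS_TX, sigs)


def scenario_fourth_signer_signs_blind() -> bool:
    """The fourth signer is shown LEGIT_TX but signs the substituted digest unchecked."""
    sigs = _wazirx_signatures(MALICIOUS_TX)
    sigs["liminal"] = sign_blind(SIGNER_KEYS["liminal"], tx_digest(MALICIOUS_TX))
    return execute(MALICIOUS_TX, sigs)


def scenario_fourth_signer_checks_display() -> str:
    """Same substitution, but the fourth signer recomputes the digest from what it sees."""
    try:
        sign_what_you_see(SIGNER_KEYS["liminal"], LEGIT_TX, tx_digest(MALICIOUS_TX))
    except ValueError:
        return "rejected"
    return "signed"


if __name__ == "__main__":
    print("three compromised keys alone, executes:", scenario_only_wazirx_keys_compromised())  # False
    print("replayed legit signature, executes:", scenario_replay_legit_signature())           # False
    print("fourth signer signs blind, executes:", scenario_fourth_signer_signs_blind())        # True
    print("fourth signer checks display:", scenario_fourth_signer_checks_display())           # rejected
```

The point for a practitioner is that a threshold policy only protects the last honest signer if that signer verifies the digest against the transaction it intends to approve; a signing device or workflow that hands over a digest computed elsewhere turns the extra key into a formality.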

The WazirX hack has left users reeling, but amidst the chaos, the question remains: Is there any hope for these victims to recover their lost assets? The answer lies in the legal recourse available to them. While the road to restitution may be long and challenging, let's delve into the various legal options that WazirX users may consider.

  2. Timeline at a glance

July 18, 2024:

  • WazirX suffers a major security breach, losing $230 million in digital assets.
  • Cyvers, a Web3 security firm, detects suspicious transactions involving WazirX's Safe multisig wallet on Ethereum7.
  • WazirX acknowledges the security incident and halts all asset withdrawals from the platform.

July 19, 2024:

  • WazirX files a police complaint and reports the incident to the Financial Intelligence Unit (FIU) u/s 12 of the Prevention of Money Laundering Act, 2002 ("PMLA") and to the Indian Computer Emergency Response Team (CERT-In) u/s 70-B of the Information Technology Act, 2000 (IT Act).8
  • The exchange reaches out to over 500 exchanges to block identified addresses.9
  • WazirX's investigation suggests the breach originated from a discrepancy in Liminal's interface, allowing unauthorized transactions. In response, Liminal publishes a blog post refuting WazirX's claims about the hack and explaining its perspective.10

July 29, 2024:

  • WazirX announces a controversial plan to distribute the $230 million loss among its customers.

August 3, 2024:

  • WazirX concludes a poll, with users overwhelmingly voting against the loss-sharing proposal. Moneycontrol reports that the exchange has dropped the plan to socialise losses after the backlash11.

August 5, 2024:

  • A company petition is filed before the Hon'ble National Company Law Tribunal, Indore, invoking Section 213(b) and Section 221 of the Companies Act, 2013. Section 213(b) allows any person to seek an investigation into a company's affairs if there are reasons to believe in mismanagement, malpractice, or fraudulent activities.

August 6, 2024:

  • WazirX states that, on the basis of its police complaint dated July 19, 2024 in connection with the $230 million cyberattack, a First Information Report (FIR) has been registered at PS Special Cell, Lodhi Colony, New Delhi.

August 8, 2024:

  • WazirX declares that it is restoring account balances and reversing trades made after 1 PM IST on July 18, 2024 because of the cyberattack.12

Ongoing:

  • Investigation into the hack continues.
  • WazirX is yet to announce a revised plan to compensate its users.

  3. Possible Recourse Available to Customers

Consumers seeking compensation or recovery of their assets or tokens held by WazirX after a security breach have three possible legal recourses. They may file a complaint under the IT Act, for violations related to the protection of data. Additionally, pursuing a civil suit is another option. Consumers may also approach the Consumer Disputes Redressal Commission (CDRC) under the Consumer Protection Act, 2019. While there are criminal and constitutional provisions which can be invoked, this article discusses and provides a framework for seeking recovery of lost assets and/or compensation/ damages for the losses suffered.

A. Consumer Protection Act, 2019: A Shield for Consumers

The Consumer Protection Act, 2019 (CPA), a comprehensive legal framework safeguarding consumer rights in India, offers a significant recourse for WazirX users affected by the security breach. Specifically, Section 2(7) defines a "consumer" as any person who buys any goods or avails services for a consideration. As WazirX users paid fees for the exchange's services and entrusted their digital assets to the WazirX platform, they clearly fall under the purview of "consumers" as per Section 2(7) of the CPA13. The term "consumer rights" as defined under section 2 (9) of the CPA includes the right to be protected against hazardous marketing practices, the right to be heard and to be assured that consumer's interests will receive due consideration at appropriate fora; and the right to seek redressal against unfair trade practice or restrictive trade practices or unscrupulous exploitation of consumers.

In the context of the WazirX hack, the platform's alleged failure to maintain adequate security measures may be construed as a "deficiency" in service as defined in Section 2(11) of the CPA.14 Furthermore, the resulting loss of user funds may be interpreted as an "unfair trade practice" under Section 2(47), as it is claimed to have caused significant financial loss to consumers, as may the proposed scheme to "socialise" the losses, which WazirX has allegedly since dropped.15 Under Section 85 of the CPA,16 WazirX may be held liable under product liability, as the security breach resulted in the loss of a "product",17 i.e., the VDAs held by users. This provision allows consumers to seek compensation for the loss or damage suffered due to the deficient service.

Section 2(42) defines "service" as service of any description which is made available to potential users and includes the provision of facilities in connection with banking, financing, insurance, transport, processing, supply of electrical or other energy, boarding or lodging or both, entertainment, amusement or the purveying of news or other information, but does not include the rendering of any service free of charge or under a contract of personal service. WazirX's services as a VDA exchange clearly fall within the purview of "service" as defined under the CPA.

Empowered by Chapter IV of the CPA, affected users may file complaints with the Consumer Disputes Redressal Commission (CDRC) having territorial and pecuniary jurisdiction. These complaints may detail the events leading to the hack, the losses incurred, and the relief sought, such as compensation for the lost funds and damages for the mental agony caused by the incident. The CDRC, after examining the evidence and hearing both sides, may issue an order directing WazirX to compensate the affected users. Additionally, considering the large number of affected users, consumers may jointly approach the National Consumer Disputes Redressal Commission (NCDRC) if the claim amount satisfies the pecuniary jurisdiction of the NCDRC.

B. Information Technology Act, 2000: Your Digital Shield

The Information Technology Act, 2000 serves as a digital shield for consumers in India, providing a robust legal framework to address cybercrimes and protect their rights in the digital world. In the context of the WazirX hack, the IT Act offers affected users various avenues for legal recourse.

Firstly, Section 43 of the IT Act deals with penalties and compensation for damage to computer systems18. If investigations reveal that WazirX was negligent in maintaining adequate security measures, leading to the breach and subsequent loss of user funds, the exchange may be held liable under this provision. Affected users may seek compensation for their financial losses through legal channels.

Secondly, Section 43A addresses compensation for failure to protect sensitive personal data or information.19 Given the potential compromise of user data20 during the hack, WazirX may be liable for additional compensation under this section if it is found not to have implemented reasonable security practices to safeguard user information. Since Section 2(47A) of the Income Tax Act, 1961 defines a VDA as any information or code or number or token (not being Indian currency or foreign currency) generated through cryptographic means or otherwise, WazirX was obligated to protect such information with best industry practices. Additionally, if any WazirX employees or third-party vendors were involved in the breach, they may be penalized under Section 72A, which addresses punishment for disclosure of information in breach of a lawful contract.21

While the IT Act offers a comprehensive framework for addressing cybercrimes, its effectiveness in the context of VDA exchanges like WazirX may be somewhat limited due to the unique nature of VDA and the complexities of blockchain technology. Tracing and recovering stolen VDA may be challenging due to their pseudonymous nature and the decentralized structure of blockchain/VDAs networks.

C. Seeking recovery and compensation through Civil and Commercial Courts

A civil suit is a legal action initiated by a creditor (in this case, the WazirX users) against a debtor (WazirX) to recover a debt or financial loss, instituted under Order IV of the Civil Procedure Code, 1908. It is filed before a competent court of law and aims to hold the debtor accountable for its actions or negligence and to compensate the creditor for the damages suffered. In the WazirX scenario, a recovery suit would seek to establish WazirX's liability for the security breach and compel it to reimburse users for their lost digital assets. Further, proceedings may be initiated before a Commercial Court under the Commercial Courts Act, 2015 if the claim meets the specified value22 under Section 12 of that Act.

Legal Provisions Underpinning Civil Suits:

a) Under the Civil Procedure Code, 1908 (CPC): Section 26 of the CPC (Institution of suits) provides the structural framework for a WazirX user to recover losses caused by the hack by instituting a suit for recovery of the lost VDAs and/or damages. The plaint filed before the competent court should include details of the security breach and the resulting financial losses, the specific legal grounds for the claim (breach of contract, negligence, etc.), and the precise compensation or relief sought. Order VII (Plaint) of the CPC outlines the essential components of a plaint, the document initiating a civil suit; in the WazirX context, the plaint would detail the facts of the security breach, the losses incurred by the user, and the legal grounds on which the claim is based. Order VI (Pleadings) governs the rules and procedures relating to pleadings in a civil suit, including the contents of the plaint, written statements, and other documents filed by the parties. Order XVIII (Hearing of the Suit and Examination of Witnesses) provides the procedural framework for conducting the suit, including the presentation of evidence, examination of witnesses, and arguments. Additionally, Order I Rule 8 of the CPC23 allows representative (class-action) suits: a group of affected WazirX users who have suffered a common injury from the security breach may collectively file a lawsuit against the exchange and seek the same relief.

b) Under the Specific Relief Act, 1963: Section 7 deals with the recovery of specific movable property through civil suits.24 In the WazirX case, affected users may argue that their stolen VDAs are specific movable property and seek recovery by demonstrating their right to possession and the wrongful withholding of their assets; this is of particular relevance to holders of non-ERC-20 VDAs. Section 8 of the Specific Relief Act, 1963 deals with the liability of a possessor to deliver property to the rightful owner and compels a person who possesses movable property (but is not its owner) to deliver it to the person entitled to it.25 Since WazirX held users' VDAs on their behalf as a trustee or agent, users may claim that WazirX should return the assets themselves, as compensation in money would not afford adequate relief for the loss of the VDAs claimed. This would be especially helpful to non-ERC-20 VDA holders, as the court presumes that compensation in money would not afford adequate relief for the loss of the thing claimed, so that WazirX would be required to return the exact VDAs held by such user(s).

4. WazirX Hack: Legal Recourse for Customers Amidst Mandatory Arbitration

In the aftermath of the WazirX hack, a significant point of contention emerged regarding the mandatory arbitration clause (clause 14.1, under the dispute resolution heading) in WazirX's terms of service. This clause requires users to resolve any disputes arising from their use of WazirX's services through arbitration rather than traditional court litigation, and specifically stipulates that arbitration must be conducted under the rules of the Singapore International Arbitration Centre (SIAC). This has raised concerns among affected users, as arbitration can often be a costlier process than court litigation. The mandatory arbitration clause applies to both Binance and WazirX. There are, however, exceptions for certain claims that fall under the jurisdiction of the Small Claims Tribunals of Singapore (SCT), or where a party seeks injunctive or other urgent equitable relief.26

In the context of the WazirX hack, the mandatory arbitration clause in WazirX's terms and conditions has raised concerns about access to justice for affected users. Many users may lack the resources to pursue arbitration through the SIAC, effectively limiting their ability to seek redress for their losses. Additionally, the requirement that arbitration be conducted in Singapore, a foreign jurisdiction for most WazirX users, may further discourage them from pursuing their claims.

5. Conclusion

The WazirX hack of July 2024, resulting in the loss of $230 million in VDAs, has exposed critical vulnerabilities in the Indian digital asset landscape. While affected users grapple with the aftermath, the incident has also raised broader questions about legal recourse, arbitration clauses, and the overall security of digital assets.

One of the major issues arising from the hack is the limited information available to the public. While both WazirX and Liminal have released statements and reports detailing their findings, the absence of definitive findings from an independent investigation leaves many questions unanswered. This lack of transparency hinders users' ability to understand fully the circumstances surrounding the hack and to assess the potential for recovering their losses.

Another contentious issue is the mandatory arbitration clause in WazirX's terms of service. This clause compels users to resolve disputes through arbitration in Singapore rather than court litigation, potentially limiting their options and access to justice. While specific case precedents involving SIAC arbitration and its implications for WazirX users may be limited, the general concern remains that a mandatory arbitration clause before the SIAC may restrict consumers' rights and remedies. They may face limitations on their ability to join class-action lawsuits, seek punitive damages, or have their case heard in a competent court. These restrictions may make it harder for WazirX users to recover their losses. The mandatory arbitration clause may also affect proceedings initiated before the CDRC or the Civil/Commercial Courts.

WazirX's terms of service further includes limitation of liability clauses. According to the terms of services, WazirX and its affiliates will not be liable for any incidental, indirect, special, punitive, or consequential damages, including loss of data, revenue, or profits.27 Their total liability is capped at the amount of fees paid by the user in the twelve months preceding the event giving rise to the claim, except in cases of gross negligence, fraud, or intentional violations of law.

Furthermore, the applicability of the force majeure clause in WazirX's terms of service is another point of conflict. This clause typically exempts a party from liability for non-performance of their obligations due to unforeseen events beyond their control. However, whether a cyberattack like the WazirX hack constitutes a force majeure event is debatable, especially when there is no third party investigation report stating that the cyberattack was not preventable or beyond the control of WazirX. If WazirX is unable to prove that the cyberattack was beyond their control as per the force majeure clause, it may be held liable for its alleged negligence in maintaining adequate security measures.

The issue of insurance coverage for digital assets is also crucial in this scenario. While some cryptocurrency exchanges like Coinbase and Gemini proactively provide insurance policies to protect against cyberattacks and other risks, WazirX seems to have fallen short in this regard. It is unclear whether WazirX had any similar insurance coverage in place at the time of the hack, raising serious concerns about the potential for user compensation. This lack of preparedness stands in stark contrast to industry leaders like Coinbase,28 which offers a crime insurance policy covering losses due to theft, hacking, or employee theft, and Gemini,29 which boasts a comprehensive insurance policy encompassing both hot wallet and cold storage assets.

While the journey to recovering compensation, damages, return of VDAs, or any other monetary relief from WazirX may be fraught with challenges, it is by no means an impossible task. Affected users still have the option to approach the competent courts to seek justice for the losses they have suffered. Though the legal battle may be demanding, it is a necessary step toward achieving a resolution that best serves the interests of consumers who have been wronged through no fault of their own. In the pursuit of justice, every effort should be made to ensure that those responsible are held accountable and that users are compensated for their losses. This is not just a fight for restitution, but also for upholding the principles of fairness and trust in the rapidly evolving digital asset landscape.

Footnotes

1 Income Tax Act, 1961, Section 2 (47A) - "virtual digital asset" means—

(a) any information or code or number or token (not being Indian currency or foreign currency), generated through cryptographic means or otherwise, by whatever name called, providing a digital representation of value exchanged with or without consideration, with the promise or representation of having inherent value, or functions as a store of value or a unit of account including its use in any financial transaction or investment, but not limited to investment scheme; and can be transferred, stored or traded electronically;

(b) a non-fungible token or any other token of similar nature, by whatever name called;

(c) any other digital asset, as the Central Government may, by notification in the Official Gazette specify: Provided that the Central Government may, by notification in the Official Gazette, exclude any digital asset from the definition of virtual digital asset subject to such conditions as may be specified therein.

Explanation.—For the purposes of this clause,—

(a) "non-fungible token" means such digital asset as the Central Government may, by notification in the Official Gazette, specify;

(b) the expressions "currency", "foreign currency" and "Indian currency" shall have the same meanings as respectively assigned to them in clauses (h), (m) and (q) of section 2 of the Foreign Exchange Management Act, 1999 (42 of 1999);

2 WazirX Content Team, Preliminary Report: Cyber Attack on WazirX Multisig Wallet, WazirX Blog (180724), https://wazirx.com/blog/preliminary-report-cyber-attack-on-wazirx-multisig-wallet/, last accessed (040824).

3 WazirX, About WazirX, WazirX Blog, https://wazirx.com/blog/about/ , last accessed (040824).

4 The WazirX Content Team, Important Update: Managing Your Funds After the Cyberattack, WazirX Blog (270724), https://wazirx.com/blog/managing-your-funds-after-the-cyber-attack/ , last accessed (040824).

5 WazirX Content Team, WazirX Cyber Attack: Key Insights and Learnings, WazirX Blog (250724), https://wazirx.com/blog/wazirx-cyber-attack-key-insights-and-learnings/ , last accessed (060824).

6 Update on WazirX Incident, Liminal Blog (190724), https://www.liminalcustody.com/blog/update-on-wazirx-incident/ , last accessed (050824).

7 Cyvers, Press and Media, https://cyvers.ai/press-and-media (last accessed 050824)

8 WazirX Content Team, Important Update: Cyber Attack Incident and Measures to Protect Your Assets, WazirX Blog (180724), https://wazirx.com/blog/preliminary-report-cyber-attack-on-wazirx-multisig-wallet/, last accessed (040824)

9 ibid

10 Supra at 6

11 Debangana Ghosh, WazirX Hack: Crypto Exchange Drops Plan to Socialise Losses After Backlash, Moneycontrol (03082024), https://www.moneycontrol.com/technology/wazirx-hack-crypto-exchange-drops-plan-to-socialise-losses-after-backlash-article-12786150.html#google_vignette (last accessed 050824).

12 WazirX Content Team, Announcement, WazirX Blog (080824), https://wazirx.com/blog/wazirx-cyber-attack-key-insights-and-learnings/ , last accessed (080824).

13 Consumer Protection Act, 2019, Section 2(7), (Definition of consumer).

14 Consumer Protection Act, 2019, Sec 2(11), (Definition of Deficiency).

15 Consumer Protection Act, 2019, Sec 2(47) ("'Unfair trade practice' means a trade practice which, for the purpose of promoting the sale, use or supply of any goods or for the provision of any service, adopts any unfair method or unfair or deceptive practice").

16 Consumer Protection Act, 2019, Sec 85. (Product Supplier liability)

17 Consumer Protection Act, 2019, Sec 2(33) "product" means any article or goods or substance or raw material or any extended cycle of such product, which may be in gaseous, liquid, or solid state possessing intrinsic value which is capable of delivery either as wholly assembled or as a component part and is produced for introduction to trade or commerce, but does not include human tissues, blood, blood products and organs;

18 Information Technology Act, 2000 Sec 43, (Penalty and Compensation for Damage to Computer, Computer System, etc.).

19 Information Technology Act, No. 21 of 2000, Sec 43A, (pertains to the compensation for failure to protect data.)

20 "data" includes personal user information and VDA-related data like holdings, transaction history, wallet addresses, and private keys.

21 Information Technology Act, 2000 Sec 72A, (Punishment for Disclosure of Information in Breach of Lawful Contract).

22 Commercial Courts Act, 2015, Section 2(1)(i): "Specified Value", in relation to a commercial dispute, shall mean the value of the subject matter in respect of a suit as determined in accordance with section 12, which shall not be less than three lakh rupees or such higher value as may be notified by the Central Government.

23 This rule allows one person to sue or defend on behalf of all others with the same interest in the case.

24 Specific Relief Act, 1963, Sec 7: "Recovery of specific movable property."

25 Specific Relief Act, 1963, Sec 8: "Liability of person in possession, not as owner, to deliver to persons entitled to immediate possession."

26 WazirX User Agreement (Version 1.04, Last Revised on (010823), https://s3.ap-south-1.amazonaws.com/wrx-assets/WazirXUserAgreement.pdf?v1 (last accessed 060824).

27 Ibid.

28 Coinbase, Insurance Policy, https://www.coinbase.com/legal/insurance (last accessed 090824).

29 Gemini, Wallet, https://www.gemini.com/wallet (last accessed 090824).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
