NEW DELHI: WazirX, one of India’s leading crypto currency platforms, has filed an affidavit in the Singapore High Court seeking a moratorium that would stop or slow down proceedings against it and provide legal protection. The platform claims to have lost $230 million, or Rs 19.12 billion, of its investors’ funds to a cyber attack on 19 July, which it has claimed was 45% of the total value of the digital assets that it was holding.
This has raised concerns among its India users—whose deposits are already locked and cannot be completely withdrawn—who are taking to various social media platforms to allege that the three promoters of the company are trying to escape legal proceedings in India by forum shopping in Singapore. Many have shared their bank account statements online to show their financial situation while requesting the platform to let them withdraw from their crypto account.
However, WazirX in its response to The Sunday Guardian (below) has stated that it has filed the application in Singapore because the parent company is listed there.
WazirX has stated that more than 43 lakh Indian users had invested in crypto currencies through WazirX.
Zanmai Labs Private Limited, registered in India on 21 December 2017, is the Indian company which manages the WazirX crypto currency exchange in India. Its parent company, Zettai Private Limited, is registered in Singapore.
As per official records, Zettai was incorporated on 7 January 2019 with a paid-up capital of $3,228. The company has three shareholders and its virtual office is at BS Bendemeer Centre, a 7-storey building in Singapore.
In its affidavit filed in Singapore, Nischal Shetty, director, founder and one of the three shareholders of Zettai, has sought that, for a period of six months from the date of the application or until further order: no resolution shall be passed for a winding up of the applicant; no proceeding, whether before a court, arbitral tribunal or administrative agency, and whether current, pending or threatened against Zettai, shall be commenced or continued against Zettai, except with the leave of the Court and subject to such terms as the Court imposes; no execution, distress or other legal process may be commenced, continued or levied against any property of the Applicant, except with the leave of the Court and subject to such terms as the Court imposes; and the Moratorium Order shall apply to any person in Singapore or within the jurisdiction of this Court, whether the act takes place in Singapore or elsewhere.
As per the documents, Zettai has two directors, Shetty and Paripooranam d/o V Chettiar, who is Zettai’s local resident director.
Zanmai India’s directors are Sameer Hanuman Mhatre, Tushar Patel, Muthuswamy Iyer and Shetty. Except for Muthuswamy, the other three are the sole shareholders of Zettai.
IMPRESSION OF AN INDIAN ENTITY
Interestingly, on 20 March last year WazirX had stated that it had started reporting transactions to India’s Financial Intelligence Unit (FIU) as early as August 2022, even though there were no laid-down requirements for the same.
In March 2023, virtual asset service providers like WazirX were brought under the ambit of the Prevention of Money Laundering Act 2002 (PMLA), after the Ministry of Finance (MOF) released a gazette notification that brought virtual asset businesses and service providers under the purview of the PMLA.
As per the gazette by the Ministry of Finance and the statement by WazirX, it followed the detailed Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) guidelines that were issued for Virtual Asset Service Providers (VASPs) like WazirX on 10 March 2023.
One of the primary requirements in these guidelines was that all VASPs register on the FIU portal as a reporting entity.
“WazirX was quick to comply with this requirement and registered as a reporting entity with the FIU”, it had stated while releasing a statement.
Other legal documents filed by WazirX clearly show that it has from the beginning made it clear that it was an Indian company and that its platform could only be used by Indian citizens, which allowed it to gain more customers than all its competitors.
As per its statement, “The Platform is distributed and managed in India by Zanmai Labs Pvt Ltd, a company incorporated under the Companies Act, 2013 of India.”
It had further stated that “Any Indian national resident can open a WazirX Account with WazirX and such WazirX Account can only be accessed within the geographical territory and jurisdiction of India. The User must provide the following documents before his/her WazirX Account can be made operational: a. Permanent Account Number (PAN) given by Income Tax Authorities, b. Officially Valid Documents for identification and proof of residence (Aadhaar/Voter ID/Passport), c. Live selfie from the camera.”
EXTENT OF ASSETS HELD AND LOST BY INDIAN INDIVIDUALS, CORPORATES AND LAW ENFORCEMENT AGENCIES WITH WAZIRX
As per the data, when the cyber incident happened, 43.52 lakh individual users had a balance of $558,671,126 in the wallet, while 640 corporate users had a balance of $11,397,232. The total comes to Rs 4,782 crore. More than 94% of these individual and corporate users are from India.
While the systems of Zettai and Zanmai India were not compromised, the cyber attack emptied one of the platform’s wallets (containing digital assets with an aggregate value of around $234 million at the time), which was managed using Liminal, a digital asset custody and wallet provider.
WazirX has said that $284,045,215 worth of crypto currency is still in Zettai’s control. In addition, they also have liquid assets worth $12 million in crypto that have been set aside to meet costs and expenses that Zettai anticipates incurring in the near future. Similarly, it also has contingent illiquid assets of $17,742,017.
Apart from that, WazirX accepted deposits of crypto currency tokens aggregating $28,004,198 from various Indian law enforcement agencies (LEAs) under a special arrangement where the platform would hold these tokens on trust for the LEAs. These tokens remain with Zettai, were unaffected by the cyber attack, and continue to be held on trust for the LEAs.
POST HACKING DEVELOPMENT
After announcing the said digital robbery, WazirX announced a bounty of $23M to help recover the stolen digital assets. It has also filed an FIR under the BNS & IT Act, which was registered on 5 August at a Special Cell police station in New Delhi, while also lodging a complaint with the authorities in Singapore on 17 August. The company, sources said, is also in touch with agencies in the United States.
Significantly, this is not the first time that WazirX has grabbed the headlines for a reason that it would not be happy about.
In August 2022, the Enforcement Directorate conducted searches on one of the directors of M/s Zanmai Labs Pvt Ltd, the parent company of WazirX, and issued an order to freeze their bank balances to the tune of INR 64.67 crore.
The said step by the ED was taken in the wake of its money laundering investigation against a number of Indian NBFC companies and their fintech partners for predatory lending practices in violation of the RBI guidelines and for using tele-callers who misuse personal data and use abusive language to extort high interest rates from the loan takers.
The ED had stated that various fintech companies backed by Chinese funds could not get an NBFC licence from the RBI to carry on lending business, after which they devised the MoU route with defunct NBFCs to piggyback on their licence.
After the criminal investigation begun by ED, many of these fintech apps shut down their operations and diverted the huge profits earned using the above modus operandi.
It was during this fund trail investigation that the ED found that large amounts of funds were diverted by the fintech companies to purchase crypto assets, launder them abroad and then go into hiding.
The ED had found that the maximum amount of funds was diverted to the WazirX exchange and that the crypto assets so purchased have been diverted to unknown foreign wallets.
During the ED investigation, it was revealed that Zanmai Labs Pvt Ltd created a web of agreements—with Crowdfire Inc. USA, Binance (Cayman Islands), Zettai Pte Ltd Singapore—to obscure the ownership of the crypto exchange.
When the ED reached WazirX, its managing director Nischal Shetty initially claimed that WazirX is an Indian exchange which controls all the crypto-crypto and rupee-crypto transactions and it only has an IP and preferential agreement with Binance. But later Zanmai claimed that they are involved in only rupee-crypto transactions, and all the other transactions are done by Binance on WazirX.
The ED had said that Shetty was giving contradictory and ambiguous answers to evade oversight by Indian regulatory agencies.
The ED also found that WazirX works from cloud-based software, all employees work from home, and its registered office consists of two chairs at a WeWork co-working space.
Despite being given repeated opportunities by the ED, WazirX had failed to give the crypto transactions of the suspect fintech app companies and reveal the KYC of the wallets. Most of the transactions are also not recorded on the blockchain.
Shockingly, WazirX told ED that prior to July 2020, they did not even record the details of the bank account from which funds were coming into the exchange to purchase crypto assets.
WazirX told ED that no physical address verification was done from its end and there is no check on the source of funds of their clients.
It was also not doing Enhanced Due Diligence that involves gathering information in order to verify the identity of customers and calculate the exact level of money laundering risk, nor were any Suspicious Transaction Reports raised.
When the ED conducted a search operation, it was found that Sameer Mhatre, one of the directors of WazirX, had complete remote access to the database of WazirX, but despite that he was not providing the details of the transactions relating to the crypto assets purchased from the proceeds of crime of the instant loan app fraud.
The ED found that by relying on lax KYC norms, loose regulatory control of transactions between WazirX and Binance, non-recording of transactions on Blockchains to save costs and non-recording of the KYC of the opposite wallets, WazirX had actively assisted around 16 accused fintech companies in laundering the proceeds of crime using the crypto route.
The case is still under investigation and WazirX is presumed innocent until proven guilty in a court of law.
WHY WAS THE APPLICATION FILED IN SINGAPORE?
After the 19 July cyber attack, on 27 August WazirX filed an application with the High Court of Singapore for a moratorium under Section 64 of the Insolvency, Restructuring and Dissolution Act 2018 to facilitate its intention to restructure its liabilities under a scheme of arrangement.
Singapore was chosen as the forum, company officials told The Sunday Guardian, because the parent company, Zettai, was registered there.
A moratorium, as per rules, will provide a breathing space even as Zettai progresses with a restructuring, which the company has claimed represents the most efficient way to address the users’ cryptocurrency balances on the platform and facilitate recovery for users. It is a form of legal protection under Singapore law that protects the applicant from creditor enforcement, such as winding-up proceedings, enforcement of security and other legal proceedings which are stayed until the expiry of the moratorium.
Legal experts said that with the application now filed in Singapore, the company and its founders are safe from any coercive action by the Indian agencies.
An automatic moratorium of 30 days has now arisen from the date of filing of the application (i.e., 27 August 2024), and the Singapore Court will determine at a hearing of the application whether to grant the moratorium sought (and the duration of the moratorium, if so granted). The hearing date has not yet been scheduled.
If the restructuring scheme is approved by the creditors and sanctioned by the Singapore Court, it would be legally binding on all relevant parties, including Zettai. WazirX has said that Zettai will need at least 6 months to consider the terms of the restructuring plan and work with the relevant stakeholders.
The company has engaged multiple law firms to handle these developments and any future legal backlash, including Kroll Private Ltd as financial advisors, Rajah & Tann Singapore LLP as legal advisors in Singapore and Nishith Desai Associates as legal advisors in India.
HOW WILL THE INVESTORS BE COMPENSATED?
As per an earlier statement by WazirX, 66% of investors’ balance will be available for withdrawal in phases starting on 26 August. From 26 August till 8 September, users will be able to withdraw up to half of the present 66% limit of their INR balances. From 9 September till 22 September users will be able to withdraw up to the full 66% limit of their balance. The remaining 34% will be made available for withdrawal once the on-going disputes and ED investigations are resolved, and the remaining funds are released.
However, the company’s decision to stop customers from withdrawing their investments has not found resonance with other industry players.
“The first contribution to losses should ALWAYS come from the company (i.e. WazirX in this case) and the treasury and assets the company holds. I have not seen any such commitment around this from the company side, instead making customers directly absorb the 45 per cent losses is utter nonsense,” said Sumit Gupta, co-founder of CoinDCX, a competitor of WazirX, in a post on X.
Later, CoinDCX announced that it has allocated Rs 50 crore as part of its Crypto Investors Protection Fund (CIPF) to compensate users for losses incurred in security breaches. This comes days after the WazirX theft. The company said that it would add 2% of its brokerage income to this initial corpus, thereby increasing the size of the fund over a period of time.
RESPONSE OF WAZIRX
The Sunday Guardian reached out to WazirX for a response on this entire controversy, including why Singapore was chosen as the forum to file the affidavit when all of its customers are based in India. The company stated that “this route was taken since the restructuring is the most efficient legal path available to WazirX under the current circumstances.”
Q: WazirX has claimed that it has received a clean chit from a globally renowned and leading cybersecurity and investigations firm which did a forensic analysis to determine if any of the three laptops used by WazirX team members for performing transactions had been compromised. Which company did this forensic analysis? Secondly, why were only three laptops analysed? Was the said investigation firm able to find out how the hackers managed to steal the digital assets?
A: Mandiant, a leading cybersecurity firm and Google subsidiary, has confirmed that the laptops used by WazirX team members during the recent $230M cyber attack were not compromised. For this particular transaction involving a loss of funds exceeding $230 million, 3 signatures of WazirX from 3 different devices that each use different hardware wallets were used. All 3 devices were at different locations and the links were bookmarked. That is the standard sign-off procedure where 4 different signatures from 4 different locations and two parties (WazirX and Liminal in this case) are needed. This wallet was operated utilizing the services of Liminal’s digital asset custody and wallet infrastructure from February 2023.
A transaction typically requires approval from three of the WazirX signatories (all three of whom use Ledger Hardware Wallets for security), followed by the final approval from Liminal’s signatory. A policy to whitelist destination addresses was also in place to enhance security. These whitelisted addresses were earmarked and facilitated on the interface by Liminal; consequently, the WazirX team had the ability to initiate transactions to the said whitelisted addresses. The cyber attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents.
During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker. We had robust security features, including the Gnosis Safe multisig smart contract platform and Liminal’s whitelisting policy. Despite us taking all necessary steps to protect the customer assets, the cyber attackers appear to have possibly breached such security features, and the theft occurred.
Q: The company earlier this week filed an affidavit in the Singapore High Court seeking relief under Section 64 of IRDA. Why was the affidavit filed in Singapore when over 90% of its customers are based in India?
A: The application was filed at Singapore under the Singapore Scheme of Arrangement which is a corporate rescue and restructuring mechanism set out under the Insolvency, Restructuring and Dissolution Act 2018 (“IRDA”) of the Singapore regulatory framework. This way, the company can put forward a proposal to its creditors to restructure its debts and potentially deliver stronger recoveries to creditors than under an insolvent liquidation. A creditor-approved and Court-sanctioned Scheme will be legally binding on both the Company and its creditors, and the IRDA sets out clear timelines, requirements and Court processes to ensure that creditors have enough information to make an informed decision on the proposed terms. This approach was taken keeping the best interests of all stakeholders in mind and the goal of reaching a fair resolution at the earliest.
Q: WazirX customers believe that this step was taken to stop the Indian judiciary from taking up this matter. Can you confirm or deny this?
A: This route was taken since the restructuring is the most efficient legal path available to WazirX under the current circumstances. Among all possible options, this seemed like a win for all parties. Our primary goal is to assist our users in recovering as much as possible while simultaneously exploring ways to enhance value. We have our townhall scheduled next week and will address our users’ concerns and sentiments towards the approach.