
Today marks exactly two years since roughly ₹2,000 crore in user funds left WazirX in a single transaction. On July 18, 2024, an attacker drained approximately $230 to 235 million, close to 45% of the exchange’s reserves, from one multisig wallet in what remains the largest crypto theft in Indian history.
In the 24 months since, this publication has documented every stage of the aftermath: the frozen withdrawals, the townhalls, the Singapore hearings, the creditor votes, the restart, and the Recovery Tokens.
The second anniversary is the right moment to step back from the news cycle and examine what two years of “recovery” have actually produced. When the record is read closely, a different story emerges from the one WazirX has told.
It is a story of a breach that was preventable in execution, a restructuring whose most quoted numbers were never the most important ones, a compensation structure that has not paid out a single additional rupee since January, and a founder who has managed the entire crisis from outside the reach of every Indian institution that has tried to question him.
The Crypto Times sent repeated requests for comment to WazirX, Zanmai Labs, and Nischal Shetty, as it has done throughout its coverage of this story. As of publication, none of those requests have received a response.
The Breach Was Visible for Eight Days Before It Happened
The accepted version of the hack is short: North Korea’s Lazarus Group spoofed a custody interface, tricked the signers, and emptied the wallet. That version is accurate as far as it goes. What it leaves out is the timeline, the division of responsibility, and the paper trail, all of which complicate the picture considerably.
The malicious smart contract at the center of the exploit was deployed on-chain on July 10, 2024, a full eight days before it was activated, as per a report by Medium. It sat dormant, interacting with nothing. WazirX later clarified that its signers did not sign anything malicious on that date, responding to claims circulating on social media. That clarification, however accurate, avoided the more uncomfortable question.
An adversary had pre-positioned attack infrastructure targeting India’s largest exchange for over a week, and neither WazirX’s own security operation, nor Liminal Custody’s monitoring, nor any third-party threat intelligence service flagged it. A window for detection existed. Nobody was looking through it.
The Signers Trusted a Screen Instead of Their Devices
The compromised wallet required three signatures from WazirX personnel using Ledger hardware wallets, plus one from Liminal. The attackers presented a spoofed interface that displayed a routine transaction while the underlying payload was a contract upgrade that transferred control of the wallet.
The entire security premise of a hardware wallet is that transactions are verified on the device itself, not on the web page in front of it. Three separate senior signers approved the transaction without catching the mismatch, and Liminal’s signature completed the set.
This was not an unstoppable zero-day. It was a verification failure that standard operational discipline is designed to catch, and it followed the same pattern later seen in the Radiant Capital exploit, a parallel WazirX never voluntarily drew attention to. Reports at the time also indicated that Liminal’s systems had rejected several suspicious transactions before the successful one, without that anomaly triggering an escalation to the signers.
Two Audits, Two Clients, Two Exonerations
Two forensic investigations were conducted, and they point in opposite directions. Mandiant, commissioned by WazirX, found no compromise on WazirX’s own machines and located the failure in the externally managed custody environment. Grant Thornton, commissioned by Liminal, cleared Liminal’s frontend, backend, and interface, and pointed back toward the client side. Each company paid for an investigation, and each investigation cleared the company that paid for it.
No independent authority ever reconciled the two reports, and Delhi Police investigators were reported to have struggled to obtain complete logs during their probe. Two years after the event, there is still no single court-supervised technical account of what happened inside that wallet. That absence is not a byproduct of complexity. It is the direct result of both companies controlling their own investigations, and it has suited both of them.
The Wallet Filing That Undercut the Blame Game
There is a detail from the Singapore proceedings that received almost no attention when it surfaced. When WazirX submitted wallet addresses to the court, the filing ran to roughly 240,000 addresses, and the overwhelming majority of them were hot wallets under WazirX’s own direct control, with only a small number managed by Liminal.
For a company whose public messaging leaned heavily on the failure of its custody partner’s interface, the court record quietly showed how much of the operational surface WazirX itself was responsible for. The Crypto Times reported on the dubious nature of that wallet submission at the time, and the finding was never seriously addressed by the exchange.
The recovery record completes this section of the ledger. Despite a bounty program launched on July 21, 2024 offering rewards of up to $23 million, despite FBI contact, and despite a formal joint attribution of the attack to North Korea by the United States, Japan, and South Korea in January 2025, investigators had frozen only about $3 million of the stolen funds by early 2025, and no materially larger figure has been announced since. That is roughly 1.3% of what was taken.
The remainder was laundered through Tornado Cash within months of the theft, much of it converted to Bitcoin. Measured in today’s prices, the stolen assets have appreciated. The compensation paid to the victims, as this piece will show, was anchored to prices from the day of the hack.
Also Read: Rise and Fall of WazirX: Mapping India’s Biggest Crypto Hack
The Numbers Behind the 95.7% Approval
The restructuring of Zettai Pte Ltd, WazirX’s Singapore parent, is routinely described with one statistic: 95.7% of voting creditors approved the amended scheme. That figure is accurate. It is also close to meaningless without the numbers that sat around it, and those numbers were rarely reported together.
The Singapore High Court rejected Zettai’s original scheme outright on June 4, 2025, before reversing course the following month and ordering a revote on an amended version. In the first vote, participation stood at just 3.3% of total creditors.
The celebrated supermajorities in the revote were percentages of those who voted, not of the 4.4 million affected users, most of whom never engaged with a foreign court process conducted in English, on Kroll’s platform, under Singapore insolvency law.
Both statements were true at the same time: the scheme won overwhelming support among voters, and only a small, self-selected fraction of victims ever participated. Only one of those framings appeared in the exchange’s communications.
The same period produced findings that deserve more weight in the historical record than they have received. In her June 2025 ruling, Justice Kristy Tan of the Singapore High Court noted that the platform had misled users in its post-hack communications, documenting delays and distortions while users waited.
During the same stretch of 2025, The Crypto Times fact-checked corporate filings showing the company’s quiet redomiciliation to Panama and rebranding as Zensui, a move that coincided with Singapore’s tightening of rules on unlicensed crypto firms serving overseas customers. Users learned of it from journalists, not from the exchange.
There is a final structural detail in the scheme that almost nobody interrogated before voting. Claims were valued at reference prices from July 18, 2024, the day of the hack. Between that date and the platform’s restart in October 2025, the crypto market ran a full bull cycle.
Users therefore received 85% of a portfolio valued at pre-rally prices, which means the real economic loss, measured against what those holdings would be worth today, is substantially larger than the nominal 15% gap. WazirX has never quantified that opportunity cost in any disclosure.
In October 2025, the Madras High Court ruled in a separate user case that crypto assets held on an exchange remain the property of the individual user and cannot be socialized against unrelated platform losses. It was the strongest judicial statement on crypto property rights India has produced, and it arrived after the Singapore scheme was already sanctioned and beyond the reach of Indian courts.
Where is Nischal Shetty?
This is the question readers ask this publication more than any other, and on the second anniversary, it deserves a factual answer rather than a rhetorical one.
As per a report by Business Today, Nischal Shetty and co-founder Siddharth Menon moved their base from Mumbai to Dubai in April 2022, during the exodus of crypto founders that followed India’s 30% tax and 1% TDS regime. That relocation predates the WazirX hack by more than two years, a fact often lost in the retelling. What matters for this anniversary is what has happened since July 18, 2024.
In the two years since the breach, there is no public record of Shetty appearing in person before any Indian court, any Indian investigative agency, or any physical gathering of the users whose funds were frozen.
The Enforcement Directorate’s (ED) Foreign Exchange Management Act (FEMA) show-cause notice covering transactions worth ₹2,790 crore predates the WazirX hack and remains open. The Delhi High Court proceedings concerning his exchange have been conducted through counsel.
Even in Singapore, the jurisdiction his own company chose, The Crypto Times reported in January 2025 that Shetty skipped a scheduled court date, failing to file an expected affidavit and leaving users without answers. The crisis, from beginning to end, has been managed remotely: posts on X, recorded videos, virtual townhalls, and lawyers.
Claims about Shetty’s personal luxurious lifestyle in Dubai have circulated from anonymous sources throughout this period. The Crypto Times has not been able to independently verify those claims and does not present them as fact. The verifiable record is sufficient on its own, and it is the following.
The Paper Trail Around the Founder
On August 13, 2024, less than four weeks after the WazirX hack, corporate records published in the UAE showed that Shetty transferred 100% of his ownership in Shinjuku FZC LLC, an Ajman-licensed company linked to the wider WazirX network, to his wife, Moujhari Guha. His own shareholding was reduced to zero.
The transfer was not disclosed to users, to the media, or to regulators, and came to light only when The Crypto Times obtained the filing months later. Whatever the private rationale, the timing speaks for itself: while wallets were frozen and users were demanding answers, the founder was restructuring his personal holdings in silence.
The money trail runs backward from the hack as well. Zanmai Labs’ own annual report records a payment of ₹342.28 crore in the 2021-22 financial year to Qizil21 Software Pvt Ltd, a private company controlled by Shetty and Guha, an elevenfold jump from the ₹28 crore recorded the year before, booked under business auxiliary services with no explanatory notes.
A second founder-linked entity, Shibuya Labs LLP, received ₹35.5 crore in 2020-21. These are related-party transactions from a company that simultaneously maintained it had been sold to Binance, and they have never been publicly explained.
The pattern extends into the exchange’s post-restart product decisions. While users’ funds were locked, Shetty was publicly building Shardeum, the Layer 1 blockchain he co-founded in 2022, which launched its mainnet during the restructuring period.
After the restart, WazirX listed Shardeum’s SHM token in February 2026, ran a trading contest denominated in 52.9 million SHM, and in March announced a partnership with Sikka.fun, a memecoin launchpad built on Shardeum.
As reported in March, there has been no disclosure of how the commercial relationship between the exchange and its founder’s other venture is structured, whether payment is involved, or whether any revenue from that activity reaches the recovery pool owed to creditors.
The exchange’s 16 million registered accounts have, in effect, become a distribution channel for the founder’s second company, and the users who are still owed 15% of their money have no visibility into the terms.
The contrast in accountability completes the picture. The only arrest Indian police have made in connection with the hack itself was of SK Masud Alam, a man from West Bengal accused of selling the KYC-verified account that served as an entry point. Two years on, the account seller has faced criminal prosecution. The leadership that designed the custody arrangement, selected the vendor, and set the signing procedures has faced no personal legal consequence in any jurisdiction.
Where Everyone Stands on the Second Anniversary
A two-year mark invites a full accounting of every party to this story, because the aftermath of the hack was never only about WazirX. It tested an entire ecosystem of companies, courts, and regulators, and the results are now measurable.
The Exchange: Operational, Expanding, and Silent on the Only Number That Matters
WazirX restarted trading on October 24, 2025, with zero trading fees, BitGo as custodian, and a Fireblocks integration added in January 2026. Since then, the product cadence has been relentless.
The exchange launched a ₹99-per-month WazirX ZERO subscription in November 2025, which drew immediate criticism from users who argued the priority should be repayment rather than new revenue products. It listed SHM in February and announced the Sikka.fun partnership in March, and rolled out INR-settled futures, initially at 20x leverage in early access before the figure was quietly reduced to 10x by the public launch in May, a revision the company never explained.
What has not shipped is more telling. The decentralized exchange promised during restructuring as an additional revenue stream for creditors has never launched. No revenue or profit figures have been disclosed, despite the entire recovery mechanism resting on profits.
And in his June 2026 interview with PTI, covered in detail by this publication, Shetty confirmed the exchange now holds roughly 7 to 10% of the Indian market, down from a claimed 50 to 60% in its prime, while describing profitability for creditor repayment as the top priority and pitching AI-powered trading as the path forward. He conceded the exchange is “far away from the original level,” offered no timeline, and confirmed no buyback progress.
On May 20, 2026, WazirX representatives appeared before India’s Parliamentary Standing Committee on Finance to discuss virtual digital assets. The outcome of that appearance has not been made public.
The Users: Repaid at Stale Prices, Holding a Claim They Cannot Sell
Eligible users received their first distribution, about 85% of approved claims at July 2024 reference prices, within days of the restart, and their Recovery Tokens on January 9, 2026, allocated pro-rata and visible in the app’s Funds tab. Those tokens cannot be traded, withdrawn, or transferred.
At restart, some users publicly reported receiving what they calculated as roughly 30% of their expected balances or facing unexplained calculation discrepancies, and others were caught in repeated re-KYC loops before they could withdraw anything. Many users simply withdrew everything they received and left the platform, treating the restart as an exit rather than a return.
The Supreme Court of India had already closed the domestic legal route in April 2025, when a criminal writ petition filed by 54 victims against Shetty and the management was dismissed in under five minutes, with the bench citing the absence of crypto regulation in India.
Binance and Liminal: The Two Companies That Walked Away
The ownership question that predates the hack remains unresolved and remains central. Binance continues to deny that it ever completed the 2019 acquisition of WazirX; Shetty continues to maintain that it did.
In August 2025, the Delhi High Court ordered Zettai to produce its actual agreement with Binance along with all Singapore proceedings. That document, which determines who ultimately owed a duty of care to 4.4 million Indian users in July 2024, has still never been made public.
Binance delisted WRX on December 25, 2024, the same day the Delhi High Court rejected the police’s attempt to close its probe and ordered a fresh investigation. The token recorded its all-time low that day.
Liminal Custody, the vendor whose interface sat at the center of the exploit, terminated its relationship with WazirX amid mutual blame, produced its own clearing audit, and continues to operate. No regulator in any jurisdiction has announced action against it. The question of what a custodian owes the end users of its client was never answered, because it was never seriously litigated.
Indian Institutions: Two Years of Jurisdiction Ping-Pong
The domestic institutional record is a study in deferral. The Supreme Court declared itself not the relevant authority. The Delhi High Court issued notices in January 2025 to the RBI, SEBI, and multiple ministries, demanding they explain who actually regulates crypto platforms, a question that, as of July 2026, still has no statutory answer. The users’ demand for a Special Investigation Team went nowhere.
The ED’s FEMA file, the FIU proceedings, and the GST demands against Binance and WazirX all continue in the background, and none has returned a rupee to a user. India’s largest crypto consumer-harm event has produced, in two full years, no new investor-protection law.
Meanwhile, the attackers, formally attributed to the Lazarus Group by three governments, laundered the proceeds at industrial speed and, given Bitcoin’s appreciation since July 2024, are likely holding assets worth more today than the amount they stole.
What the Tokens Say About the Recovery
Token prices are the one part of this story that cannot be managed through press releases, and on the second anniversary, they deliver an unambiguous verdict.
WRX: A Market Verdict in Real Time
WRX, the exchange’s native token, reached an all-time high of $5.94 in April 2021, when WazirX was processing tens of billions of dollars in annual volume. It recorded its all-time low of roughly $0.015 on December 25, 2024, the day of the Binance delisting.

As of this week, WRX trades at approximately $0.0188, a decline of more than 99.6% from its peak, with a market capitalization of around $7.16 million and daily trading volume in the region of $8,500. That volume figure deserves to be read twice. A token that once anchored one of Asia’s largest exchanges now trades less in a day than a modest monthly salary.
Neither the zero-fee relaunch, nor the futures launch, nor any promotion since October has moved it meaningfully. There is also a structural detail from the restructuring worth recalling: 33% of locked WRX was included in the rebalancing calculations, meaning the exchange’s own depressed token was used as part of the compensation arithmetic at valuations users had no role in setting. WRX is, in effect, a live index of how much trust WazirX has rebuilt, and the reading has barely moved off the floor.
Recovery Tokens: Two Quarters, Zero Buybacks
Stripped of its financial engineering, the Recovery Token is a simple instrument. WazirX owes users the remaining 15% of their claims and has promised to buy the tokens back if and when it generates enough profit or recovers enough stolen assets, assessed in rolling three-month cycles against a threshold of $10 million in unencumbered value, in a program the scheme runs to roughly 2028.
The scheme’s own documentation also provides for a $30 million cost reserve inside the structure, a provision that received almost no scrutiny before the vote.
Two full quarters have now elapsed since the tokens were credited on January 9, 2026. In that time, no buyback has been announced. No quarterly report has confirmed whether the $10 million threshold was approached, met, or missed. The promised tradability of the tokens remains subject to legal clearance with no date attached.
The futures product was launched with an explicit written assurance that its profits would flow toward additional recoveries for Recovery Token holders, yet no mechanism for verifying that flow has ever been disclosed. Users cannot sell the token, cannot borrow against it, and cannot see a published formula tracking what it might be worth.
On the second anniversary, the remaining 15% of user funds exists as an unaudited promise on the balance sheet of a company that publishes no balance sheet. That, more than the hack itself, is the defining fact of the second year.
The Questions WazirX Has Not Answered
Every anniversary piece about this saga eventually arrives at the same wall, which is the exchange’s silence on specifics. The unanswered questions are concrete and have been put to the company repeatedly. Whether WazirX has generated any net profit since October 2025, and where it sits, remains undisclosed, since no profit and loss statement has ever been published.
What the Binance agreement actually says remains unknown to the public despite a court order for its production nearly a year ago. Which individuals signed the malicious transaction, and whether anyone inside the company faced consequences for the verification failure, has never been stated.
Whether Shardeum pays WazirX for its listings, contests, and launchpad integration, and whether any of that revenue reaches Recovery Token holders, has never been disclosed. And whether Nischal Shetty will ever appear in person before an Indian court or agency remains, on the evidence of two years, unlikely.
The Crypto Times put questions on each of these points to WazirX, Zanmai Labs, and Nischal Shetty in the course of preparing this piece. No response was received before publication, consistent with the pattern this publication has documented across two years of requests.
The Verdict at Two Years
An honest accounting must record what the restructuring achieved. WazirX did not become another FTX; no evidence of internal theft of the stolen funds has emerged; the company completed a court-supervised restructuring faster than most comparable cases, returned 85% of claims at hack-date prices, and moved custody to institutional providers.
Those are facts, and the roughly 95% of voting creditors who backed the scheme made a calculated judgment that a functioning exchange offered better odds than liquidation.
But the fuller ledger reads differently, and the second anniversary is the time to read it in full. The breach was enabled by verification failures and vendor blind spots that two conflicting, self-commissioned audits ensured no one would ever formally own. The restructuring’s celebrated approval rates concealed catastrophic non-participation and a Singapore judge’s finding that users had been misled.
The compensation locked in prices from the worst possible day and converted the shortfall into an instrument with no market, no reporting, and, through two full quarters, no buybacks.
The founder restructured his personal UAE holdings within weeks of the hack, has routed his other venture’s token through the recovering exchange without disclosing terms, and has conducted the entire crisis from jurisdictions that Indian users and Indian courts cannot reach. The only person arrested in India’s biggest crypto heist sold a KYC account in Bengal.
The lesson of July 18, 2024, was never simply that hacks happen. It is that when a centralized Indian exchange fails, the company restructures abroad, the founder operates remotely, the regulators write notices to one another, and the users end up holding a token they cannot sell, backed by a promise nobody is obligated to update them on. Two years later, WazirX is operational. The remaining money, the founder, and the answers are all still somewhere else.
This is an opinion and analysis piece. Factual claims are drawn from court records, corporate filings, forensic reports commissioned by the parties, official WazirX and Zettai disclosures, on-chain data, and two years of reporting by The Crypto Times. Claims that could not be independently verified are identified as such.
Frequently Asked Questions
How much of the stolen $230 million has been recovered two years after the WazirX hack?
Publicly confirmed freezes amount to roughly $3 million, or about 1.3% of the stolen funds. The bulk of the assets were laundered through Tornado Cash in the months after the theft and largely converted to Bitcoin, and no materially larger recovery has been announced since early 2025.
Have WazirX users been fully repaid?
No. Users received approximately 85% of their approved claims after the October 2025 restart, valued at prices from July 18, 2024. The remaining 15% was converted into non-tradable Recovery Tokens issued in January 2026, and no buyback of those tokens has been publicly reported through two full quarterly cycles.
What is the WRX price two years after the hack?
WRX trades at approximately $0.0188 as of mid-July 2026, with a market capitalization near $7.16 million and a daily volume of roughly $8,500. The token remains more than 99.6% below its April 2021 all-time high of $5.94, and its all-time low was recorded on December 25, 2024, the day Binance delisted it.
Where is Nischal Shetty now?
Shetty has been based in Dubai since April 2022 and has managed the entire post-hack process remotely through Singapore’s courts. There is no public record of him appearing in person before any Indian court or investigative agency since the hack, and he skipped a scheduled Singapore court date in January 2025. Repeated requests for comment from The Crypto Times have gone unanswered.
Also Read: Mudrex & KoinX Launch Crypto Tax Campaign Ahead of India’s July 31 Deadline
