WazirX, a leading Indian crypto exchange, halted withdrawals Thursday after a security breach it called a “force majeure event” resulted in the loss of $230 million, nearly half its reserves.
The Mumbai-based firm said one of its multisig wallets had suffered a security breach. A multisig wallet requires two or more private keys for authentication. WazirX said its wallet had six signatories, five of whom were with WazirX team. Liminal, which operates a wallet infrastructure firm, said in a statement to TechCrunch that its preliminary investigation had found that a wallet created outside its ecosystem had been compromised.
“The cyber attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents,” said WazirX in a statement on Thursday. “During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker.”
Lookchain, a third-party blockchain explorer, reported that more than 200 cryptocurrencies, including 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT and 135 million Gala tokens were “stolen” from the platform.
Blockchain data suggests the attackers are trying to offload the assets using the decentralized exchange Uniswap. Risk-management platform Elliptic reported that the hackers have affiliation with North Korea.
About $230 million in missing assets is significant for WazirX, which reported holdings of about $500 million in its June proof-of-reserves disclosure.
CoinSwitch and CoinDCX, two other leading crypto exchanges in India, assured their customers that their funds were secure and unaffected by this incident.
“Our wallet security remains robust,” Sumit Gupta, co-founder and chief executive of CoinDCX, wrote in a tweet.
“We advise all our crypto investors to be mindful of potential market volatility during this time and exercise caution in their trading and investment activities,” tweeted Ashish Singhal, co-founder and chief executive of PeepalCo, the group holding firm of CoinSwitch.
This is the latest setback for WazirX, which separated from Binance in early 2023 after the two crypto exchanges had a public and high-profile fallout in 2022. Two years after Binance announced it had acquired WazirX, the two companies started a dispute over the ownership of the Indian firm. Binance founder Changpeng Zhao eventually said that the two firms hadn’t been able to conclude the deal and moved to terminate Binance’s businesses with the Indian firm.
“This is a force majeure event beyond our control, but we are leaving no stone unturned to locate and recover the funds. We have already blocked a few deposits and reached out to concerned wallets for recovery. We are in touch with the best resources to help us in this endeavor,” WazirX said in a statement posted on its X account.
The story was updated throughout the day, including most recently at 11:03 p.m. India Standard Time to include WazirX’s confirmation that it lost the crypto assets in the security breach.
WazirX, a leading Indian crypto exchange, halted withdrawals Thursday after a security breach it called a “force majeure event” resulted in the loss of $230 million, nearly half its reserves.
The Mumbai-based firm said one of its multisig wallets had suffered a security breach. A multisig wallet requires two or more private keys for authentication. WazirX said its wallet had six signatories, five of whom were with WazirX team. Liminal, which operates a wallet infrastructure firm, said in a statement to TechCrunch that its preliminary investigation had found that a wallet created outside its ecosystem had been compromised.
“The cyber attack stemmed from a discrepancy between the data displayed on Liminal’s interface and the transaction’s actual contents,” said WazirX in a statement on Thursday. “During the cyber attack, there was a mismatch between the information displayed on Liminal’s interface and what was actually signed. We suspect the payload was replaced to transfer wallet control to an attacker.”
Lookchain, a third-party blockchain explorer, reported that more than 200 cryptocurrencies, including 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT and 135 million Gala tokens were “stolen” from the platform.
Blockchain data suggests the attackers are trying to offload the assets using the decentralized exchange Uniswap. Risk-management platform Elliptic reported that the hackers have affiliation with North Korea.
About $230 million in missing assets is significant for WazirX, which reported holdings of about $500 million in its June proof-of-reserves disclosure.
CoinSwitch and CoinDCX, two other leading crypto exchanges in India, assured their customers that their funds were secure and unaffected by this incident.
“Our wallet security remains robust,” Sumit Gupta, co-founder and chief executive of CoinDCX, wrote in a tweet.
“We advise all our crypto investors to be mindful of potential market volatility during this time and exercise caution in their trading and investment activities,” tweeted Ashish Singhal, co-founder and chief executive of PeepalCo, the group holding firm of CoinSwitch.
This is the latest setback for WazirX, which separated from Binance in early 2023 after the two crypto exchanges had a public and high-profile fallout in 2022. Two years after Binance announced it had acquired WazirX, the two companies started a dispute over the ownership of the Indian firm. Binance founder Changpeng Zhao eventually said that the two firms hadn’t been able to conclude the deal and moved to terminate Binance’s businesses with the Indian firm.
“This is a force majeure event beyond our control, but we are leaving no stone unturned to locate and recover the funds. We have already blocked a few deposits and reached out to concerned wallets for recovery. We are in touch with the best resources to help us in this endeavor,” WazirX said in a statement posted on its X account.
The story was updated throughout the day, including most recently at 11:03 p.m. India Standard Time to include WazirX’s confirmation that it lost the crypto assets in the security breach.
In July 2022, someone sent Google a batch of malicious code that could be used to hack Chrome, Firefox, and PCs running Microsoft Defender. That code was part of an exploitation framework called Heliconia. And at the time, the exploits used to target those applications were zero-days, meaning the software makers were unaware of the bugs, according to Google.
Later in November 2022, Google’s Threat Analysis Group, the company’s team that investigates government-backed threats, published a blog post analyzing those exploits and the Heliconia framework. Google’s researchers concluded that the code belonged to Variston, a Barcelona-based startup that was unknown to the public.
“It was a huge crisis at the time, mainly because we had stayed under the radar for quite a while,” a former Variston employee told TechCrunch. “Everyone believed that in the end we’d be exposed by being caught [in the wild], but it was a leaker instead.”
Another former Variston employee said that the code was sent to Google by a disgruntled company employee and that after it happened, Variston’s name and secrecy were “burned.”
Google kept digging into Variston’s malware. In March 2023, the tech giant’s researchers found that spyware made by Variston was used in the United Arab Emirates. Last week, Google reported that it found Variston hacking tools used against iPhone owners in Indonesia.
In the past year, more than half a dozen Variston employees have left the company, they told TechCrunch on the condition of anonymity, as they were not authorized to speak to the press because of nondisclosure agreements.
Now, according to four former employees and two people with knowledge of the spyware market, Variston is shutting down.
At the beginning of the 2010s, the public began to learn that there was a flourishing market where Western-based companies, such as Hacking Team, FinFisher, and NSO Group, were providing surveillance and hacking tools to countries and regimes all over the world with questionable or poor records of human rights, such as Ethiopia, Mexico, Saudi Arabia, the United Arab Emirates, and many others.
Since then, digital and human rights organizations like the Citizen Lab and Amnesty International have documented dozens of cases where government customers of these spyware makers were using those tools to hack and spy on journalists, dissidents, and human rights defenders.
In the last few years, the offensive security industry has become more public and normalized. Some of these spyware makers and exploit developers openly advertise their services online, their employees disclose where they work on social media, and there are a few popular security conferences that openly cater to this industry, such as OffensiveCon and HexaCon.
Variston, however, has always tried to fly under the radar.
The company’s only public-facing information is a barebones website where it vaguely describes what it does.
“Our toolset is built upon the vast cumulative experience of our consultants. It supports the discovery of digital information by [law enforcement agencies],” reads Variston’s website, in what is the only short mention of its work as a spyware and exploit maker for government agencies.
Variston forbade employees from disclosing where they work, not only on LinkedIn, but also at cybersecurity conferences, according to the former employees who spoke to TechCrunch.
According to Spanish business records seen by TechCrunch, Variston was founded in Barcelona in 2018, listing Ralf Wegener and Ramanan Jayaraman as the founders and directors.
While its website lists another address in the city, Variston most recently worked out of an office in the Barcelona neighborhood of Poblenou, inside a co-working space located one block from the beach. In October, a representative for the co-working space told TechCrunch that Variston was located there and had been for a couple of years.
When TechCrunch visited Variston’s office this week, a co-working space representative claimed Variston is still working there. The representative offered to take a message for Variston, saying they were not there that day but that they had been in the building that week. Neither Wegener nor Jayaraman responded to multiple emails from TechCrunch requesting comment about Variston. An email to Variston’s public email address went unreturned.
One of Variston’s first moves in 2018 was to acquire Truel IT, a small zero-day research startup in Italy, according to Italian business records seen by TechCrunch. Since then, Variston grew to a company of around a hundred staff. Other than Heliconia, the company’s exploitation framework for targeting Windows devices, Variston also developed exploits and hacking tools targeting iOS and Android. Variston’s Android product was called Violet Pepper, according to the former employees.
Even Truel IT’s founders, who moved to work at Variston, do not disclose Variston as an employer on their LinkedIn profiles.
According to the former Variston employees, this level of secrecy also applied to the identity of the company’s customers — except for its special relationship with Protect, a company based in the United Arab Emirates city of Abu Dhabi.
“Variston was a supplier of Protect,” said a person with knowledge of Protect’s operations, who asked to remain anonymous because they were not authorized to speak to the press. “It was an important relationship for both for a while.”
The company’s work “was going to the UAE,” and that Protect was “de facto the only customer,” according to former Variston employees.
The former employees told TechCrunch that Protect was funding all the operations at Variston, including the research and development side. One former Variston employee said once Protect pulled its funding from the development side in early 2023, Protect tried to force Variston employees to relocate. Then, when the funding for research stopped later in the year, Variston “closed shop,” the person said.
Contact Us
Do you know more about Variston or Protect? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
At the beginning of 2023, Protect asked all Variston employees to move to Abu Dhabi. This is where Variston began to unravel, as most of Variston’s staff did not accept the proposal. The former employees said management gave them two choices: “move to Abu Dhabi or get fired” and that there would be no exceptions.
Protect bills itself as “a cutting edge cyber security and forensic company.” Much like Variston, Protect says little else on its website about what the company does.
But Google’s security researchers believe that Protect, also known as Protect Electronic Systems, “combines spyware it develops with the Heliconia framework and infrastructure, into a full package which is then offered for sale to either a local broker or directly to a government customer.”
That would explain how Variston’s tools allegedly ended up being used in Indonesia.
According to Intelligence Online, a trade publication that covers the surveillance and intelligence industry, Protect was launched after DarkMatter, a controversial UAE-based hacking company, was revealed to have employed Americans who then helped the UAE government spy on dissidents, political rivals, and journalists.
As of 2019, Protect was headed by Awad Al Shamsi and was providing “UAE government users with discreet access to foreign cyber technology,” reported Intelligence Online. It’s not known if Al Shamsi is still at Protect, and Al Shamsi did not respond to an email requesting comment. Protect did not respond to several other emails from TechCrunch.
Variston’s founders Wegener and Jayaraman also appear to have worked at Protect, at least as of 2016, according to public online records of encryption keys linked to their Protect email addresses seen by TechCrunch.
Wegener is a veteran of the spyware industry. According to Intelligence Online, Wegener runs several other companies, some based in Cyprus and also co-owned by Jayaraman. Wegener used to work at AGT, or Advanced German Technology, a surveillance provider founded in Berlin in 2001 with an office in Dubai. In 2007, along with Italian spyware maker RCS Lab, AGT worked with the Syrian government to develop a centralized real-time country-wide internet monitoring system, according to news reports based on leaked documents and research by nonprofit Privacy International. Eventually, AGT did not provide the system to the Syrian government.
Five years after it was founded, Variston is not a secret startup anymore.
Three former employees said Google’s report in 2022 blew the lid on Variston’s secrecy. One of the employees said the Google report exposing Variston “might have been the beginning of the end” for the spyware maker.
But another former Variston employee said the company — like other spyware makers — would have been exposed eventually. “It was bound to happen sooner or later,” the person said. “It’s quite normal.”
Natasha Lomas contributed reporting.
An earlier version of this report misattributed Google’s discovery of Variston’s tools to Italy, Kazakhstan, and Malaysia due to conflation of an unrelated campaign. The story was updated to correct Google received the leaked tools in July 2022. These corrections were made due to editor’s error. ZW.
Struggling EV startup Faraday Future owes the landlord of its Los Angeles headquarters nearly $1 million after missing the last two months’ rent, TechCrunch has learned.
The landlord, Rexford Industrial, filed a previously unreported lawsuit against Faraday Future this week in Los Angeles Superior Court that accuses the startup of missing its January and February lease payments, as well as associated maintenance fees and taxes. Rexford claims the startup owes it $917,887.26 as a result and is seeking to take possession of the building. A lawyer for Rexford declined to comment.
Faraday Future is also being sued by the landlord of an office it has leased in San Jose since 2022. That previously unreported complaint, filed by BXP Realty in Santa Clara Superior Court on January 31, alleges that Faraday Future stopped making lease payments in December, leading to an outstanding balance of $127,311.16.
BXP says it applied Faraday Future’s $99,518 security deposit to the balance in January and asked the company to pay the remainder; the startup did not pay that sum. As a result, BXP is looking to boot the startup from the premises. A lawyer for BXP did not immediately respond to a request for comment.
“We are actively working with the landlords of our offices in both San Jose and our HQ in Gardena and are in negotiations to resolve the situation with both amicably and as quickly as possible,” a Faraday Future spokesperson said in a statement.
The missed payments are the latest sign of trouble for the startup, which only recently began shipping its first luxury SUVs to employees and hand-picked celebrities after nearly 10 years and more than $3 billion in losses. Faraday Future warned shareholders in a December regulatory filing that its ongoing fundraising efforts continue to face major hurdles, and that without a cash infusion, the startup may not have “sufficient resources” to continue operating and “will likely have to file for bankruptcy protection and its assets will likely be liquidated.” Faraday Future became a publicly traded company in 2021 after merging with a special purpose acquisition company.
Faraday Future reported just $8.5 million in cash at the end of September 2023. The startup is also under investigation by the Securities and Exchange Commission.
Faraday Future has survived a series of crises over the years as it attempted to develop and ship its luxury electric SUV, the FF 91. In 2019, after a messy breakup with one of its financial backers, Faraday Future sold the Los Angeles headquarters to generate cash and leased it back from a subsidiary of New York real estate firm Atlas Capital. Rexford assumed Faraday Future’s lease in 2022 after buying the building for $64.3 million.
Faraday Future managed to survive long enough to merge with Property Solutions Acquisition Corp. in 2021, a transaction that netted Faraday Future $1 billion in fresh funding. But Faraday Future has spent the intervening years mired in more drama centered around its billionaire founder, Jia Yueting.
This story has been updated to include a comment from Faraday Future.
Elon Musk’s decision to green-light a robotaxi over an affordable EV might cost the company its lead.
Last week, Musk reportedly canned the effort in favor of a robotaxi, the sort of pie-in-the-sky project that defined his first decade at the helm. There’s an argument to be made that the company is where it is today by betting big, then delivering on enough of its promises to impress shareholders and generate significant positive cashflow. Problem is, in the early days, there was both everything and nothing to lose. The whole company could have gone under, but there was also less on the line.
Today, Tesla is no longer the plucky upstart. It brought in nearly $100 billion in revenue last year and earned net profits of $15 billion, the sort that would have other automakers rewarding shareholders with richer dividends. It’s a global manufacturer that cranks out hundreds of thousands of cars every quarter, the type of operation where success is measured in continuous improvement in productivity and process indicators.
Tesla was reportedly on the cusp of building a $25,000 EV. In January, Musk confirmed that the company would begin construction of a next-generation vehicle at its Texas plant in the second half of 2025. Suppliers had been asked to bid on parts contracts, Reuters reported, with weekly production volume starting at 10,000 vehicles per week. Given flagging sales of the company’s existing product line, it would have been a welcome shot in the arm.
An inexpensive EV would have significantly increased Tesla’s total addressable market by dramatically undercutting the average sales price in the U.S., which is currently at around $47,000. It also would have given the company a product to hold its ground against a predicted onslaught of inexpensive Chinese EVs.
But it also would have meant creating a production line from scratch, something the company last did at scale with the Model 3. By all accounts, that wasn’t a fun experience.
Building a robotaxi, though. Now, that sounds like fun.
Musk has long been enamored with the concept. Four years ago, he said that such a car would be able to earn its owner up to $30,000 per year as it ferried paying passengers to and fro. It would be so popular, Musk reportedly told biographer Walter Isaacson, that “there is no amount that we could possibly build that will be enough.”
Problem is, Tesla has been trying to master autonomous hardware and software for a while now, and it doesn’t appear anywhere close to delivering a vehicle capable of Level 5 driving, which would require zero human input. Despite years of work, Autopilot remains a Level 2 system, which means it requires human attention at all times. The same is true for Full Self-Driving. (Indeed, the company recently started using the term “supervised” when referring to the software suite.) And while artificial intelligence has been advancing rapidly of late, is it moving quickly enough to provide Tesla with a blockbuster product in the next few years?
Given Musk’s desire to pursue exploratory projects, the logical path would be to spin up a skunkworks inside Tesla or spin out a division that’s purely focused on bringing a robotaxi to market. The latter is unlikely to happen because much of Musk’s wealth is tied up in Tesla stock, and he probably doesn’t trust anyone else to run the company when that much money is on the line. The former has more of a chance, but Musk also likes to appear heavily involved in, well, everything at Tesla. He’d balk at the idea of “only” running a skunkworks.
It’s something that Tesla’s board should probably be weighing in on. And maybe they are. But numerous reports have also illustrated just how tightly linked that board is with Musk. They don’t appear to disagree on much, and that could cost Tesla its lead.
President Joe Biden signed the bill this week that could ban TikTok from the U.S. if its parent company ByteDance doesn’t sell the platform. According to young political content creators, the ban could decimate Gen Z’s access to political news and information.
“An unfortunately large amount of 18- to 24-year-olds find out information about local elections from TikTok, so my heart is breaking,” Emma Mont, a political content creator, told TechCrunch. According to the Pew Research Center, about a third of American adults between ages 18 and 29 regularly get their news from TikTok.
“I think it’s going to have an impact not only on the people who provide information, but also the people who receive that information,” Mont said. “Part of the reason I make the content I do is that I know there’s someone who’s watching and this is the first time they’re ever gonna learn about Roe v. Wade, or whatever I’m talking about.”
For most content creators, the transition away from TikTok is difficult, but not insurmountable — many full-time creators already cultivate multi-platform followings, rather than depending on one platform, in preparation for this exact kind of worst-case scenario (remember Vine?).
Instagram Reels is a clear alternative to TikTok, but for political creators, it’s not a real option. As of March, Instagram is filtering out political content from users that you don’t already follow. That means that it’s basically impossible for political creators and activists to reach a wider audience.
“I think it’s ridiculous,” said Pratika Katiyar, a Northeastern University student and research assistant at Harvard’s Berkman Klein Center for Internet & Society. “There’s no need for Instagram to limit political content. That’s just driving users away from their platforms.”
Even before Instagram’s recent policy update, users alleged that their posts about the war in Gaza were being suppressed. Meta communications director Andy Stone chalked up these complaints to a “bug” that had “nothing to do with the subject matter” of the posts.
“I post a lot on my [Instagram] story about politics and the work I’m doing, and it’s becoming really, really hard,” Katiyar told TechCrunch. “There’s no way to get visibility anymore on Instagram, and now with the limiting of political content, I just fear that’s being compounded.”
These gripes have been so prevalent among creators that Instagram head Adam Mosseri addressed the issue on Threads.
“Before some of you say ‘the algorithm’ is the culprit, understand that ranking and recommendations *increase* the amount of posts people get to,” Mosseri wrote.
Lawmakers are adamant that this bill isn’t a ban. Rather, they say it’s forced divestiture of TikTok from its Chinese parent company. But ByteDance could have a hard time finding an American company that can afford to buy TikTok without raising antitrust concerns. Even if it does find a buyer, the Chinese government has the power to block a forced sale anyway.
All the while, President Biden’s reelection campaign is posting multiple TikToks per day, accumulating over 300,000 followers since creating the account in February.
“I’m even more surprised that Biden signed it into law,” TikTok creator Annie Silkaitis told TechCrunch. “I think it’s going to be such a hot topic this year, his campaign being on the app while he’s actively trying to ban it or force them to sell it. It just feels very hypocritical.”
An obstacle for Biden’s campaign
Biden’s decision to set up shop on TikTok makes sense: It’s a platform where more than 170 million Americans spend their time. This is especially true of younger voters, who are part of a key voting bloc with a historically low turnout. But Biden’s presence on the app, which he’s helping to ban, rubs users the wrong way.
“Being on TikTok is a brilliant campaign move, but I do think it’s a bit of a shot in the foot to take it away,” Mont said. “How do you come to terms with these two true things, that you’re banning TikTok and your campaign has had a lot of traction on TikTok?”
In any case, if TikTok does get banned, it won’t get removed from app stores until solidly after Election Day. Per the version of the bill that Biden signed, ByteDance has nine months to divest TikTok, with a 90-day possible extension. Plus, TikTok is expected to mount a substantial legal challenge against the legislation.
Biden’s stance on TikTok may still impact him in November, though.
“With TikTok being banned, that was one of the biggest news sources for Gen Z. It was a place where people felt like their voices were heard. And now that’s being taken away,” Katiyar said. “I think that’s concerning for how the election is going to turn out. And I do think people will hesitate to vote now… We feel like no one is really listening to our concerns right now.”
Voter turnout in the 18- to 29-year-old bloc is already expected to be lower in 2024 than 2020, a Harvard Youth Poll shows.
Not only does this move hurt Biden’s chance at securing the youth vote, but he’s also failing to capitalize on the power of the internet. Though the Biden campaign has been meeting with creators, the president’s organic reach could be limited if online activists feel complacent about his run.
Online momentum can shape an election. During the 2020 election cycle, for example, teens across the U.S. organized online for Senator Ed Markey (D-MA), dubbing themselves the “Markeyverse.” Most of them weren’t even eligible to vote in the Massachusetts Senate race, whether due to their age or residence, but supported the senator for his stance on curbing climate change. This network of Markey fan accounts helped propel the incumbent to victory over a formidable challenger, Representative Joe Kennedy III.
“Engaging young people online in a way that speaks to them gets them excited about political races that they might otherwise have not had any kind of stake in,” Mont said.
But TikTok users are unlikely to rally behind Biden in any way that’s reminiscent of the Markeyverse.
Some creators are frustrated about their lack of context for the TikTok ban. While the Senate has been party to closed-door briefings about TikTok’s threat to national security, very little information has been made apparent in public hearings. Those hearings have only served to show how little our legislators understand about the internet — last year, Representative Richard Hudson (R-NC) asked TikTok CEO Shou Zi Chew if TikTok accesses Wi-Fi.
“If President Biden went out today and said China is intentionally putting X-Y-Z on your TikTok feed, I’d be like, ‘Okay, thank you for telling me, that’s all I needed.’ But it’s all very like, ‘Oh, we don’t understand the algorithm.’ Well, we don’t understand a lot of algorithms!” Mont said. “My biggest gripe about all of this as a political content creator is like, how much data do Mark Zuckerberg and Elon Musk have access to?”
Creators likely won’t be getting any answers soon. For now, they’re locked in limbo.
“It’s something that I’m gonna probably be talking about every day until anything happens, which likely won’t be for another year or two, which is scary to think,” said Silkaitis. “How drawn out is this going to be?”
Biden signs bill that would ban TikTok if ByteDance fails to sell the app
