In crypto world, the hacker is God
When a cyber villain affects a system, it's as unstoppable as an earthquake or pandemic. Traders, for example, who have had their cryptocurrencies and funds locked on WazirX due to a recent cyberattack are now facing the consequences. Due to these...

What is coming to the fore in the wake of the WazirX fiasco is that, unlike banks or stock exchanges, most local crypto platforms categorise ‘cyber breach’ as a ‘force majeure’ event (or an ‘Act of God’) in their ‘terms of use’, which investors signing in to open accounts rarely read. For traders, however, a ‘force majeure’ clause may legally shut the doors for claiming lost assets after such a disaster.
When is it a Force Majeure event?
Amid countless cyberattacks, the incident has also raised a bigger question: can a malware attack be classified as a ‘force majeure’ event and, if so, when? And can a service provider escape liability?
According to Supreme Court senior advocate N. S. Nappinai, “In the opaque world of crypto, contract is king. The terms are invariably captured in standard form contracts and not negotiated. Including a wide array of circumstances in a force majeure is standard practice but the same is ring fenced by those circumstances which are beyond the control of the offeror. Whilst any outcome beyond the control of the offeror may be included in a force majeure it will not automatically protect the party from liability.”

A WazirX spokesperson said that most virtual digital asset service providers and some of the stock brokers include cyber breach as a force majeure event because such attacks are often beyond reasonable control of the service provider.
About $235 million (nearly Rs 2,000 crore) worth of assets were stolen on July 18, 2024, following an attack on a WazirX crypto wallet managed by Liminal, a digital custody provider. It was a multi-sig wallet, requiring multiple signatures (of WazirX and Liminal) to approve a transaction. Ongoing investigations may identify the point of breach and lapses.
The WazirX official claimed the platform followed “stringent security measures” and Liminal provided “advanced security infrastructure”. Despite this, the attacker, speculated to be the North Korea-based Lazarus group, circumvented the security layers, said the person.
Regulatory Void
Sangram Gayal, who leads the Cyber investigations practice at PwC, believes there is nothing force majeure about a cyber breach, as it is the fiduciary duty of a financial services organisation to implement adequate cyber security measures. “One should question whether crypto exchanges have controls like those of banks. In the absence of adequate controls, a sophisticated attacker can pull off a serious fraud. Cryptos are the wild west of financial services … Unfortunately, there is limited recourse for the affected parties,” said Gayal.
What would be the course of action of central cyber police and surveillance bodies like I4C and CERT-In, who are tracking the fraud at WazirX? “The mandate of I4C and CERT-In may not extend to providing succour to victims deprived of remedies in case of force majeure but the security and safety measures mandated by these organisations can certainly be relied upon to point out shortfalls if any by the organisation, which will negate a force majeure defence,” said advocate Nappinai.
A spokesperson for the industry body Bharat Web3 Association (BWA) said its members (the crypto exchanges) have agreed to follow the guidelines on consumer protection and token listing. “Our member firms adhere to best practices in cyber security. All of us are committed to learning from such incidents and using them as a catalyst to strengthen our initiatives,” said BWA.