Plea In Delhi HC Against WazirX For Equalizing Funds To Mitigate Losses Due To Hacked Servers

Synopsis

On July 17, 2024, a multi-signatory wallet server belonging to WazirX, which held the digital assets and cryptocurrency of investors, was compromised, resulting in a loss of INR 1,900 crores. A petition was subsequently filed regarding WazirX's measures to address the losses, which involved distributing the remaining funds equally among all investors, including both those affected and those unaffected by the incident. The petition asserted that such a distribution was (a) in violation of the user agreement and (b) detrimental to the interests of investors whose funds had remained unaffected.

On October 18, the Delhi High Court heard a petition from investor Jaivir Bains, who sought action against WazirX for merging funds to compensate for losses experienced by certain investors following a hacking incident involving the company's multi-signatory wallet server, which led to the misappropriation of INR 1,900 crores. The bench of Justice Sanjeev Narula presided over the matter. 

The petition, filed through Advocate Ankit Bhatia, claimed that WazirX was hacked in July 2024, resulting in the loss of INR 1,900 crores belonging to Indian investors. The company subsequently decided to mitigate the losses by merging the affected and unaffected funds, aiming to equalize them to ensure that no investor suffered a financial loss due to the incident.

WazirX, along with its associated exchange, was registered with the Financial Intelligence Unit (FIU), which was responsible for regulatory oversight; however, such regulation appeared inadequate. The petition also revealed that the stolen funds had been transferred to Singapore, raising concerns that they might not be recovered without a proper investigation, as no alternative recovery mechanisms were available.

The petitioner had reached out to the relevant authority, but no action was taken. The petitioner alleged that he was verbally informed that the matter would not be pursued due to the involvement of 'IAS officers in the government'.

The petitioner claimed that when he attempted to withdraw funds, the company cited FIU guidelines as the reason for rejecting the requests. Later, the petitioner learned of the hack through a whistleblower and made another withdrawal attempt, which was again denied, with the company referring to an updated user agreement.

The hacking incident, acknowledged by WazirX, was attributed to an international entity that breached the servers hosting the digital assets. In response, the company opted to distribute the unhacked funds among all users, including those affected by the breach. The petitioner contended that this approach adversely affected investors whose funds had not been compromised. 

The petitioner argued that without a formal investigation, the funds would be permanently lost. The court sought to clarify the involvement of state authorities in what was essentially a private dispute. The petitioner responded that state bodies, such as the FIU, were tasked with regulating the entities concerned.

The court acknowledged the reported crime and directed the police to investigate, specifying that any legal proceedings against WazirX would be a civil matter. The petitioner further contended that the FIU and Enforcement Directorate (ED) should examine whether the hacking incident was externally orchestrated or self-inflicted.

The court remarked that requesting an FIU investigation was a significant step and questioned the basis for the allegations, noting that mere suspicion was insufficient to justify court orders. It instructed the police to proceed with the investigation and involve the FIU if evidence emerged.

Regarding regulatory breaches, the petitioner highlighted WazirX's practice of merging hacked and unhacked funds for equalization. The court determined that this was a civil issue, advising the petitioner to review the user agreement's terms governing withdrawals. It stated that regulatory authorities could only intervene upon the presentation of evidence indicating regulatory violations.

The court concluded that resolving the matter would effectively constitute the creation of new legislation, which was beyond its purview. 

In its order, the court noted the petitioner's investment of INR 22 lakh in WazirX, which marketed itself as India's most compliant exchange. The petitioner learned of the hack on July 18, 2024, which resulted in the misappropriation of INR 1,967.52 crores. Allegations that the hack was self-inflicted were raised, with the petitioner alleging that the ED and FIU had failed to take adequate preventive measures. The company’s strategy to distribute the funds equally among all investors, including those affected, was argued to contravene the user agreement and disadvantage unaffected investors.

The court concluded that such grievances should be pursued in a civil court rather than through a writ petition. Although the petitioner’s suspicion of a self-inflicted hack could justify regulatory intervention, there was no prima facie evidence to compel action by the FIU or ED. However, the court directed the Assistant Commissioner of Police to investigate the complaint.

Advocate for Petitioner: Advocate Ankit Bhatia
Case Title: Jaivir Bains v Financial Intelligence Unit & Ors. (W.P.(C)-14571/2024)