In the world of cryptocurrency, hackers are akin to omnipotent forces. A faceless hacker from places like Hamhung or Ramnicu Valcea can wreak havoc on a system, causing disruptions as severe as natural disasters or pandemics. Traders who found their assets frozen at WazirX—an Indian crypto exchange recently targeted by a massive cyber heist—are now grappling with the harsh reality of overlooked terms and conditions.
The WazirX incident highlights a significant issue: many local crypto platforms classify a ‘cyber breach’ as a ‘force majeure’ event (or ‘Act of God’) in their terms of use, which most investors don’t read thoroughly. This classification can legally prevent traders from claiming lost assets in the event of a cyber attack.
The question now is whether a malware attack qualifies as a ‘force majeure’ event and if service providers can escape liability. According to N. S. Nappinai, a senior advocate at the Supreme Court, “In the opaque world of crypto, contracts are crucial. While a wide range of circumstances can be included in a force majeure clause, it doesn’t automatically shield parties from liability. They must demonstrate that all possible preventive and protective measures were taken.”
A WazirX spokesperson mentioned that cyber breaches are often categorized as force majeure events because these attacks are generally beyond the service provider’s control. On July 18, 2024, an attack on a WazirX crypto wallet managed by Liminal resulted in the theft of approximately USD 235 million (nearly Rs 2000 crore). The wallet was multi-signature, requiring approvals from both WazirX and Liminal. Ongoing investigations aim to pinpoint the breach and any possible oversights.
Despite claims of stringent security measures, the attacker—believed to be the North Korean Lazarus Group—managed to bypass these defenses. Other crypto exchanges agree that such attacks can be deemed force majeure if reasonable security measures were in place. Tushar Tarun, legal head at CoinDCX, notes, “Force majeure covers both ‘acts of God’ and ‘acts of people’. Its application will depend on the contract between the user and the exchange.”
However, the lack of regulatory standards for crypto exchanges in India leaves a gap in cybersecurity measures. Unlike countries with strict regulations or outright bans, India’s crypto sector is heavily taxed but lacks clear security guidelines. “If such a massive fraud occurred in a brokerage or stock exchange, it would spark significant outrage. The government’s indifference and traders’ reluctance to disclose tax evasion are concerning,” said an industry official.
Sangram Gayal from PwC’s Cyber Investigations team argues that a cyber breach should not be considered force majeure since financial institutions have a fiduciary duty to implement adequate cybersecurity measures. “Crypto exchanges lack the controls found in traditional banks, making them vulnerable to sophisticated attacks. There is limited recourse for victims in this ‘wild west’ of financial services,” Gayal added.
While central cyber police and surveillance bodies like I4C and CERT-In are investigating the WazirX fraud, their mandates may not cover remedies for force majeure cases. Nonetheless, their security and safety guidelines can help identify shortcomings, potentially challenging a force majeure defense. The Bharat Web3 Association (BWA) stated that its member firms are committed to following consumer protection guidelines and improving cybersecurity practices in light of such incidents.