In the murky world of cryptocurrencies, faceless hackers like Hamun or Ramnik Balcea are unconquerable Lucifers. When such cyber bad guys get in and cripple your systems, it’s a disaster as unstoppable as an earthquake or a pandemic. Traders whose coins and funds were frozen at WazirX, an Indian cryptocurrency exchange that was recently hit by a major cyber heist, discovered this from the fine print of terms of use that they had previously ignored. What has been noted in the wake of the WazirX debacle is that unlike banks and stock exchanges, most local cryptocurrency platforms classify “cyber breaches” as “force majeure” (or “acts of God”) events in their “terms of use” that are rarely read by investors who sign in to open accounts. But for traders, the “force majeure” clause could legally close the door to claiming lost assets after such a disaster.
When does a Force Majeure Event occur?
As countless cyberattacks continue to occur, the incident also raises a larger question: can a malware attack be classified as a “force majeure” event, and if so when, and can service providers avoid liability?
According to NS Napinai, senior advocate of the Supreme Court, “In the opaque world of cryptocurrency, contracts are king. Terms are invariably written into standard contracts and are non-negotiable. It is standard practice to include various circumstances in force majeure, but the same is limited by circumstances beyond the offeror’s control. Any outcome beyond the offeror’s control may be included in force majeure, but it does not automatically protect the parties from liability.”
“Parties will need to prove that all foreseeable precautions and safeguards were taken to mitigate the risks. Disclaimers cannot be treated as waiver of liability,” said Napinai, who founded Cyber Thirty, an organisation focused on cyber law and remedies.
A WazirX spokesperson said most virtual digital asset service providers and some stock brokers treat cyber breaches as force majeure events, as cyber attacks are often beyond the service provider’s reasonable control.
On July 18, 2024, an attack on the WazirX crypto wallet managed by digital custody provider Liminal led to the theft of assets worth approximately $235 million (approximately Rs 200 crore). It was a multi-sig wallet, meaning multiple signatures (WazirX and Liminal) were required to approve a transaction. The ongoing investigation may identify points of compromise and inadequacies.
WazirX officials claimed the platform follows “strict security measures” and that Liminal provides “advanced security infrastructure.” Nevertheless, the attackers, suspected to be the North Korea-based Lazarus group, managed to circumvent the security layers, the officials said.
Rival crypto exchanges agree that if a platform suffers a third-party malware attack, it can be justified as force majeure if reasonable security measures are in place. “The concept of force majeure includes both ‘acts of God’ and ‘man-made disasters.’ Force majeure is regulated by the contracts concluded between users and the exchange,” said Tushar Tarun, head of legal affairs at CoinDCX, one of the largest exchanges.
Regulatory Vacuum
But in a regulatory vacuum, there are no cybersecurity measures laid down by any regulator or central authority for crypto exchanges to follow. In India, crypto is neither banned (as in China and Bangladesh) nor allowed with restrictions (as in the US, UK and UAE). But crypto transactions and profits are heavily taxed and exchanges have been directed to comply with money laundering regulations. “If a Rs 2,000 crore fraud had happened at a brokerage or stock exchange, there would have been a big uproar. Here, the government doesn’t seem to care, and traders who have evaded taxes or moved funds will not speak up,” said an industry source.
Sangram Gayal, head of PwC’s cyber investigations practice, believes cyber breaches are not unavoidable as it is the fiduciary responsibility of financial services organizations to implement proper cybersecurity measures. “You have to wonder whether crypto exchanges have bank-like controls in place. Without proper controls in place, sophisticated attackers can commit serious fraud. Crypto is a lawless zone in financial services…Unfortunately, victimized parties have limited recourse,” Gayal said.
What will be the course of action for central cyber police and watchdog agencies such as I4C and CERT-In, which are tracking the WazirX scam? “While the mandate of I4C and CERT-In may not extend to providing relief to victims who are left without recourse in cases of force majeure, the security and safety measures mandated by these organisations can certainly be relied upon to point out deficiencies, if any, in the organisation, negating the force majeure defence,” said Napinai, the lawyer.
A spokesperson for industry group Bharat Web3 Association (BWA) said its members (cryptocurrency exchanges) have agreed to follow guidelines on consumer protection and token listing. “Our member companies adhere to cybersecurity best practices, and we are all committed to learning from and strengthening our efforts in wake of incidents like this,” the BWA said.