WazirX hacked but Liminal is to blame?
2024-07-27 • Mudit Gupta
Attackers stole about $230 million from WazirX after upgrading a 4-of-6 multisig wallet to a malicious implementation. The source argues the attack likely required three WazirX signer approvals and one Liminal signer, possibly through phished signatures, compromised signer laptops, or a compromised Liminal UI that showed benign transaction details while signing malicious data. The attackers rehearsed the contract upgrade eight days earlier, converted stolen assets into Ether through DEX services, used Tornado Cash-linked funding, and operated during a time window aligned with North Korean daytime. The author assesses the activity as very likely Lazarus-linked, but presents that attribution as an inference from behavior, timing, laundering, and the lack of ransom contact rather than confirmed evidence.
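
One defence against a signing UI that shows benign details over different data is for each signer to decode the raw payload independently and compare it with what was displayed. The sketch below is an added example, not code from the author, WazirX or Liminal. It assumes the displayed intent is an ERC-20 transfer; the dictionary field names and all addresses are constructed for illustration.

```python
# Added example: signer-side check that the raw payload matches what the UI displayed.
# Field names and all addresses are constructed for illustration.
ERC20_TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)

def decode_erc20_transfer(calldata: bytes):
    """Return (recipient, amount) only for a well-formed transfer(address,uint256)."""
    if len(calldata) != 68 or calldata[:4] != ERC20_TRANSFER:
        return None
    if any(calldata[4:16]):  # an ABI address is left-padded with 12 zero bytes
        return None
    return "0x" + calldata[16:36].hex(), int.from_bytes(calldata[36:68], "big")

def check_before_signing(displayed: dict, raw: dict) -> list:
    """List every way the raw transaction differs from the displayed intent."""
    problems = []
    if raw["to"].lower() != displayed["token"].lower():
        problems.append("call target is not the displayed token contract")
    if raw.get("value", 0) != 0:
        problems.append("unexpected native value attached")
    # raw["data"] is assumed to be a 0x-prefixed hex string.
    decoded = decode_erc20_transfer(bytes.fromhex(raw["data"][2:]))
    if decoded is None:
        problems.append("calldata is not an ERC-20 transfer")
        return problems
    recipient, amount = decoded
    if recipient != displayed["recipient"].lower():
        problems.append("recipient differs from displayed recipient")
    if amount != displayed["amount"]:
        problems.append("amount differs from displayed amount")
    return problems

def encode_transfer(recipient: str, amount: int) -> str:
    """Build transfer calldata for the constructed samples below."""
    return "0x" + ERC20_TRANSFER.hex() + recipient[2:].rjust(64, "0") + format(amount, "064x")

# Constructed sample data (not taken from the incident).
TOKEN, RECIPIENT, WALLET = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
DISPLAYED = {"token": TOKEN, "recipient": RECIPIENT, "amount": 1000}
MATCHING = {"to": TOKEN, "value": 0, "data": encode_transfer(RECIPIENT, 1000)}
# Same screen, different bytes: a call to the wallet itself with an unknown selector.
TAMPERED = {"to": WALLET, "value": 0, "data": "0x" + "deadbeef" + "44" * 32}

if __name__ == "__main__":
    for name, raw in (("matching", MATCHING), ("tampered", TAMPERED)):
        print(name, check_before_signing(DISPLAYED, raw) or "OK")
```

The check only helps if it runs on a device and code path separate from the UI being verified.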