Exactly one year ago, on July 18, 2024, India’s largest and once most trusted crypto exchange, WazirX, was hacked. Over Rs 2,000 crore worth of user assets vanished in a matter of hours.
While investigations have dragged on, and regulators and the company itself have remained mostly silent, a much larger and deeper issue has been overlooked: the blatant disregard for Singapore’s financial laws by WazirX’s parent company, Zettai Pte Ltd.
This report is an exclusive collaboration between The Crypto Times and Toofaan Army (Romy Johnson), bringing forward in-depth research, legal records, and insights compiled over the past year since the WazirX hack.
Tomorrow, July 15, 2025, the Singapore High Court will hold a critical hearing under case number HC/SUM 940/2025.
This isn’t just another procedural matter; it is set to answer serious questions:
- How did Zettai Pte Ltd operate as a Digital Payment Token Service Provider (DPTSP) in Singapore without ever securing a license?
- Why did Singapore’s Monetary Authority (MAS) fail to intervene even though Singapore’s Payment Services Act 2019 made licensing mandatory in January 2020?
- Why have Singapore’s strict crypto regulatory frameworks not been enforced in this high-profile, globally watched case?
To understand the gravity of this, let’s revisit the rules Singapore has laid out. Under the Payment Services Act 2019 and its 2023 amendments, licensed DPTSPs must:
- Segregate and safeguard customer assets in custody accounts.
- Maintain independent custody functions that are operationally separate from other business units.
- Ensure that no customer assets are commingled with company assets.
- Maintain proper daily reconciliations and real-time reporting to customers.
- Provide clear disclosures on how assets are held, potential risks, and insolvency consequences.
- Never transfer user assets without explicit, prior written instructions.
These are not recommendations, they are law. Yet Zettai Pte Ltd, which ran WazirX’s backend operations, never held a license, nor did it follow these rules.
WazirX Promised ‘Your Assets.’ Singapore Law Says the Same.
In the days following the hack, WazirX’s official blog post dated July 21, 2024, titled “Important Update: Cyber Attack Incident and Measures to Protect Your Assets,” stated:
“We are reaching out to update you on the recent cyber attack theft that has severely impacted WazirX. The safety and security of your assets always remain our top priority.”
The blog explicitly called the assets stolen “user assets.” That’s legally significant. Singapore’s High Court ruling in Re Taylor & Eqonex Capital Ltd (June 2025) established a crucial precedent: unless users explicitly transfer title, crypto assets held in custodial wallets belong to the users, not the exchange.
Justice Aedit Abdullah ruled in Re Taylor:
- Custody does not mean ownership.
- Users retain full ownership rights unless a transfer of title is documented.
- Exchanges cannot restructure, liquidate, or touch user assets to settle their own debts unless explicitly stated.
WazirX’s own user agreement mirrors this. It clearly mentions: “WazirX acts as an agent working on the instructions of the user.” In plain words, WazirX is a middleman, a custodian, not the owner of the crypto held in user wallets.
Despite all this, post-hack restructuring saw Zettai rebalancing tokens without user consent and without any court order. Worse, court records and investigative reports show that Zettai may have used user assets to cover company debts.
If proven, this would be one of the most blatant violations of Singapore’s Payment Services Act and common law principles on custodial responsibility.
From Singapore to Panama: The Real Reason Zettai Moved
In June 2025, Toofaan Army revealed one of the most explosive facts in this entire saga: Zettai Pte Ltd quietly established a Panama shell entity named Zensui.
Why transfer to Panama? Because Singaporean courts had just ruled in Re Taylor, making it impossible for Zettai to legally touch user funds. Panama, lacking equivalent crypto custody regulations, became the escape route.
Documents show Kroll, hired by WazirX for fund recovery, was allegedly involved in orchestrating this move. Instead of focusing on recovering stolen assets for users, Kroll allegedly assisted Zettai in setting up offshore structures to sidestep Singaporean law.
This is not mere speculation. On June 20, 2025, the Toofaan Army reported: “The Real Reason Why #WazirX Ran to Panama? Exposing Kroll’s Dirty Tricks.” The report detailed how Kroll’s involvement was not just about investigation, but creating legal detours.
Singapore law made it clear: user funds in custody remain user property. Panama offered Zettai a way to muddy those waters.
MAS Rules Were Crystal Clear—Why Weren’t They Enforced?
Singapore’s MAS isn’t known for regulatory laxity. MAS introduced major amendments to the Payment Services Regulations in 2023, specifically because of global concerns about crypto exchanges mismanaging user funds.
Under Regulation 16C and 16D:
- All customer assets must be deposited in custody accounts held on trust.
- Customer assets must not be used to pay off company debts.
- Transfers of user assets require explicit customer instructions.
- Daily reconciliations and full transparency with users are mandatory.
Zettai did none of this. What’s worse, it never even applied for a Digital Payment Token Service Provider (DTSP) license. This wasn’t a grey area. This was black-and-white illegal.
Even Rajah & Tann, Singapore’s leading law firm, pointed this out in their August 2023 publication on MAS’s regulatory updates. Yet, here we are, in July 2025, and Zettai still hasn’t been held fully accountable.
How Much Money is Actually Involved?
WazirX officially claims that over $230 million was hacked. But what they’ve never disclosed—neither to the court nor users- is the exact figure of the company’s profits they keep calling “under dispute.”
Insider reports, transaction records, and whistleblower data reviewed independently suggest that over $400 million in company profits are actually under dispute. Yet WazirX has never publicly disclosed or confirmed the exact figure.
The Crypto Times and Romy both reached out to WazirX for an official comment regarding this amount, but so far, there has been no response or official clarification from the company.
That so-called dispute seems less like a legal matter and more like a cover to shield undisclosed earnings and founder wealth. Fund transfers worth ₹342 crore to companies owned by Nischal Shetty and his spouse, Moujhari Guha, have already surfaced.
A key figure: around Rs 1,000 crore in transactions have been linked directly to entities controlled by Nischal Shetty and his close family members. These are documented in court filings and internal accounting ledgers now part of the Singapore court case.
One particularly damning detail: Zanmai Labs, listed as the operational entity in India, shows zero employees on record while allegedly controlling exchange operations. That in itself is another red flag that regulatory bodies have so far overlooked.
Tomorrow’s Court Hearing: Singapore’s Moment of Truth
On July 15, 2025, at 7:30 AM IST (10:00 AM SGT), the Singapore High Court is set to hear further arguments in HC/SUM 940/2025. The hearing could stretch into July 16, as a reserve date has been set.
The court will examine several core issues:
- Was Zettai Pte Ltd unlawfully operating as a DPT service provider in Singapore before June 30, 2025?
- Did Zettai misuse user assets to cover company debts in violation of both MAS regulations and Singapore’s fiduciary laws?
- Did MAS fail in its duty to enforce its own licensing and regulatory requirements?
Toofaan Army has issued a clear statement ahead of the hearing: “While Zettai Pte Ltd may attempt to claim it was not in breach of the Financial Services and Markets Act prior to 30 June 2025, it is clear that it was unlawfully conducting Digital Payment Token (DPT) services without a license under the Payment Services Act 2019.”
Final Nail: Negligence, Hidden Wallet Signers, and Unanswered Questions
Adding to the already damning facts, Cybersecurity and Forensic Analysis Expert Nabil Salih has highlighted an alarming detail that WazirX has never officially addressed. The custodial wallet from which $230 million was drained was controlled by six authorized signatories, including representatives from Liminal.
Crucially, only four of these six signers were needed to approve any transaction. As Nabil bluntly put it, “It’s evident that four of them signed these transactions intentionally, or it’s utter negligence by the company, and this cannot be considered as a force majeure event.”
To date, WazirX has refused to disclose who these six individuals are. The identities of the people holding the keys to the wallet remain hidden, shielding them from personal liability. But make no mistake, this silence is strategic. If WazirX were to reveal those names, the legal game would shift instantly.
Individuals could be held directly accountable. Founders, linked entities, and associated assets could all be dragged under liquidation proceedings. This is why, as legal experts argue, targeting only the company isn’t enough. Going after the people involved is the real way to bring justice.
Further strengthening this argument, Nabil also established that the 240,000 wallet addresses published in Nischal Shetty’s fourth affidavit can be traced back to individual users.
These are unique deposit wallets clearly belonging to WazirX users, which proves beyond any reasonable doubt that WazirX was merely acting as a custodian, not an owner, of user assets.
This forensic insight aligns perfectly with blockchain entrepreneur Romy Johnson’s affidavit submitted in the Honourable High Court of Singapore.
On page 13/45A, it states: Nischal Shetty’s affidavit fails to explain why internal multisig controls, used to facilitate the July 2024 token drain, should qualify as a force majeure event.
This violates the standard in Glahe International v Yap Chwee Hock [1999] 3 SLR(R) 923, where the court held that force majeure cannot apply where the event was internally foreseeable or caused by the party’s own negligence.
Also Alliance Concrete Singapore Pte Ltd v Sato Kogyo (S) Pte Ltd [2014] 3 SLR 857, confirming that internal control failure does not excuse performance.
Even respected blockchain investigator TruthLabs, known as @BoringSleuth, weighed in sharply:
“To date, @WazirXIndia and its founders have done nothing outside of immensely harming their customers, locking them out of their Web3 and Crypto future, while they hide behind words and not actions.”
The pattern is unmistakable: negligence disguised as accident, secrecy disguised as compliance. If WazirX ever discloses who exactly held the keys to that hacked wallet, it’s Game Over—not just for WazirX, but for everyone tied to it.
Why This Case Matters Globally
This isn’t just about WazirX or Indian crypto investors. This case is about the credibility of Singapore as one of the world’s leading crypto jurisdictions.
If a company like Zettai can operate without a license, hold hundreds of millions in user funds, move assets offshore, and avoid legal repercussions for over five years, what message does that send to the global crypto community?
One year after India’s largest crypto hack, there are still no clear answers for users. No recovered funds. No proper accounting. No accountability.
But tomorrow’s hearing could change that.
The world will be watching the Singapore High Court on July 15, 2025. It’s not just a legal matter. It’s about trust in the financial system, in regulations, and in the promise that user rights matter.
Because if Singapore doesn’t enforce its own laws in a case as open-and-shut as WazirX, then truly, where is the line drawn?
Every crypto investor deserves clarity, protection, and justice. It’s time Singapore proves it still stands for all three.
Also Read: WazirX Under FIU Probe Again Over Alleged Terror Crypto Links
