Inside The $44 Mn CoinDCX Breach: Another Dark Day For Indian Crypto

SUMMARY

What exactly happened on July 19 that resulted in the CoinDCX heist where cryptocurrencies worth around $44.2 Mn were stolen by attackers and why did the company take so long to publicly acknowledge the breach?

The wallets where the attackers have parked the funds are now being watched by investigators for activity, which might make it easier for them to trace it, but there’s no guarantee that any funds will be recovered

A full investigation is now underway, involving cybersecurity firms like Sygnia, Seal911, and zeroShadow Cybertech, as well as India’s official cybersecurity response team, CERT-In

It was around 9 PM in India on July 19 (Saturday) when blockchain investigator ZachXBT took to social media to flag unusual outbound transfers involving wallet addresses associated with crypto exchange CoinDCX.

“Looks like the India centralised exchange ‘CoinDCX’ was likely drained for ~$44.2 Mn almost 17 hours ago and has yet to disclose the incident to the community,” he said in a message to his Telegram community. 

Someone was moving large volumes of Tether (USDT) and Solana (SOL) from CoinDCX-linked wallets via the Jupiter aggregator on Solana. These were then bridged to Ethereum via Wormhole routes, and later deposited into newly created Ethereum wallets.

Cryptocurrencies worth around $44.2 Mn (about INR 378 Cr), distributed across USDT, SOL and Ether (ETH), were stolen, and most of the funds currently remain dormant in two primary wallets. But it wasn’t until ZachXBT disclosed the details that CoinDCX CEO Sumit Gupta publicly addressed the heist on July 19.

After the high-profile $234 Mn WazirX heist, which is still unresolved to a large extent, the CoinDCX case is another wake-up call for India’s crypto ecosystem. However, CoinDCX said it suffered the loss from its operational treasury, and no investor or customer funds were impacted. 

The wallets where the attackers have parked the funds are now being watched by investigators for activity, which might make it easier for them to trace it, but there’s no guarantee that any funds will be recovered.

A full investigation is now underway, involving cybersecurity firms like Sygnia, Seal911, and zeroShadow Cybertech. India’s official cybersecurity response team, CERT-In, has also been brought in to help. The results of this investigation are expected to be shared publicly in August 2025. 

As part of its response, CoinDCX has launched what it claims is the largest Web3 bug bounty in India, offering up to 25% of any recovered assets, worth potentially around $11 Mn, as a reward to ethical hackers, bug bounty platforms, and security experts who assist in the recovery effort.

What Exactly Happened?

The breach, according to the company, was caused by the compromise of an internal account used to provide liquidity on a third-party platform.

This is concerning as CoinDCX plays a flagship role in India’s crypto space. With over 15 Mn registered users, and hundreds of millions of dollars in daily trading activity in digital assets, it is an important part of India’s crypto economy. 

“Our systems detected anomalous activity concerning an operational wallet. We swiftly isolated the compromised account and began forensics. Importantly, customer funds are unaffected. We are absorbing 100% of the loss from our treasury,” a CoinDCX spokesperson told Inc42.

According to the spokesperson, the company is coordinating with the Cyber Crime Division of the Karnataka State Police, CID, and other relevant departments. The company will be filing an FIR and conducting a thorough investigation in collaboration with international teams. 

The breach stemmed from the infiltration of an internal operational wallet, specifically, one used to provide liquidity to a partner exchange. This wallet was isolated from customer holdings and doesn’t form part of CoinDCX’s primary treasury management system that secures user deposits. 

However, attackers managed to access it and extract funds by exploiting unspecified server-side vulnerabilities, bypassing input controls and off-chain authentication processes.

Who’s To Blame?

With CoinDCX acknowledging the breach later that day, criticism emerged over its tardiness despite clear early signals from on-chain analysts.

“We made a conscious decision to focus first on fact-verification, containment, and customer protection. Immediate steps included freezing impacted services, isolating the breached account, and engaging global cyber forensic teams. Once we ensured zero risk to user assets, only then did we communicate publicly. We were advised not to disclose it to the public before the initial investigation,” the company claimed. 

According to the CoinDCX spokesperson, the company received the trigger around 3:30 AM to 4:00 AM on Saturday and was able to isolate the affected account after that.

For users, the most visible symptom was the temporary outage of CoinDCX’s APIs, which delayed transactions and created concern about possible wallet compromise. While deposits and withdrawals were technically operational, the rush of speculative withdrawals caused transaction bottlenecks, particularly in INR remittances.

This undoubtedly caused some panic, but CoinDCX did not suspend trading or fiat on-ramp/off-ramp functionality, which the company claims was a strategic choice to maintain platform trust. 

The INR withdrawals below INR 5 Lakh resumed within a 4-6-hour window after the breach was resolved, while higher-value withdrawals took longer but were processed within 72 hours. 

It is pertinent to note that despite the public uproar, CoinDCX was quick to allay user fears after confirming that no customer wallets or assets were impacted. 

How Much Does CoinDCX Lose?

According to the company, the breach strictly affected the platform’s internal trading fund, a liquidity provisioning treasury segregated from main balances. 

CoinDCX as of now has absorbed the loss without insurance backing or invoking emergency reserves. This move is estimated to cost nearly 7.6% of CoinDCX’s internal fund reserves, a setback the company states it is “financially strong enough to absorb.”

Notably, the company claims to have INR 10,000 Cr ($1.2 Bn) in assets under custody (AUC) with annualised group revenue of INR 1,179 Cr. In FY24, the company’s operating revenue stood at INR 391.7 Cr with INR 15.4 Cr in net profit. It is yet to file its FY25 numbers. 

Technically, CoinDCX experienced a server-side hack that targeted weak spots in its liquidity systems, which were actually hosted on a partner company’s infrastructure. 

The attacker used a crypto-washing platform called Tornado Cash to hide where the initial funds came from, making it harder for anyone to trace their actions early on. This is very typical of crypto heists, since Tornado Cash allows users to mix their crypto with that of other users and withdraw anonymously for a fee. 

Notably, the company didn’t spot the hack straight away. It was only when unusual trading activity on Solana was picked up by its internal alert system that the company realised something was wrong. 

Once the issue was discovered, CoinDCX froze the compromised wallet, applied security fixes to stop the attacker from moving deeper into its systems, and contacted third-party partners to prevent more money from being stolen. 

What Happens To CoinDCX?

Given the size of the heist and CoinDCX’s financial state, it’s unlikely that it will meet a similar fate as WazirX. The latter has faced liquidity freezes and user withdrawal halts, lessons that appear to have guided CoinDCX’s risk isolation architecture.

However, operations and active liquidity pools remain the weak link in large centralised digital asset platforms such as CoinDCX, WazirX or any other comparable exchange. In the absence of clear regulations, operational security is left to the platforms, resulting in weak cold wallet practices, a lack of transparency and no playbooks to respond to incidents. 

While a 30% capital gains tax on digital assets (plus 1% TDS) is already in force in India, there is no legal liability for exchanges. 

The CoinDCX breach may have cost $44 Mn and does not impact individual crypto investors directly, but a deeper conversation is required on whether crypto platforms are taking themselves seriously enough to be regulated.

If crypto exchanges want regulations — as they have called for several times — security issues need to be addressed. They need to have a clear plan for heists, hacks and other incidents that result in losses. This time, retail investors didn’t suffer a loss, but that will not always be the case.

Edited by Nikhil Subramaniam 
