CoinDCX Hit by $44M Hack – Internal Wallet Compromised, User Funds Safe

On July 19, 2025, CoinDCX, one of India’s largest cryptocurrency exchanges, suffered a security breach in which approximately $44 million was drained from an internal operational wallet. The stolen funds came entirely from company reserves; no customer assets were involved, and user wallets remain unaffected.

Severity Level: High

Incident Details

    • Date of breach: July 19, 2025 (Saturday evening)
    • Amount stolen: ~$44.2 million
    • Affected assets: Internal operational wallet (used for liquidity provisioning)
    • User impact: No user funds were compromised; customer assets are safe in cold storage
    • Response: CoinDCX isolated the wallet, paused related services, enhanced infrastructure, and engaged external cybersecurity partners.

    How The Breach Happened

    • CoinDCX has described the root cause only as a "sophisticated server breach" that gave the attacker access to an internal operational wallet; no further technical detail (initial access vector, how the wallet keys were held) has been published.
    • The attacker routed 1 ETH through Tornado Cash as the opening obfuscation step, then began moving the stolen funds across Solana and Ethereum.
    • Funds were routed through cross-chain bridges and mixers to break the trail, a laundering pattern consistent with earlier North Korean and DeFi exploits.

    Timeline Visualization

    Date/Time                   | Event
    July 19, 2025, 6:00 PM IST  | Unusual outflows from CoinDCX’s internal wallet detected
    July 19, 2025, 7:30 PM IST  | Transaction paths through Tornado Cash and bridges confirmed
    July 19, 2025, 9:00 PM IST  | Public disclosure by CEO Sumit Gupta on X
    July 19, 2025, 11:00 PM IST | All affected systems isolated; internal investigation launched
    July 20, 2025               | Services (portfolio APIs) restored with enhanced server capacity
    July 21, 2025               | Announcement of upcoming bug bounty program and continued fund tracing

    Threat Actor Profile (Preliminary)

    Attribution is currently unknown, but the use of Tornado Cash and cross-chain laundering resembles tactics used by:

    • North Korean APT groups (e.g., Lazarus Group)
    • Russian-speaking ransomware actors active in DeFi exploits

    No public claim or definitive technical attribution has yet been made.

    Lessons Learned

    • Operational wallets used for liquidity must be secured with the same rigor as custodial wallets, including multi-signature controls and strict access policies.
    • Server compromises can directly lead to crypto theft, making it essential to isolate cryptographic operations from general infrastructure using secure enclaves or HSMs.
    • Cross-chain bridges and mixers are critical laundering paths, and exchanges must implement real-time monitoring and anomaly detection for such activities.
    • Cold wallet segregation is a strong mitigation strategy, and maintaining user funds in cold storage protected CoinDCX users despite the operational breach.
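The real-time monitoring that the third lesson calls for, as an added example that is not CoinDCX's code or part of the original advisory: a baseline-driven monitor for an operational wallet that learns the wallet's normal counterparties and volumes, then flags outflows to unknown or denylisted destinations, unusually large single transfers, and bursts of outflow within a sliding window. Every address, amount and timestamp is constructed for illustration; the mixer and bridge entries are placeholders, not real contract addresses, and an operator would load that denylist from a sanctions or intelligence feed.

```python
"""
Added example (not CoinDCX's code): baseline-driven anomaly detection for an
exchange's operational (hot) wallet. All addresses, amounts and timestamps are
constructed; the mixer/bridge entries are placeholders, not real contracts.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Deque, Dict, List, Set

# Hypothetical denylist an operator would load from a sanctions/intel feed.
KNOWN_LAUNDERING_ENDPOINTS: Dict[str, str] = {
    "0xmixer0000000000000000000000000000000001": "mixer",
    "0xbridge000000000000000000000000000000002": "cross-chain bridge",
}

@dataclass
class Transfer:
    ts: datetime
    src: str
    dst: str
    asset: str
    usd: float

@dataclass
class Alert:
    rule: str
    transfer: Transfer
    detail: str

class HotWalletMonitor:
    """Flags outflows that deviate from the wallet's own liquidity-provisioning pattern."""

    def __init__(self, wallet: str, window: timedelta = timedelta(hours=1),
                 single_tx_multiple: float = 10.0, burst_multiple: float = 5.0) -> None:
        self.wallet = wallet.lower()
        self.window = window
        self.single_tx_multiple = single_tx_multiple
        self.burst_multiple = burst_multiple
        self.known_dsts: Set[str] = set()
        self.baseline_tx_usd = 0.0      # typical single outflow during the learning period
        self.baseline_window_usd = 0.0  # typical outflow total per hour during learning
        self.recent: Deque[Transfer] = deque()  # outflows inside the sliding window

    def learn(self, history: List[Transfer]) -> None:
        """Derive the baseline (counterparties, median tx size, median hourly total) from known-good outflows."""
        outflows = [t for t in history if t.src.lower() == self.wallet]
        buckets: Dict[datetime, float] = {}
        for t in outflows:
            self.known_dsts.add(t.dst.lower())
            hour = t.ts.replace(minute=0, second=0, microsecond=0)
            buckets[hour] = buckets.get(hour, 0.0) + t.usd
        self.baseline_tx_usd = median(t.usd for t in outflows)
        self.baseline_window_usd = median(buckets.values())

    def observe(self, t: Transfer) -> List[Alert]:
        """Evaluate one new transfer against the baseline; inflows are ignored."""
        if t.src.lower() != self.wallet:
            return []
        while self.recent and t.ts - self.recent[0].ts > self.window:  # slide the window
            self.recent.popleft()
        self.recent.append(t)
        alerts: List[Alert] = []
        dst = t.dst.lower()
        if dst in KNOWN_LAUNDERING_ENDPOINTS:
            alerts.append(Alert("denylisted_destination", t, f"destination labelled {KNOWN_LAUNDERING_ENDPOINTS[dst]}"))
        elif dst not in self.known_dsts:
            alerts.append(Alert("unknown_destination", t, "never seen during baseline"))
        if t.usd > self.single_tx_multiple * self.baseline_tx_usd:
            alerts.append(Alert("large_single_transfer", t, f"${t.usd:,.0f} vs baseline ${self.baseline_tx_usd:,.0f}"))
        window_total = sum(r.usd for r in self.recent)
        if window_total > self.burst_multiple * self.baseline_window_usd:
            alerts.append(Alert("burst_outflow", t, f"${window_total:,.0f} in window vs baseline ${self.baseline_window_usd:,.0f}"))
        return alerts

# Constructed placeholder addresses.
HOT_WALLET = "0xhotwallet00000000000000000000000000000000"
MARKET_MAKERS = ["0xmm0000000000000000000000000000000000000a", "0xmm0000000000000000000000000000000000000b"]
ATTACKER = "0xattacker000000000000000000000000000000000"

def build_baseline() -> List[Transfer]:
    """Constructed history: 24 hours of routine rebalancing, two $12,500 transfers per hour."""
    start = datetime(2025, 7, 1, 0, 0)
    return [Transfer(start + timedelta(hours=h, minutes=20 * i), HOT_WALLET, mm, "USDT", 12_500.0)
            for h in range(24) for i, mm in enumerate(MARKET_MAKERS)]

def run_demo() -> List[Alert]:
    """Replay a constructed drain sequence (probe tx, main drain, hop to a mixer) and return the alerts raised."""
    monitor = HotWalletMonitor(HOT_WALLET)
    monitor.learn(build_baseline())
    drain = [
        Transfer(datetime(2025, 7, 19, 17, 58), HOT_WALLET, ATTACKER, "ETH", 200.0),
        Transfer(datetime(2025, 7, 19, 18, 2), HOT_WALLET, ATTACKER, "ETH", 4_000_000.0),
        Transfer(datetime(2025, 7, 19, 18, 5), HOT_WALLET, list(KNOWN_LAUNDERING_ENDPOINTS)[0], "ETH", 500.0),
    ]
    alerts: List[Alert] = []
    for t in drain:
        alerts.extend(monitor.observe(t))
    return alerts

if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.transfer.ts:%H:%M} {a.rule:<24} {a.detail}")
```

The small probe transfer to a never-seen address is the earliest signal here and is what an exchange would want paged on, well before the volume rules trip; in production the window totals and the "known destination" set would be persisted and the denylist refreshed from a live feed.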

    Comparative Analysis (Crypto Hacks 2023–2025)

    Exchange      | Date   | Amount | Attack Vector                                                                            | User Funds Lost         | Attribution
    CoinDCX       | Jul-25 | $44M   | Server breach; internal liquidity wallet drained                                         | ❌ No                   | Unknown
    WazirX        | Jul-24 | $235M  | Multisig wallet compromise (signers tricked into approving a malicious contract upgrade) | ✅ Yes                  | North Korea (Lazarus Group) suspected
    Euler Finance | Mar-23 | $197M  | Flash loan + lending-contract logic exploit                                              | ✅ Yes (later returned) | Alleged lone actor
    KyberSwap     | Nov-23 | $48M   | Concentrated-liquidity pool contract exploit (KyberSwap Elastic)                         | ✅ Yes                  | Unknown

    Recommendations

    1. While CoinDCX stated that user funds in cold wallets were unaffected, keeping large assets in exchange wallets poses systemic risk. Store significant crypto holdings in hardware wallets (e.g., Ledger, Trezor). Use multi-signature wallets for institutional or high-value assets.
    2. Even if the exchange is secure, user-level authentication adds a layer of protection. Enable 2FA with authenticator apps (not SMS). Set withdrawal whitelists and verify all changes via email and device fingerprinting. Review API key access and disable unused keys.
    3. Early detection allows faster mitigation if a compromise begins. Set real-time transaction alerts via SMS/email. Use platforms like Etherscan, Solscan, or Nansen Portfolio to track wallet movements. Periodically download and audit your CoinDCX account statement.
    4. The stolen funds were laundered through cross-chain bridges and mixers after the operational wallet was drained; user accounts were not the attack path, but any balance left on an exchange is exposed to its operational risk. Avoid leaving funds in margin or derivative positions unless actively trading, and withdraw tokens you are not trading to personal wallets, especially wrapped assets.
    5. Timely action during incidents can prevent cascading losses. Follow @CoinDCX, @smtgpt, and @neerajKh_ on X (Twitter) for real-time updates. Act immediately if CoinDCX issues a temporary suspension or recall announcement. Join CoinDCX community or Telegram groups to stay in sync with ongoing issues.
    6. Be cautious of fake CoinDCX support messages or refund offers, and of scam airdrops that claim to recover lost funds.
    7. Never share your private key or seed phrase with anyone.
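The multi-signature and strict-access controls that Lesson 1 and Recommendation 1 call for, as an added example that is not CoinDCX's code or part of the original advisory: a pre-signing policy gate for an operational wallet that enforces a destination allowlist, a per-transfer cap, a rolling 24-hour cap, and 2-of-3 approval before a transaction is released to the signer. Approvals are simulated with per-approver HMAC keys so the example runs offline; in a real deployment they would be signatures from keys held in separate HSMs or hardware wallets, so that a compromised trading server holds at most one of the three. All names, keys, addresses and amounts are constructed for illustration.

```python
"""
Added example (not CoinDCX's code): a pre-signing policy gate for an operational
wallet with allowlisting, per-transfer and rolling 24h caps, and 2-of-3 approval.
Approvals are HMAC tags (offline stand-in for HSM/hardware-wallet signatures).
All names, keys, addresses and amounts are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class TransferRequest:
    req_id: str
    dst: str
    asset: str
    usd: float
    ts: datetime

    def canonical(self) -> bytes:
        """Deterministic bytes every approver commits to, binding an approval to this request only."""
        return json.dumps({"id": self.req_id, "dst": self.dst.lower(), "asset": self.asset,
                           "usd": self.usd, "ts": self.ts.isoformat()}, sort_keys=True).encode()

Approval = Tuple[str, str]  # (approver name, hex tag over the canonical request)

class Approver:
    """Stands in for a cosigner whose key never lives on the trading server."""
    def __init__(self, name: str, key: bytes) -> None:
        self.name, self.key = name, key  # HMAC: verifier shares the key; real signatures would use public keys
    def approve(self, req: TransferRequest) -> Approval:
        return self.name, hmac.new(self.key, req.canonical(), hashlib.sha256).hexdigest()

class TransferPolicy:
    def __init__(self, allowlist: Set[str], approver_keys: Dict[str, bytes], threshold: int = 2,
                 per_tx_cap_usd: float = 250_000.0, daily_cap_usd: float = 500_000.0) -> None:
        self.allowlist = {a.lower() for a in allowlist}
        self.approver_keys = approver_keys
        self.threshold = threshold
        self.per_tx_cap_usd = per_tx_cap_usd
        self.daily_cap_usd = daily_cap_usd
        self.released: List[TransferRequest] = []

    def _released_last_24h(self, now: datetime) -> float:
        return sum(r.usd for r in self.released if now - r.ts < timedelta(hours=24))

    def evaluate(self, req: TransferRequest, approvals: List[Approval]) -> Tuple[bool, str]:
        """Return (released, reason). Structural checks run before approvals are counted."""
        if req.dst.lower() not in self.allowlist:
            return False, "destination not allowlisted"
        if req.usd > self.per_tx_cap_usd:
            return False, "exceeds per-transfer cap"
        if self._released_last_24h(req.ts) + req.usd > self.daily_cap_usd:
            return False, "exceeds rolling 24h cap"
        valid: Set[str] = set()  # a set, so one approver cannot be counted twice
        for name, tag in approvals:
            key = self.approver_keys.get(name)
            if key is None:
                continue
            expected = hmac.new(key, req.canonical(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tag):
                valid.add(name)
        if len(valid) < self.threshold:
            return False, f"{len(valid)} of {self.threshold} valid approvals"
        self.released.append(req)
        return True, "released for signing"

MARKET_MAKER = "0xmm0000000000000000000000000000000000000a"  # constructed
ATTACKER = "0xattacker000000000000000000000000000000000"     # constructed

def run_demo() -> List[Tuple[str, bool, str]]:
    """Constructed scenarios: what a compromised trading server can and cannot push through."""
    server = Approver("trading-server", b"constructed-server-key")
    risk = Approver("risk-officer", b"constructed-risk-key")
    treasury = Approver("treasury-hsm", b"constructed-treasury-key")
    policy = TransferPolicy({MARKET_MAKER}, {a.name: a.key for a in (server, risk, treasury)})
    t0 = datetime(2025, 7, 19, 18, 0)
    results: List[Tuple[str, bool, str]] = []
    def run(label: str, req: TransferRequest, approvals: List[Approval]) -> None:
        ok, why = policy.evaluate(req, approvals)
        results.append((label, ok, why))
    routine = TransferRequest("r1", MARKET_MAKER, "USDT", 100_000.0, t0)
    risk_approval_r1 = risk.approve(routine)
    run("routine", routine, [server.approve(routine), risk_approval_r1])
    theft = TransferRequest("r2", ATTACKER, "ETH", 200_000.0, t0 + timedelta(minutes=1))
    run("unlisted_destination", theft, [server.approve(theft)])
    r3 = TransferRequest("r3", MARKET_MAKER, "ETH", 200_000.0, t0 + timedelta(minutes=2))
    run("server_key_only", r3, [server.approve(r3)])
    run("forged_second_approval", r3, [server.approve(r3), ("risk-officer", "00" * 32)])
    run("replayed_approval", r3, [server.approve(r3), risk_approval_r1])  # tag is bound to r1, not r3
    big = TransferRequest("r4", MARKET_MAKER, "ETH", 300_000.0, t0 + timedelta(minutes=3))
    run("over_per_transfer_cap", big, [server.approve(big), risk.approve(big)])
    for i in range(3):  # genuine approvals, but cumulative volume hits the 24h cap
        r = TransferRequest(f"v{i}", MARKET_MAKER, "ETH", 200_000.0, t0 + timedelta(minutes=10 + i))
        run(f"velocity_{i}", r, [server.approve(r), treasury.approve(r)])
    return results

if __name__ == "__main__":
    for label, ok, why in run_demo():
        print(f"{'RELEASED' if ok else 'BLOCKED':8} {label:<24} {why}")
```

The point of the scenarios is that stealing the trading server's key alone buys the attacker nothing: a non-allowlisted destination is refused before approvals are even counted, a forged or replayed second approval does not verify because each tag is bound to one canonical request, and even with two genuine cosigners the velocity cap bounds the loss from a single bad day.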

    Source:

    • https://www.goodreturns.in/news/coindcx-hacked-for-44-million-major-crypto-exchange-suffers-security-breach-what-we-know-so-far-1443879.html
    • https://x.com/neerajKh_/status/1946598377019646038
    • https://x.com/smtgpt/status/1946597988660645900

    Ampcus Cyber