On July 19, 2025, CoinDCX, one of India’s leading cryptocurrency exchanges, suffered a security breach where approximately $44 million was stolen from its internal operational wallet. The compromised funds came entirely from company reserves, not user funds, and customer wallets remain unaffected and secure.
Severity Level: High
Incident Details
- Date of breach: July 19, 2025 (Saturday evening)
- Amount stolen: ~$44.2 million
- Affected assets: Internal operational wallet (used for liquidity provisioning)
- User impact: No user funds were compromised; customer assets are safe in cold storage
- Response: CoinDCX isolated the wallet, paused related services, enhanced infrastructure, and engaged external cybersecurity partners.
How The Breach Happened
- A sophisticated server breach allowed unauthorized access to an internal wallet.
- The attacker moved 1 ETH through Tornado Cash to initiate obfuscation and launched fund movements across Solana and Ethereum.
- Funds were routed via cross-chain bridges and mixers to cover traces – a tactic aligned with advanced laundering strategies seen in previous North Korean and DeFi exploits.
Timeline Visualization
| Date/Time | Event |
|---|---|
| July 19, 2025, 6:00 PM IST | Unusual outflows from CoinDCX’s internal wallet detected |
| July 19, 2025, 7:30 PM IST | Transaction paths through Tornado Cash and bridges confirmed |
| July 19, 2025, 9:00 PM IST | Public disclosure by CEO Sumit Gupta on X |
| July 19, 2025, 11:00 PM IST | All affected systems isolated; internal investigation launched |
| July 20, 2025 | Services (portfolio APIs) restored with enhanced server capacity |
| July 21, 2025 | Announcement of upcoming bug bounty program and continued fund tracing |
Threat Actor Profile (Preliminary)
Attribution is currently unknown, but the use of Tornado Cash and cross-chain laundering resembles tactics used by:
- North Korean APT groups (e.g., Lazarus Group)
- Russian-speaking ransomware actors active in DeFi exploits
No public claim or definitive technical attribution has yet been made.
Lessons Learned
- Operational wallets used for liquidity must be secured with the same rigor as custodial wallets, including multi-signature controls and strict access policies.
- Server compromises can directly lead to crypto theft, making it essential to isolate cryptographic operations from general infrastructure using secure enclaves or HSMs.
- Cross-chain bridges and mixers are critical laundering paths, and exchanges must implement real-time monitoring and anomaly detection for such activities.
- Cold wallet segregation is a strong mitigation strategy, and maintaining user funds in cold storage protected CoinDCX users despite the operational breach.
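The monitoring and anomaly-detection point above is easiest to see in code. The following is an added example, not CoinDCX's tooling or anything from the cited sources: it replays a constructed stream of outflows from a hypothetical liquidity wallet and raises alerts on three independent signals (destination on a mixer/bridge watchlist, single-transfer size far above the wallet's own baseline, and cumulative outflow velocity inside a sliding window). The wallet name, the transfer amounts and every address, including the watchlist entries, are placeholders constructed for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

IST = timezone(timedelta(hours=5, minutes=30))

# Constructed watchlist. The keys are PLACEHOLDERS for mixer and bridge contract
# addresses an exchange would load from its screening provider; they are not real.
WATCHLIST = {
    "0xMIXER_PLACEHOLDER": "mixer",
    "0xBRIDGE_PLACEHOLDER": "cross-chain bridge",
}


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    wallet: str   # internal wallet the funds left
    to: str       # destination address
    usd: float    # USD value at the time of the transfer


@dataclass(frozen=True)
class Alert:
    transfer: Transfer
    kind: str     # "watchlist", "size" or "velocity"
    detail: str


def detect_anomalies(transfers, window=timedelta(minutes=30), z_threshold=3.0,
                     window_usd_limit=1_000_000.0, min_baseline=5):
    """Replay outflows in time order and raise alerts on three independent signals:
    1. watchlist: destination is a known mixer or bridge
    2. size: one transfer is far above the wallet's historical mean (z-score)
    3. velocity: cumulative outflow inside a sliding window exceeds a hard limit
    Each wallet is scored against its own history only, so a normally quiet
    liquidity wallet emptying out stands out even on a busy exchange."""
    alerts = []
    seen = defaultdict(list)  # wallet -> [(ts, usd)] of transfers already replayed
    for t in sorted(transfers, key=lambda x: x.ts):
        history = seen[t.wallet]
        if t.to in WATCHLIST:
            alerts.append(Alert(t, "watchlist", f"destination is a known {WATCHLIST[t.to]}"))
        if len(history) >= min_baseline:
            amounts = [usd for _, usd in history]
            mu, sigma = mean(amounts), pstdev(amounts)
            if sigma > 0:
                z = (t.usd - mu) / sigma
                if z > z_threshold:
                    alerts.append(Alert(t, "size",
                                        f"{t.usd:,.0f} USD is {z:.1f} sd above baseline {mu:,.0f} USD"))
        # velocity counts this transfer plus everything in the trailing window
        recent = t.usd + sum(usd for ts, usd in history if t.ts - ts <= window)
        if recent > window_usd_limit:
            alerts.append(Alert(t, "velocity", f"{recent:,.0f} USD left the wallet within {window}"))
        history.append((t.ts, t.usd))
    return alerts


def run_demo():
    """Constructed sample: a day of routine liquidity top-ups, then a burst of large
    outflows to a fresh address and to watchlisted contracts."""
    day = datetime(2025, 7, 19, tzinfo=IST)
    w = "ops-wallet-1"  # hypothetical wallet label
    routine = [Transfer(day.replace(hour=10 + i), w, f"0xMARKET_MAKER_{i}", usd)
               for i, usd in enumerate([10_000, 12_000, 11_000, 9_500, 13_000, 10_500])]
    burst = [
        Transfer(day.replace(hour=18, minute=0), w, "0xNEW_ADDRESS_PLACEHOLDER", 400_000),
        Transfer(day.replace(hour=18, minute=5), w, "0xMIXER_PLACEHOLDER", 700_000),
        Transfer(day.replace(hour=18, minute=12), w, "0xBRIDGE_PLACEHOLDER", 300_000),
    ]
    return detect_anomalies(routine + burst)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.transfer.ts:%H:%M} {a.kind:9} {a.detail}")
```

The three signals are deliberately independent: a first large transfer to an unseen address trips only the size check, while the later ones also trip the watchlist and velocity checks. In production the baseline window, z-threshold and hard limit would be tuned per wallet, and a velocity hit on an operational wallet is the point at which automated pausing of withdrawals, as in the response above, should be wired in.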
Comparative Analysis (Crypto Hacks 2024–2025)
| Exchange | Date | Amount | Attack Vector | User Funds Lost | Attribution |
|---|---|---|---|---|---|
| CoinDCX | Jul 2025 | $44M | Server breach, liquidity wallet | ❌ No | Unknown |
| WazirX | Jul 2024 | $235M | API key hijack, phishing | ✅ Yes | Not publicly known |
| Euler Finance | Feb 2024 | $197M | Flash loan + contract exploit | ✅ Yes | Alleged lone actor |
| KyberSwap | Sep 2024 | $48M | Front-end injection + bridge theft | ✅ Yes | Unknown, North Korea suspected |
Recommendations
- While CoinDCX stated that user funds in cold wallets were unaffected, keeping large assets in exchange wallets poses systemic risk. Store significant crypto holdings in hardware wallets (e.g., Ledger, Trezor). Use multi-signature wallets for institutional or high-value assets.
- Even if the exchange is secure, user-level authentication adds a layer of protection. Enable 2FA with authenticator apps (not SMS). Set withdrawal whitelists and verify all changes via email and device fingerprinting. Review API key access and disable unused keys.
- Early detection allows faster mitigation if a compromise begins. Set real-time transaction alerts via SMS/email. Use platforms like Etherscan, Solscan, or Nansen Portfolio to track wallet movements. Periodically download and audit your CoinDCX account statement.
- The attacker exploited a cross-chain liquidity bridge used by CoinDCX. Avoid leaving funds in margin or derivative positions unless actively trading. Withdraw tokens not being traded to personal wallets, especially if they are wrapped assets.
- Timely action during incidents can prevent cascading losses. Follow @CoinDCX, @smtgpt, and @neerajKh_ on X (Twitter) for real-time updates. Act immediately if CoinDCX issues a temporary suspension or recall announcement. Join CoinDCX community or Telegram groups to stay in sync with ongoing issues.
- Be cautious of fake CoinDCX support messages or refund offers, and of scam airdrops claiming to recover lost funds.
- Never share your private key or seed phrase with anyone.
Source:
- https://www.goodreturns.in/news/coindcx-hacked-for-44-million-major-crypto-exchange-suffers-security-breach-what-we-know-so-far-1443879.html
- https://x.com/neerajKh_/status/1946598377019646038
- https://x.com/smtgpt/status/1946597988660645900