The $44M CoinDCX Hack Explained

The attack began with ETH sourced from Tornado Cash, routed through FixedFloat, then Polygon, and finally bridged to Solana.
Soumen Datta
July 20, 2025
A Breach That Shook India’s Crypto Sector
CoinDCX, one of India's most prominent cryptocurrency exchanges, confirmed a security breach that resulted in the theft of over $44 million in digital assets.
The exploit targeted an operational wallet on the Solana network used for liquidity provisioning—not customer wallets. Despite the rapid and large-scale nature of the attack, the company insists user funds remain untouched and fully secure.
The incident was first flagged not by the company but by blockchain investigator ZachXBT, who tracked suspicious fund movements and identified the compromised wallet as belonging to CoinDCX. His disclosure forced a response from CoinDCX within minutes, marking one of the most high-profile crypto security incidents in India this year.
How the Attack Unfolded
According to on-chain security firm Cyvers, the attack was well-planned and executed with precision. The setup began as early as July 16, 2025, with 1 ETH sent from Tornado Cash—a cryptocurrency mixer often used to obfuscate fund origin. This ETH was deposited to FixedFloat, withdrawn to Polygon, and later bridged to Solana, where it was converted to SOL to cover transaction fees.
According to Meir Dolev, founder of Cyvers, by July 18, at 21:07 UTC, the attacker initiated a test transaction with just 1 USDT. Then the real exploit began. Within a span of five minutes, the attacker drained approximately $44.2 million in USDT and USDC from one of CoinDCX’s operational wallets on Solana.
The sequence of withdrawals is as follows:
- 22:09 UTC: $2 million
- 22:10: $7 million
- 22:11: $10 million
- 22:12: $10 million
- 22:13: Two separate transactions of $5 million each
- 22:14: Final withdrawal of $5 million
Minutes later, smaller transfers followed, including 102,000 USDC and 79,000 USDT. A portion of the stolen funds—$15.8 million—was bridged from Solana to Ethereum, possibly to diversify routes and complicate recovery.
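As an added illustration (not from the article, Cyvers or CoinDCX), the sketch below replays the reported withdrawal timeline through a rolling-window outflow limit of the kind a hot-wallet signing service can enforce, and shows how much would have left the wallet before the limit refused a transfer. The limit values, the 10-minute window and the function names are assumptions chosen for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Withdrawal timeline as reported in the article (UTC, 18 July 2025, USD).
# Packaged as a list for this example; policy values below are hypothetical.
OUTFLOWS = [
    ("2025-07-18T22:09", 2_000_000),
    ("2025-07-18T22:10", 7_000_000),
    ("2025-07-18T22:11", 10_000_000),
    ("2025-07-18T22:12", 10_000_000),
    ("2025-07-18T22:13", 5_000_000),
    ("2025-07-18T22:13", 5_000_000),
    ("2025-07-18T22:14", 5_000_000),
]

def first_trip(outflows, limit_usd, window):
    """Replay transfers through a rolling-window outflow limit.

    Returns (timestamp of the first refused transfer, USD released before it),
    or (None, total released) if the limit is never reached.
    """
    approved = deque()   # (time, amount) of approved transfers still in window
    released = 0
    for ts, amount in outflows:
        now = datetime.fromisoformat(ts)
        # Drop approvals that have aged out of the window.
        while approved and now - approved[0][0] > window:
            approved.popleft()
        if sum(a for _, a in approved) + amount > limit_usd:
            return ts, released      # signer refuses and pages a human
        approved.append((now, amount))
        released += amount
    return None, released

def compare_policies(outflows, limits, window=timedelta(minutes=10)):
    """Map each candidate limit to the loss it would have allowed."""
    return {limit: first_trip(outflows, limit, window) for limit in limits}

if __name__ == "__main__":
    for limit, (ts, lost) in compare_policies(
            OUTFLOWS, [5_000_000, 20_000_000, 50_000_000]).items():
        print(f"limit ${limit:,}: tripped at {ts}, released ${lost:,}")
```

A limit sized to the wallet's normal liquidity-provisioning volume bounds the loss to one window's worth of outflow regardless of how the signing credentials were obtained.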
CoinDCX Responds
The breach came to public attention when ZachXBT shared his findings on Telegram, prompting swift confirmation from CoinDCX CEO Sumit Gupta. He called the incident a “sophisticated server breach” that compromised a single operational account used with a partner exchange.
Importantly, Gupta stated that:
- All user assets are stored in cold wallets
- No customer funds were affected
- The platform continues to operate normally for trading and INR withdrawals
“The incident was quickly contained by isolating the affected operational account,” Gupta emphasized. “Since our operational accounts are segregated from customer wallets, the exposure is only limited to this specific account and is being fully absorbed by us - from our own treasury reserves.”
Security Measures and Recovery Plans Underway
CoinDCX says it has engaged cybersecurity firms to investigate the breach and trace the movement of stolen assets. The company is working with the unnamed partner exchange to freeze funds where possible. A bug bounty program is also in development, aimed at identifying vulnerabilities before attackers can exploit them.
Despite the breach, CoinDCX maintains that its systems are sound. The company has long claimed to use a multi-layered security architecture. Funds are distributed across different wallets and custodians.
Monthly proof-of-reserve reports have been a cornerstone of the exchange’s transparency policy. There’s also a compensation fund intended to cover users in case of emergencies—although in this case, customer funds were unaffected.
Founded in 2018, CoinDCX rose quickly to become India’s first crypto unicorn in 2021 after raising $90 million at a $1.1 billion valuation. In 2022, another $135 million round nearly doubled its valuation to $2.15 billion.
In July 2024, CoinDCX acquired Dubai-based BitOasis, a move that signaled the company’s intent to go global. The recent breach, however, casts a shadow over these ambitions.
A Cautionary Moment for Indian Crypto
The hack comes almost exactly one year after the collapse of WazirX, another leading Indian exchange that lost $230 million to a breach attributed to North Korea's Lazarus Group. That attack led to the shutdown of the platform and a failed restructuring plan, with only $3 million recovered to date.
While it’s unclear if the CoinDCX hack is linked to the same actors, the similarities are notable: an operational account breach, delayed disclosure, and reliance on Tornado Cash. So far, no nation-state group has been blamed.
A Problem of Centralization
Though CoinDCX insists on its robust architecture, the incident reveals a significant vulnerability in how centralized exchanges manage operational wallets. The compromised account was used solely for liquidity on a partner platform, yet it held tens of millions of dollars—enough to attract sophisticated attackers.
Adding to the criticism is CoinDCX’s restrictive crypto withdrawal policy. Users cannot withdraw funds by default. Instead, withdrawals are allowed only after internal review based on risk assessments. This centralized control has sparked debate within the Indian crypto community about user autonomy and transparency.
In a Reddit AMA in May, Gupta defended this policy by saying it prevents illicit fund movement. He also downplayed the possibility of a WazirX-style attack on CoinDCX, citing security layers, internal audits, and compliance standards. This latest incident has put those claims under scrutiny.