
Cyber Incident Victim: CoinDCX

Date:

Jul 2025

Location:

India



Description

On 19 July 2025, India’s largest cryptocurrency exchange CoinDCX experienced a security breach that resulted in the unauthorized transfer of approximately US$44.2 million, equivalent to about IDR700 billion, from an internal operational wallet used for liquidity provision. The incident occurred between 16 and 19 July 2025, with the actual siphoning of funds taking place in under five minutes after the attackers gained access to the exchange’s liquidity infrastructure. Although the compromised wallet held funds designated for internal operations, CoinDCX emphasized that no customer assets were affected because those assets were stored separately in cold wallets that remained isolated from the breached system. The breach was not detected internally for nearly 17 hours, and it only became public after the blockchain researcher ZachXBT disclosed the activity on his Telegram channel, prompting the exchange to acknowledge the event. In response, CoinDCX’s chief executive officer Sumit Gupta took to platform X to clarify that the compromised account was an internal liquidity account and reiterated that customer funds remained secure due to the exchange’s architectural separation of operational and customer-held assets. Gupta also expressed that the priority for the exchange was identifying and apprehending the perpetrators rather than merely recovering the stolen funds, and he called for industry‑wide vigilance to prevent similar incidents. The exchange confirmed that it remained fully operational and financially stable despite the loss, and it assured users that trading and withdrawal services continued without interruption.


The attackers executed the theft with a high degree of precision, beginning their on‑chain activity by sending a single ether (ETH) from the Tornado Cash mixer, a service known to have processed over US$7 billion since 2019. From that initial transaction, the threat actors moved funds through Solana‑based wallets, eventually bridging the assets to the Ethereum network using the Wormhole Bridge and the Jupiter Swap Aggregator to facilitate cross‑chain transfers. Blockchain analysis revealed that the stolen value ultimately resided in two primary wallets: a Solana address holding 155,830 SOL, valued at approximately US$27.6 million, and an Ethereum address holding 4,443 ETH, valued at roughly US$15.7 million, both of which remained untouched at the time of reporting. The speed of the transaction—completed in under five minutes—suggested that the attackers possessed deep familiarity with the exchange’s internal transaction flows and were able to bypass typical monitoring thresholds. Cybersecurity expert Deddy Lavid, CEO of CyVers Security, noted that the use of legitimate internal credentials likely allowed the malicious activity to blend with normal operational traffic, thereby delaying the triggering of security alerts. The attackers’ methodology demonstrated a sophisticated understanding of both the exchange’s liquidity mechanisms and the broader DeFi ecosystem tools used to obscure the trail of funds.

Attribution of the breach has been pointed toward the Lazarus Group, a North Korean cybercrime syndicate previously linked to numerous high‑profile cryptocurrency heists, including the alleged US$1.5 billion Bybit breach in February 2025, which at the time represented the largest crypto theft in history. CoinDCX’s internal report and external analysts highlighted similarities in the tactics, techniques, and procedures observed in this incident with those historically associated with Lazarus Group operations, such as the use of mixers, cross‑chain bridges, and rapid fund dispersal. While the exchange stopped short of issuing a definitive attribution, it acknowledged the suspicion and indicated that law‑enforcement and blockchain‑forensics partners were engaged to pursue the perpetrators. Deddy Lavid further commented that the exploitation of exposed internal credentials was a plausible entry vector, emphasizing that the compromised account’s operational privileges were sufficient to authorize large‑value transfers without raising immediate suspicion. The exchange’s statement noted that the attackers’ ability to move funds swiftly and covertly underscored the need for enhanced monitoring of privileged accounts, even those not directly holding customer assets.

Detection of the breach was delayed because the attackers’ use of valid credentials meant their actions did not initially deviate from expected behavioral patterns, allowing the transaction to proceed unnoticed for a significant period. It was only after ZachXBT’s public disclosure on Telegram that CoinDCX became aware of the anomaly and began its internal investigation. Approximately 17 hours elapsed between the completion of the unauthorized transfers and the public revelation, during which time the attackers had already moved the stolen assets into the aforementioned Solana and Ethereum wallets. Following the disclosure, Sumit Gupta addressed the community on platform X, confirming that an internal liquidity account had been compromised and reiterating that customer funds remained secure due to the exchange’s cold‑storage segregation. Gupta also stressed that the exchange’s immediate focus was on cooperation with investigators to identify and apprehend those responsible, and he urged the broader crypto industry to learn from the event to strengthen collective defenses. The exchange’s leadership made clear that recovering the stolen funds, while important, was secondary to ensuring accountability and preventing recurrence.
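The detection gap described above, where each transfer by a legitimately credentialed account stays within normal bounds while the aggregate drained in under five minutes does not, is the case a sliding-window velocity rule is meant to catch. The following is an added example, not CoinDCX's monitoring logic or anything from the source; the wallet label, amounts, timestamps and thresholds are constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample outflow log (not real CoinDCX data): each record is
# (ISO timestamp, source wallet label, amount in USD). The last five rows
# model a rapid drain of an operational wallet in a five-minute span.
SAMPLE_TRANSFERS = [
    ("2025-07-18T10:00:00", "liquidity-ops", 900_000),
    ("2025-07-18T10:20:00", "liquidity-ops", 1_100_000),
    ("2025-07-19T02:00:00", "liquidity-ops", 1_900_000),
    ("2025-07-19T02:01:00", "liquidity-ops", 1_950_000),
    ("2025-07-19T02:02:00", "liquidity-ops", 1_850_000),
    ("2025-07-19T02:03:00", "liquidity-ops", 1_980_000),
    ("2025-07-19T02:04:00", "liquidity-ops", 1_900_000),
]

PER_TX_LIMIT = 2_000_000       # assumed per-transaction alert threshold
WINDOW = timedelta(minutes=5)  # assumed velocity window
WINDOW_LIMIT = 5_000_000       # assumed aggregate limit per wallet per window


def per_transaction_alerts(transfers, limit=PER_TX_LIMIT):
    """Naive control: alert only when a single transfer exceeds the limit.
    Every transfer in the sample is below it, so this returns nothing."""
    return [t for t in transfers if t[2] > limit]


def velocity_alerts(transfers, window=WINDOW, limit=WINDOW_LIMIT):
    """Sliding-window control: alert when one wallet's aggregate outflow
    inside `window` exceeds `limit`, even though no single transfer trips
    the per-transaction threshold. Returns (wallet, timestamp, aggregate)."""
    recent = {}   # wallet -> deque of (time, amount) still inside the window
    totals = {}   # wallet -> running sum of the amounts in its deque
    alerts = []
    for ts, wallet, amount in sorted(transfers):
        now = datetime.fromisoformat(ts)
        q = recent.setdefault(wallet, deque())
        q.append((now, amount))
        totals[wallet] = totals.get(wallet, 0) + amount
        # Drop transfers that have aged out of the window.
        while q and now - q[0][0] > window:
            _, old = q.popleft()
            totals[wallet] -= old
        if totals[wallet] > limit:
            alerts.append((wallet, ts, totals[wallet]))
    return alerts
```

On the constructed log the per-transaction rule stays silent, while the velocity rule fires at the third transfer of the burst, with the aggregate already at US$5.7 million.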

In response to the incident, CoinDCX launched a bounty program on 21 July 2025, offering up to 25% of any recovered assets to individuals or groups who provided actionable intelligence leading to the seizure of the stolen funds. Based on the estimated total loss of US$44.2 million, the maximum potential reward under this program could reach approximately US$11 million. The exchange emphasized that the bounty was intended to incentivize the broader blockchain and security communities to assist in tracing and freezing the illicitly moved assets. CoinDCX also reiterated that, despite the breach, its core trading platform, wallet services, and liquidity operations continued to function normally, and that its balance sheet remained sound enough to sustain ongoing business activities without requiring external financial support. The exchange’s public statements highlighted its commitment to transparency, noting that it would continue to provide updates as the investigation progressed and as any recoveries were made.

The CoinDCX breach occurred against a backdrop of escalating cryptocurrency‑related crime, with data from various security firms indicating that total losses from crypto theft in the first half of 2025 had already exceeded US$2.17 billion, surpassing the cumulative losses recorded for the entire year of 2024. This trend underscored the growing scale and frequency of attacks targeting digital asset platforms, regardless of their size or perceived security maturity. Furthermore, industry‑wide recovery rates remained exceptionally low, with estimates suggesting that of the roughly US$2.5 billion stolen across all incidents in the relevant period, only approximately US$187 million—less than eight percent—had been successfully retrieved by victims or authorities. The low recovery statistic highlighted the challenges associated with tracing and reclaiming funds once they have been laundered through mixers, bridges, and decentralized exchanges, reinforcing the importance of preventive controls and rapid detection mechanisms. CoinDCX’s experience contributed to the broader narrative that, while technical safeguards such as the separation of operational and customer wallets can limit the impact of a breach, the evolving tactics of threat actors necessitate continuous improvement in credential management, anomaly detection, and incident response capabilities across the ecosystem.
