CoinDCX, one of India’s largest crypto exchanges, confirmed on July 19, 2025 that a sophisticated server breach drained $44 million from an internal liquidity wallet, but all customer funds remained secure in cold storage.
Key Takeaways
- Hack exploited a hot wallet used for liquidity provisioning via a server breach.
- No user assets were harmed; losses are being absorbed by CoinDCX’s treasury.
- Hack was flagged by onchain sleuth ZachXBT and security firm Cyvers, traced via Tornado Cash.
- CoinDCX plans bug bounty, security audits, and real-time community updates.
What Happened
On July 18, 2025, around 17 hours before the public announcement, CoinDCX’s internal operational wallet, used solely for liquidity provisioning, was compromised via a sophisticated server breach. The attackers transferred just 1 ETH from Tornado Cash before bridging stolen assets from Solana to Ethereum.
Onchain investigator ZachXBT publicly tracked the exploit on Telegram and X, exposing the addresses involved and highlighting the fact that CoinDCX had not disclosed the incident on its own.
Company Response
CEO Sumit Gupta took to X to break the silence, explaining that the affected wallet was an internal operational account isolated from customer funds.
He stated:
“No customer funds have been impacted. Your assets remain completely safe and protected in our secure cold wallet infrastructure. All trading activity and INR withdrawals are fully operational.”
He added that the incident was swiftly contained, and the entire $44 million loss would be covered from CoinDCX’s treasury, not passing the burden onto users.
Technical Details and Investigation
According to security analysts:
- The breach originated in a hot wallet used for liquidity provisioning on a partner exchange, not customer-facing systems.
- Cyvers alerted ZachXBT after spotting irregular fund flows.
- The attacker’s public addresses include two Solana accounts and one Ethereum account:
  - Solana: 6peRRbTz…FdP22n
  - Solana: 3btch8cS…cJs7Gu
  - Ethereum: 0xEF0c5b9E…8CD8D
CoinDCX engaged cybersecurity firms to trace fund movements, patch vulnerabilities, and initiate a bug bounty program. The platform also began work with its partner exchange to potentially recover stolen funds.
Industry Context
This incident echoes last year’s breach of WazirX on July 18, 2024, when North Korea-linked hackers stole about $235 million via a compromised multisig wallet. That event exposed persistent threats within centralized crypto platforms, prompting concerns about operational security in India’s booming crypto market.
CoinLaw’s Takeaway
I believe transparency is the pillar of trust in crypto. CoinDCX acted responsibly by isolating the breach and using its own reserves to shield customers from financial harm. But the delay in public communication, only after the exploit was exposed onchain, raises concerns about crisis preparedness. Going forward, the launch of a bug bounty and ongoing audits are prudent steps. However, for Indian users to feel secure, exchanges must embed real-time alerts and independent audits into their security protocols.
The recurring pattern of large-scale hacks, highlighted by both WazirX and now CoinDCX, should be a wake-up call. Customer assets can be protected, but only if internal controls, code audits, and rapid incident response are institutionalized across the industry.