QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$44 300 000 USD
JULY 2025
INDIA
COINDCX
DESCRIPTION OF EVENTS
CoinDCX positions itself as India’s leading cryptocurrency platform, serving over 19 million registered users with access to more than 500 crypto assets. The platform facilitates seamless trading using INR and boasts a quarterly trading volume exceeding ₹24.4 trillion. It emphasizes accessibility through its app, promising users a simplified yet robust experience in learning, investing, and trading cryptocurrencies, including major coins like Bitcoin, Ethereum, and Ripple.
Security and regulatory compliance are central to CoinDCX’s offerings. It is compliant with India’s Financial Intelligence Unit (FIU) standards, ISO/IEC 27001:2022 certified for global information security practices, and ensures transparency through third-party audited proof of reserves. Users also benefit from 24/7 customer support, free INR transactions, and automated crypto tax reporting, reflecting the company’s commitment to user trust and convenience.
CoinDCX also aims to educate and support the crypto journey of Indian users, affirming that cryptocurrency is legal in India under specific financial guidelines. The platform offers a wide range of services—from spot and futures trading to VIP accounts and enterprise solutions. It highlights its role in shaping India’s crypto narrative while reminding users that crypto investments are unregulated and carry risks, encouraging informed and compliant participation in the space.
The exploit reportedly targeted an internal operational account used for liquidity provisioning on a partner exchange, not customer wallets. The attackers carried out a highly sophisticated multi-day operation, involving cross-chain fund transfers, mixing protocols, and decentralized bridges, all designed to obscure the movement and origin of the stolen funds.
The technical trail began with 1 ETH withdrawn from Tornado Cash to fund the exploit, followed by activity across FixedFloat, Polygon, and deBridge, before finally reaching the Solana and Ethereum ecosystems. On July 18 between 22:09 and 22:14 UTC, the attackers initiated a rapid-fire sequence of withdrawals totaling tens of millions of dollars from CoinDCX’s Solana wallet. The loot, largely in SOL, was quickly swapped, split, and bridged using the Jupiter aggregator and the Wormhole bridge, ultimately consolidating into wallets that still hold the assets. The pattern and timing suggest a deep familiarity with CoinDCX’s infrastructure, implying either an insider threat or extensive external reconnaissance.
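A burst of ten large outflows from one operational wallet inside a five-minute window is the kind of pattern a sliding-window velocity check on hot-wallet withdrawals is meant to surface. The following is an added Python example and not CoinDCX code; the wallet label, timestamps and thresholds are constructed, while the amounts are the SOL figures reported for the incident.

```python
"""Sliding-window velocity alert for operational-wallet outflows.

Added illustration, not CoinDCX's monitoring. Wallet name, spacing of the
timestamps and the thresholds are constructed; amounts are the reported SOL
transfers. The check fires at the first transfer that pushes a wallet past
either a transaction-count or a cumulative-amount limit within the window.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    wallet: str
    amount_sol: float


# Constructed sample: the reported amounts, spread 30 s apart across the
# 22:09-22:14 UTC window described above (exact timestamps are invented).
T0 = datetime(2025, 7, 18, 22, 9, tzinfo=timezone.utc)
REPORTED_SOL = [560, 2704.6, 2800, 5612, 5622, 6200, 5637, 16913, 37000, 6001]
SAMPLE_TRANSFERS = [
    Transfer(T0 + timedelta(seconds=30 * i), "ops-hot-sol", amt)
    for i, amt in enumerate(REPORTED_SOL)
]


def first_breach(transfers, window=timedelta(minutes=5),
                 max_count=3, max_total_sol=10_000.0):
    """Return {wallet: alert} for the first transfer that breaches a limit.

    `transfers` must be sorted by timestamp. A wallet that never breaches
    either limit is absent from the result, so callers can gate a freeze on
    membership alone.
    """
    recent = {}   # wallet -> deque of (ts, amount) still inside the window
    alerts = {}
    for t in transfers:
        if t.wallet in alerts:
            continue  # already flagged; a real system would have frozen it
        q = recent.setdefault(t.wallet, deque())
        q.append((t.ts, t.amount_sol))
        while q and t.ts - q[0][0] > window:   # expire old entries
            q.popleft()
        total = sum(a for _, a in q)
        if len(q) > max_count or total > max_total_sol:
            alerts[t.wallet] = {"at": t.ts, "count": len(q),
                                "total_sol": round(total, 2)}
    return alerts
```

With the sample data the fourth transfer (5,612 SOL at 22:10:30) trips both limits, roughly a minute and a half into the five-minute drain.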
Losses were reported as approximately $44.3m USD.
CoinDCX’s internal response began with the immediate isolation of the compromised operational account, which was used solely for liquidity provisioning on a partner exchange. Fortunately, this account was segregated from customer wallets, which remained untouched due to the platform’s structural separation between internal funds and user assets. This containment helped prevent the breach from spreading further and allowed the exchange to assure users that their personal assets were not at risk.
CoinDCX publicly acknowledged the exploit only 17 hours later, after blockchain investigator ZachXBT exposed it on July 19 at 14:41 UTC. CoinDCX’s leadership responded within minutes of the exposure, issuing a statement claiming full containment of the incident, emphasizing that customer funds were never at risk, and asserting that the loss would be covered entirely from company reserves. Critics, however, labeled this delayed response as "forced transparency," pointing out that the affected wallet was not even listed in the exchange’s Proof of Reserves.
CoinDCX decided to absorb the entire $44.3 million loss from its own treasury reserves, avoiding any impact on customer balances. Internally, the company activated its incident response protocols and began collaborating with global cybersecurity experts, blockchain forensics firms, and Indian regulatory authorities (CERT-In) to trace the stolen funds and identify the attackers.
CoinDCX monitored the movement of assets across blockchains—particularly Solana and Ethereum—and documented how the funds were split, swapped via aggregators like Jupiter, and bridged through protocols like Wormhole. CoinDCX launched a Recovery Bounty Program, offering up to 25% of recovered funds as a reward. The company is now cooperating with CERT-In, blockchain forensic firms, and other exchanges to trace and freeze assets.
CoinDCX has pledged to cover the full balances of all customers. There is no evidence that any funds have been recovered by the platform.
Several key aspects of the CoinDCX breach remain ongoing and unresolved at the time of writing. Most notably, the stolen $44.3 million in digital assets has not yet been recovered. While some of the funds have been traced, initially moved through Solana, then swapped and bridged to Ethereum, the assets currently reside in known wallets, and no significant portion has been frozen or retrieved. The attackers have employed sophisticated laundering techniques, including mixers, cross-chain routing, and fund obfuscation strategies, making recovery efforts complex and time-sensitive.
Additionally, the investigation into how the attackers gained access to the operational account is still underway. CoinDCX has not released a detailed technical post-mortem or audit report, leaving unanswered questions about the root cause of the breach—whether it was due to a misconfigured server, insider compromise, or a zero-day vulnerability. The exchange is reportedly working with two global cybersecurity firms and blockchain forensics teams, but no definitive attribution has been made, although some sources have speculated possible involvement from state-linked groups like Lazarus. This lack of closure continues to fuel concern about internal security controls and incident response planning.
The broader impact on user trust and regulatory perception also remains unresolved. While CoinDCX insists that customer funds are safe and operations are fully functional, the delay in disclosure and reliance on third-party investigators to reveal the breach have drawn criticism. The company’s decision to offer a bounty suggests they are still in active pursuit of intelligence, and the situation could evolve depending on whether more funds are moved, frozen, or recovered.
CoinDCX suffered a sophisticated hack that drained approximately $44.3 million from an internal operational account used for liquidity, without impacting customer funds. The attackers used cross-chain transfers, mixers, and bridges to launder the stolen assets, which remain unrecovered. CoinDCX only disclosed the breach after being publicly exposed by a blockchain investigator, drawing criticism for delayed transparency. The exchange has since launched a bounty program, is working with global security firms and regulators, and continues efforts to trace and recover the stolen funds.
CoinDCX - Rekt (Jul 23)
First Transfer Of 560 SOL - Solscan (Jul 23)
Second Transfer Of 2,704.64660705 SOL - Solscan (Jul 23)
Third Transfer Of 2,800 SOL - Solscan (Jul 23)
Fourth Transfer Of 5,612 SOL - Solscan (Jul 23)
Fifth Transfer Of 5,622 SOL - Solscan (Jul 23)
Sixth Transfer Of 6,200 SOL - Solscan (Jul 23)
Seventh Transfer Of 5,637 SOL - Solscan (Jul 23)
Large Transfer Of 16,913 SOL - Solscan (Jul 23)
Large Transfer Of 37,000 SOL - Solscan (Jul 23)
Final Transfer Of 6,001 SOL - Solscan (Jul 23)
First Transfer Of 1,000 SOL By Attacker - Solscan (Jul 23)
Transfer Of 22,482.827144476 SOL - Solscan (Jul 23)
RektHQ Smirking Response To CoinDCX - Twitter/X (Jul 23)
Incident Report: July 19, 2025 - CoinDCX Blog (Jul 23)
Announcing CoinDCX Recovery Bounty Program: Because this is bigger than us - CoinDCX Blog (Jul 23)
CoinDCX Homepage (Jul 23)
