CoinDCX Sophisticated Server Breach Precise Cross-Chain Heist
CoinDCX suffered a sophisticated hack that drained approximately $44.3 million from an internal operational account used for liquidity, without impacting customer funds. The attackers used cross-chain transfers, mixers, and bridges to launder the stolen assets, which remain unrecovered. CoinDCX only disclosed the breach after being publicly exposed by a blockchain investigator, drawing criticism for delayed transparency. The exchange has since launched a bounty program, is working with global security firms and regulators, and continues efforts to trace and recover the stolen funds.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]
About CoinDCX
CoinDCX positions itself as India’s leading cryptocurrency platform, serving over 19 million registered users with access to more than 500 crypto assets. The platform facilitates seamless trading using INR and boasts a quarterly trading volume exceeding ₹24.4 trillion. It emphasizes accessibility through its app, promising users a simplified yet robust experience in learning, investing, and trading cryptocurrencies, including major coins like Bitcoin, Ethereum, and Ripple.
Security and regulatory compliance are central to CoinDCX’s offerings. It is compliant with India’s Financial Intelligence Unit (FIU) standards, ISO/IEC 27001:2022 certified for global information security practices, and ensures transparency through third-party audited proof of reserves. Users also benefit from 24/7 customer support, free INR transactions, and automated crypto tax reporting, reflecting the company’s commitment to user trust and convenience.
CoinDCX also aims to educate and support the crypto journey of Indian users, affirming that cryptocurrency is legal in India under specific financial guidelines. The platform offers a wide range of services—from spot and futures trading to VIP accounts and enterprise solutions. It highlights its role in shaping India’s crypto narrative while reminding users that crypto investments are unregulated and carry risks, encouraging informed and compliant participation in the space.
What Happened
CoinDCX was hacked for $44.3 million through a sophisticated exploit on an internal account.
| Date | Event | Description |
|---|---|---|
| July 18th, 2025 4:29:51 PM MDT | First Transaction To Attacker | The first significant transfer of 560 SOL to the attacker. |
| July 18th, 2025 4:35:06 PM MDT | Second Transaction To Attacker | The next significant transfer of 2,704.64660705 SOL to the attacker. |
| July 18th, 2025 4:40:49 PM MDT | Third Transaction To Attacker | The third significant transfer of 2,800 SOL to the attacker. |
| July 18th, 2025 4:46:57 PM MDT | Fourth Transaction To Attacker | The fourth significant transfer of 5,612 SOL to the attacker. |
| July 18th, 2025 4:49:44 PM MDT | Fifth Transaction To Attacker | The fifth significant transfer of 5,622 SOL to the attacker. |
| July 18th, 2025 4:51:34 PM MDT | Sixth Transaction To Attacker | The sixth significant transfer of 6,200 SOL to the attacker. |
| July 18th, 2025 4:52:59 PM MDT | Seventh Transaction To Attacker | The seventh significant transfer of 5,637 SOL to the attacker. |
| July 18th, 2025 5:04:21 PM MDT | Large Transaction To Attacker | A significant transfer of 16,913 SOL to the attacker. |
| July 18th, 2025 5:12:27 PM MDT | Largest Transaction To Attacker | The largest transfer of the set is 37,000 SOL to the attacker. |
| July 18th, 2025 5:22:19 PM MDT | First Transaction According to Rekt | Rekt News reports this as the first transaction to the attacker, a transfer of 22,482.827144476 SOL. |
| July 18th, 2025 6:41:29 PM MDT | Final Transaction To Attacker | The final significant transfer of 6,001 SOL to the attacker. There are multiple additional transactions in the middle. |
| July 18th, 2025 8:00:00 PM MDT | Reported Time Of Attack | The officially reported time of the attack in the official report submitted by CoinDCX. |
| July 20th, 2025 6:33:31 PM MDT | First Transaction Moving Funds | The first transaction to start moving the funds from the Solana wallet. |
| July 22nd, 2025 1:18:00 PM MDT | Rekt News Publishes Report | Rekt News publishes a report about the exploit, where the results are highlighted. |
| July 22nd, 2025 10:59:00 PM MDT | Rekt Is A Dear Customer | A Twitter/X account called CoinDCX Cares responds to "Dear Customer" Rekt News to "recognize the 17 hour delay and share [thei]r concern". |
Technical Details
The exploit reportedly targeted an internal operational account used for liquidity provisioning on a partner exchange, not customer wallets. The attackers carried out a highly sophisticated multi-day operation, involving cross-chain fund transfers, mixing protocols, and decentralized bridges, all designed to obscure the movement and origin of the stolen funds.
The technical trail began with 1 ETH from Tornado Cash to fund the exploit, followed by activity across FixedFloat, Polygon, and deBridge, before finally reaching the Solana and Ethereum ecosystems. On July 18 between 22:09 and 22:14 UTC, the attackers initiated a rapid-fire sequence of withdrawals totaling tens of millions of dollars from CoinDCX’s Solana wallet. The loot, largely in SOL, was quickly swapped, split, and bridged using the Jupiter aggregator and the Wormhole bridge, ultimately consolidating into wallets that still hold the assets. The pattern and timing suggest a deep familiarity with CoinDCX’s infrastructure, implying either an insider threat or extensive external reconnaissance.
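The withdrawals listed in the timeline above are the kind of burst that a simple outflow-velocity rule on an operational hot wallet is designed to catch. The following is an added illustration, not CoinDCX's code or any detail of its actual monitoring: it replays the SOL transfers from this page's timeline (times as listed in MDT; the unlisted intermediate transactions are omitted) through a sliding-window check with an assumed limit of 10,000 SOL per 30 minutes, and reports every transfer at which the rule would have fired.

```python
from datetime import datetime, timedelta

# Constructed from the timeline on this page: the SOL transfers out of the
# operational wallet on July 18th, 2025 (local time MDT, as listed). Only the
# transfers the page lists are included; amounts are in SOL.
TRANSFERS = [
    ("2025-07-18 16:29:51", 560.0),
    ("2025-07-18 16:35:06", 2704.64660705),
    ("2025-07-18 16:40:49", 2800.0),
    ("2025-07-18 16:46:57", 5612.0),
    ("2025-07-18 16:49:44", 5622.0),
    ("2025-07-18 16:51:34", 6200.0),
    ("2025-07-18 16:52:59", 5637.0),
    ("2025-07-18 17:04:21", 16913.0),
    ("2025-07-18 17:12:27", 37000.0),
    ("2025-07-18 17:22:19", 22482.827144476),
    ("2025-07-18 18:41:29", 6001.0),
]

FMT = "%Y-%m-%d %H:%M:%S"


def velocity_alerts(transfers, window=timedelta(minutes=30), limit=10_000.0):
    """Sliding-window outflow rule (assumed policy, not CoinDCX's).

    Returns (timestamp, window_total) for every transfer at which the total
    outflow within the trailing `window` exceeds `limit` SOL.
    """
    rows = sorted((datetime.strptime(ts, FMT), amt) for ts, amt in transfers)
    alerts = []
    start = 0       # index of the oldest transfer still inside the window
    total = 0.0     # running sum of amounts inside the window
    for ts, amt in rows:
        total += amt
        # Evict transfers that have aged out of the trailing window.
        while rows[start][0] < ts - window:
            total -= rows[start][1]
            start += 1
        if total > limit:
            alerts.append((ts.strftime(FMT), round(total, 6)))
    return alerts


def exposure_before_first_alert(transfers, **kw):
    """Total SOL sent out up to and including the first transfer that alerts."""
    alerts = velocity_alerts(transfers, **kw)
    if not alerts:
        return None
    cutoff = datetime.strptime(alerts[0][0], FMT)
    return round(sum(a for ts, a in transfers if datetime.strptime(ts, FMT) <= cutoff), 6)
```

With these assumptions the rule first fires on the fourth listed transfer, about 17 minutes after the first one and before the 16,913 SOL and 37,000 SOL transfers; a policy that paused the wallet's signer on the first alert would have capped exposure at roughly 11,677 SOL of the ~111,500 SOL listed.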
Total Amount Lost
Losses were reported as approximately $44.3m USD.
The total amount lost has been estimated at $44,300,000 USD.
Immediate Reactions
CoinDCX’s internal response began with the immediate isolation of the compromised operational account, which was used solely for liquidity provisioning on a partner exchange. Fortunately, this account was segregated from customer wallets, which remained untouched due to the platform’s structural separation between internal funds and user assets. This containment helped prevent the breach from spreading further and allowed the exchange to assure users that their personal assets were not at risk.
CoinDCX only publicly acknowledged the exploit 17 hours later, after blockchain investigator ZachXBT publicly exposed the exploit on July 19 at 14:41 UTC. CoinDCX’s leadership responded within minutes of the exposure, issuing a statement claiming full containment of the incident, emphasizing that customer funds were never at risk, and asserting that the loss would be covered entirely from company reserves. Critics, however, labeled this delayed response as "forced transparency," pointing out that the affected wallet was not even listed in the exchange’s Proof of Reserves.
Ultimate Outcome
CoinDCX decided to absorb the entire $44.3 million loss from its own treasury reserves, avoiding any impact on customer balances. Internally, the company activated its incident response protocols and began collaborating with global cybersecurity experts, blockchain forensics firms, and Indian regulatory authorities (CERT-In) to trace the stolen funds and identify the attackers.
CoinDCX monitored the movement of assets across blockchains—particularly Solana and Ethereum—and documented how the funds were split, swapped via aggregators like Jupiter, and bridged through protocols like Wormhole. CoinDCX launched a Recovery Bounty Program, offering up to 25% of recovered funds as a reward. The company is now cooperating with CERT-In, blockchain forensic firms, and other exchanges to trace and freeze assets.
Total Amount Recovered
CoinDCX has pledged to cover the full balances of all customers. There is no evidence that any funds have been recovered by the platform.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Several key aspects of the CoinDCX breach remain ongoing and unresolved as of now. Most notably, the stolen $44.3 million in digital assets has not yet been recovered. While some of the funds have been traced—initially moved through Solana, then swapped and bridged to Ethereum—the assets currently reside in known wallets, and no significant portion has been frozen or retrieved. The attackers have employed sophisticated laundering techniques, including mixers, cross-chain routing, and fund obfuscation strategies, making recovery efforts complex and time-sensitive.
Additionally, the investigation into how the attackers gained access to the operational account is still underway. CoinDCX has not released a detailed technical post-mortem or audit report, leaving unanswered questions about the root cause of the breach—whether it was due to a misconfigured server, insider compromise, or a zero-day vulnerability. The exchange is reportedly working with two global cybersecurity firms and blockchain forensics teams, but no definitive attribution has been made, although some sources have speculated possible involvement from state-linked groups like Lazarus. This lack of closure continues to fuel concern about internal security controls and incident response planning.
The broader impact on user trust and regulatory perception also remains unresolved. While CoinDCX insists that customer funds are safe and operations are fully functional, the delay in disclosure and reliance on third-party investigators to reveal the breach have drawn criticism. The company’s decision to offer a bounty suggests they are still in active pursuit of intelligence, and the situation could evolve depending on whether more funds are moved, frozen, or recovered.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ CoinDCX - Rekt (Accessed Jul 23, 2025)
- ↑ First Transfer Of 560 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Second Transfer Of 2,704.64660705 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Third Transfer Of 2,800 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Fourth Transfer Of 5,612 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Fifth Transfer Of 5,622 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Sixth Transfer Of 6,200 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Seventh Transfer Of 5,637 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Large Transfer Of 16,913 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Large Transfer Of 37,000 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ Final Transfer Of 6,001 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ First Transfer Of 1,000 SOL By Attacker - Solscan (solscan.io/tx/BwYzPqpgeNvHrHniFhmsfbpWUNjt6su2BPk7b4EGkJjYwDRBggq27X7CtdvDR251ZYoXU5Nbh58SWRbvmTFHox1) (Accessed Jul 23, 2025)
- ↑ Transfer Of 22,482.827144476 SOL - Solscan (Accessed Jul 23, 2025)
- ↑ RektHQ Smirking Response To CoinDCX - Twitter/X (Accessed Jul 23, 2025)
- ↑ Incident Report: July 19, 2025 - CoinDCX Blog (Accessed Jul 23, 2025)
- ↑ Announcing CoinDCX Recovery Bounty Program: Because this is bigger than us - CoinDCX Blog (Accessed Jul 23, 2025)
- ↑ CoinDCX Homepage (Accessed Jul 23, 2025)