What is the CoinDCX $44-million crypto theft?
India’s largest crypto exchange, CoinDCX, fell victim to a sophisticated $44.2-million hack on July 19, 2025.
Attackers managed to gain access to an operational wallet and drained it within minutes. Fortunately, the security architecture of CoinDCX meant all customer funds were kept completely safe.
News of the hack took nearly 17 hours to emerge, when blockchain sleuth ZachXBT alerted people to the potential hack via his official Telegram channel.
CoinDCX CEO Sumit Gupta was then quick to respond, releasing a statement on X, explaining that one of their internal operational accounts used for liquidity was compromised, but he confirmed that customer assets were kept safe.
This latest CoinDCX hack has been linked to the infamous Lazarus Group of North Korea, an aggressive state-sponsored hacking syndicate that targets crypto exchanges.
Many in the crypto community were frustrated at CoinDCX’s slow reporting, especially as the organization claims to keep a strong public stance on transparency. Community comments include, “Y’all built this exchange on the narrative of ‘being transparent with the community,’ yet it took over 18 hours to disclose the hack of more than $44 million.”
So, how did the attack take place, and why did it take CoinDCX so long to report it?
Did you know? North Korean attackers were responsible for the infamous Bybit hack in February 2025, which resulted in the most significant single crypto theft in history, totaling $1.5 billion.
How CoinDCX was hacked
The CoinDCX security breach unfolded with what has been referred to as military precision between July 16 and 19, 2025. Gupta describes the incident as a sophisticated server breach, and according to the exchange’s incident report:
“The attacker accessed the account used for operational liquidity provisioning by penetrating our liquidity infrastructure.”
ZachXBT, who has exposed some of the largest crypto scams over the past few years, has also been following the money trail. On his Telegram channel, he explained that “the attacker’s address was funded with one ether from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum.”
Tornado Cash, the crypto mixer used to launder the proceeds of many thefts, has processed $7 billion since 2019 and was used to fund the attacker’s address in the run-up to this attack.
On July 16, attackers took a “dry run” with a 1-USDt (USDT) test transaction as part of their careful reconnaissance. It shows this wasn’t an opportunistic attack: The hackers had taken the time to learn the exchange’s liquidity infrastructure.
It’s currently not known what exact attack vector the criminals used, but security experts, such as Deddy Lavid, CEO of cybersecurity firm CyVers, suggested during their analysis that the vulnerability was due to backend access through exposed credentials.
The CoinDCX internal security and operation teams have been working with top cybersecurity experts to investigate the issues, trace funds and patch any vulnerabilities.
Did you know? Crypto exchange security breaches can cause notable drops in Bitcoin (BTC) prices, typically by 1.5% on news of an attack. Additionally, it can have adverse market effects that persist well beyond the incident date.
Tracing the funds from the CoinDCX Indian crypto exchange hack
Once attackers had drained over $40 million worth of USDT from the operational Solana wallet, funds moved quickly. Within five minutes, the crypto wallet was empty, and funds had started to move through the Jupiter swap aggregator and Wormhole bridge infrastructure.
In the process, assets were systematically bridged from Solana to Ethereum in chunks of 1,000-4,000 Solana (SOL).
The cryptocurrency was routed through multiple hops and ultimately landed in two wallets:
- A Solana wallet holding around 155,830 SOL (approximately $27.6 million) that remains dormant.
- An Ethereum wallet containing about 4,443 ETH (roughly $15.7 million), where much of the stolen value was consolidated.
Interestingly, it’s thought that detection of the hack was delayed due to attackers exploiting legitimate operational privileges. They could make large-scale fund movements without triggering security alarms.
Lavid also added, “Although the compromised account was segregated from user wallets, its operational privileges were sufficient to execute large-scale fund movements without triggering immediate alarms.”
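The two behaviors described above, a tiny test transfer to a never-seen address followed days later by large outflows to that same address within minutes, are exactly what a hot-wallet monitor can alert on even when the sending account is fully authorized. The following is an added illustration, not code from the article or from CoinDCX; the transfer log, addresses, balance and thresholds are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical operational hot wallet (not CoinDCX data).
# Fields: ISO timestamp, direction, amount in USDT, counterparty address (placeholder).
TRANSFERS = [
    ("2025-07-15T10:00:00", "out", 250_000, "0xLIQUIDITY_DESK"),  # routine, known desk
    ("2025-07-16T09:12:00", "out", 1, "0xNEW_ADDR_A"),            # "dry run" to an unseen address
    ("2025-07-19T02:00:00", "out", 12_000_000, "0xNEW_ADDR_A"),
    ("2025-07-19T02:01:30", "out", 15_000_000, "0xNEW_ADDR_A"),
    ("2025-07-19T02:03:00", "out", 17_000_000, "0xNEW_ADDR_A"),
]
KNOWN_COUNTERPARTIES = {"0xLIQUIDITY_DESK"}  # constructed allowlist
WALLET_BALANCE = 45_000_000                   # constructed balance in USDT


def parse(ts):
    return datetime.fromisoformat(ts)


def dry_run_alerts(transfers, small=10, big=100_000, max_gap=timedelta(days=7)):
    """Flag a tiny outflow to a never-seen address followed, within max_gap,
    by a large outflow to the same address (the test-then-drain pattern)."""
    first_small = {}
    alerts = []
    for ts, direction, amount, dest in transfers:
        if direction != "out" or dest in KNOWN_COUNTERPARTIES:
            continue
        t = parse(ts)
        if amount <= small and dest not in first_small:
            first_small[dest] = t
        elif amount >= big and dest in first_small and t - first_small[dest] <= max_gap:
            alerts.append((ts, dest, amount))
    return alerts


def velocity_alerts(transfers, window=timedelta(minutes=5), max_fraction=0.25):
    """Flag any sliding window in which total outflows exceed max_fraction of
    the wallet balance, regardless of whether the sender was authorized."""
    outs = [(parse(ts), amt) for ts, d, amt, _ in transfers if d == "out"]
    alerts = []
    start = 0
    for end in range(len(outs)):
        while outs[end][0] - outs[start][0] > window:
            start += 1
        total = sum(a for _, a in outs[start:end + 1])
        if total > max_fraction * WALLET_BALANCE:
            alerts.append((outs[end][0].isoformat(), total))
    return alerts
```

Either rule fires on the constructed log at 02:00 on July 19, before the wallet is empty; the velocity rule needs no knowledge of the counterparty at all, only a balance-relative outflow budget per window.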
Did you know? Recovery rates for funds after a crypto heist are miserably low. Only $187 million of the $2.5 billion stolen in the first half of 2025 has been successfully returned. That represents less than 8%.
CoinDCX’s response to the hack
On July 21, 2025, CoinDCX announced a bounty program offering up to 25% of any recovered funds. The reward, depending on the success of recovery efforts, could total as much as $11 million.
Gupta explained that the bounty aims to incentivize researchers, blockchain investigators and white hat hackers to help track and retrieve the stolen assets.
“More than recovering the stolen assets, what is important for us is to identify and catch the attackers because such things shouldn’t happen again - not with us, not with anyone in the industry,” he said.
Gupta has also reiterated several times that no customer funds have been impacted and that those assets are completely safe in cold storage infrastructure. He also explained on X that CoinDCX is still “financially strong, fully operational and firmly committed” to building for the long term. It’s business as usual.
The wider impact for crypto exchange security
Every week, it seems like a new wave of crypto crime emerges. 2025 has been a devastating year for crypto security.
It’s estimated that $2.17 billion was stolen from cryptocurrency services in the first half of 2025. This exceeds all of 2024’s losses combined. Experts put the average loss per incident at $7.18 million, making it one of the worst years on record.
One dominant actor in these threats is North Korea’s Lazarus Group. They’ve been linked to stealing more than $1.6 billion in the first half of 2025 alone. They use sophisticated tactics that rely on cross-chain bridging, infrastructure knowledge, crypto mixers and targeting centralized exchanges.
This highlights the importance of exchanges operating with a security architecture that limits the damage from a breach. In the case of CoinDCX, its segregated wallet system, strong treasury reserves and customer cold storage protected the firm from devastation.
The CoinDCX hack really highlights the need for strong security in crypto exchanges. It’s a cautionary tale, for sure. It shows how relentless groups like North Korea’s Lazarus can be. At the same time, CoinDCX managed to keep all customer funds safe by using separate wallet systems. That sets an industry example for other exchanges to learn from.
Crypto theft isn’t slowing down in 2025, so it’s hard not to worry. Exchanges shouldn’t just focus on stopping breaches; they need to set up their systems so that, if something goes wrong, the damage stays contained and doesn’t infect customer holdings.