Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 241 · Private Key Compromise

CoinDCX Liquidity Account Drain

Attackers drained $44M from CoinDCX's internal liquidity account for partner-exchange reserves; the exchange absorbed the loss from treasury.

Date: July 19, 2025
Victim: CoinDCX
Status: Funds Stolen

On July 19, 2025, CoinDCX — India's largest cryptocurrency exchange — suffered a server-side breach that drained approximately $44 million from an internal liquidity-provisioning account used to maintain reserves for routing customer transactions through a partner exchange. Customer cold-storage assets were untouched; CoinDCX absorbed the loss from its own treasury.

What happened

CoinDCX co-founder Sumit Gupta described the incident as a "sophisticated server breach" targeting infrastructure adjacent to a single internal operational account rather than the main custody system. The compromised account existed to provision liquidity to a partner exchange for routing customer trades; it held meaningful capital but was operationally isolated from customer cold storage by design.

The breach pattern is consistent with recent state-aligned operations against mid-tier exchange operators: server-side compromise of the path through which the operational account's signing credentials are reached, programmatic withdrawal of the targeted account's holdings, then immediate cross-chain conversion to frustrate tracing. CoinDCX did not publicly attribute the attack. The on-chain laundering signature, however, was consistent with recurring Lazarus / North-Korea-aligned operations against Indian and South-East Asian exchanges, so any attribution here is inferred from the laundering pattern rather than stated by the victim.

The story broke publicly when ZachXBT posted the wallet movements on his Telegram channel; CoinDCX's official disclosure came afterwards. That ordering recurs in exchange breaches, and it has become a meaningful incentive for faster disclosure.

Aftermath

  • Customer balances remained intact, with cold-storage assets unaffected.
  • CoinDCX launched a recovery bounty of up to 25% of recovered assets (potentially up to $11M) for help tracing or recovering the stolen funds.
  • A CoinDCX employee was arrested in late July as part of the investigation, though the firm did not publicly characterise the employee's exact role in the breach.
  • The exchange's leadership stated it had absorbed the full loss from corporate treasury and remained well-capitalised.

Why it matters

CoinDCX is part of an emerging pattern in 2024–2025 exchange security in which the attack surface has shifted from customer wallets to the operational accounts used for inter-exchange liquidity routing. These accounts are by design held in hot wallets, are reachable by a wider population of internal staff and systems than core custody is, and often carry looser velocity limits so that routine liquidity rebalancing is not blocked. The defensive answers are known but not yet universally implemented: keep the operational account's signing keys in an HSM isolated from the application servers that request transfers, run per-account anomaly detection on withdrawal velocity and destination, and require multi-sig approval for transfers above an operationally significant threshold.
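
As an added example, not code from this page and not CoinDCX's own controls, the Python below sketches the per-account controls described above: a destination allowlist, a per-transfer balance-fraction cap, a sliding-window velocity limit, and a multi-sig requirement above a threshold. It then replays a constructed sequence of events against a hypothetical liquidity account: routine rebalancing transfers, a co-signed large transfer, an unapproved one, a single drain-style transfer to a fresh address, and a drain split into small chunks. The addresses, limits, balances and timestamps are all assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, FrozenSet, List, Set


@dataclass
class AccountPolicy:
    """Limits for one operational hot-wallet account (illustrative values)."""
    window_seconds: int             # sliding window for the velocity limit
    max_window_outflow: float       # max total outflow (USD) within the window
    max_balance_fraction: float     # max share of current balance in one transfer
    allowed_destinations: Set[str]  # pre-registered partner deposit addresses
    approval_threshold: float       # single transfers above this need co-signers


@dataclass
class Withdrawal:
    ts: int                         # unix seconds
    amount_usd: float
    destination: str
    approved_by: FrozenSet[str] = frozenset()  # signers who co-signed this transfer


@dataclass
class Verdict:
    allow: bool
    reasons: List[str] = field(default_factory=list)


class WithdrawalGuard:
    """Evaluates each withdrawal from an operational account against its policy.

    Checks are cumulative: every failed control is reported, so an analyst can
    see whether a held transfer tripped one control or several.
    """

    def __init__(self, policy: AccountPolicy, balance_usd: float, required_signers: int = 2):
        self.policy = policy
        self.balance = balance_usd
        self.required_signers = required_signers
        self.recent: Deque[Withdrawal] = deque()  # allowed withdrawals inside the window

    def _prune(self, now: int) -> None:
        cutoff = now - self.policy.window_seconds
        while self.recent and self.recent[0].ts < cutoff:
            self.recent.popleft()

    def check(self, w: Withdrawal) -> Verdict:
        self._prune(w.ts)
        p = self.policy
        reasons: List[str] = []
        if w.destination not in p.allowed_destinations:
            reasons.append("destination not on allowlist")
        if w.amount_usd > p.max_balance_fraction * self.balance:
            reasons.append("exceeds per-tx balance fraction")
        # The velocity limit counts the pending transfer plus everything already
        # allowed in the window, so splitting a drain into chunks does not evade it.
        if sum(x.amount_usd for x in self.recent) + w.amount_usd > p.max_window_outflow:
            reasons.append("window velocity limit exceeded")
        if w.amount_usd > p.approval_threshold and len(w.approved_by) < self.required_signers:
            reasons.append("needs multi-sig approval")
        if reasons:
            return Verdict(False, reasons)
        self.recent.append(w)
        self.balance -= w.amount_usd
        return Verdict(True)


def simulate() -> Dict[str, Verdict]:
    """Replays constructed events through the guard; returns one verdict per label."""
    partner = "0xPARTNER-DEPOSIT"  # hypothetical allowlisted partner-exchange address
    policy = AccountPolicy(window_seconds=3600, max_window_outflow=2_000_000.0,
                           max_balance_fraction=0.05, allowed_destinations={partner},
                           approval_threshold=1_000_000.0)
    guard = WithdrawalGuard(policy, balance_usd=50_000_000.0)
    ops = frozenset({"treasury-ops-1", "treasury-ops-2"})  # hypothetical co-signers
    events = [  # constructed sample data, evaluated in order
        ("rebalance-1", Withdrawal(0, 400_000.0, partner)),
        ("rebalance-2", Withdrawal(600, 800_000.0, partner)),
        ("large-approved", Withdrawal(4500, 1_500_000.0, partner, ops)),
        ("large-unapproved", Withdrawal(4510, 1_500_000.0, partner)),
        ("drain", Withdrawal(5000, 44_000_000.0, "0xATTACKER-FRESH")),
        ("split-1", Withdrawal(5001, 500_000.0, partner)),
        ("split-2", Withdrawal(5002, 500_000.0, partner)),
    ]
    return {label: guard.check(w) for label, w in events}


if __name__ == "__main__":
    for label, v in simulate().items():
        print(f"{label:17} {'ALLOW' if v.allow else 'HOLD '} {', '.join(v.reasons)}")
```

In the replay, the two routine rebalances and the co-signed large transfer pass; the same large transfer without co-signers is held on both the velocity limit and the approval rule; the single drain trips all four controls; and the chunked drain gets exactly one chunk through before the window total exceeds the limit. A real deployment would enforce the allowlist and the co-signing in the HSM or signing service rather than in the application tier that an attacker has already compromised.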

The case also illustrates the disclosure-pace problem: when ZachXBT reports an exchange's breach before the exchange does, the exchange loses control of the narrative and legitimate user concern accelerates. Fast, proactive disclosure is increasingly the dominant strategy for exchanges that survive these incidents.

Sources & on-chain evidence

  1. TechCrunch: https://techcrunch.com/2025/07/21/indian-crypto-exchange-coindcx-confirms-44-million-stolen-during-hack/
  2. CoinDesk: https://www.coindesk.com/web3/2025/07/19/indian-crypto-exchange-coindcx-suffers-44m-hack
  3. Halborn: https://www.halborn.com/blog/post/explained-the-coindcx-hack-july-2025
