Crypto Exchange CoinDCX Hit by Security Breach, $44 Million Drained

India’s second-largest crypto exchange, CoinDCX, revealed on 19 July that one of its internal operational accounts used for liquidity provisioning was compromised in a sophisticated server breach. While the platform’s Co-founder and CEO, Sumit Gupta, asserted that “the CoinDCX wallets used to store customer assets are not impacted and are completely safe,” anonymous blockchain investigator ZachXBT claimed that approximately $44.2 million was drained from its accounts.

This marks the second major cyberattack on an Indian crypto exchange in a year. On 18 July 2024, WazirX lost crypto assets worth $234 million in a similar breach.

“Today, one of our internal operational accounts—used solely for liquidity provisioning on a partner exchange—was compromised due to a sophisticated server breach,” Gupta said in a post on X.

He added that no customer funds were affected and that user assets remain secure in CoinDCX’s cold wallet infrastructure. All trading activities and INR withdrawals continue to operate normally.

“The incident was quickly contained by isolating the affected operational account. Since our operational accounts are segregated from customer wallets, the exposure is limited to this specific account and is being fully absorbed by us from our own treasury reserves. Our internal security and operations teams have been working throughout the day with leading cybersecurity partners to investigate the matter, patch any vulnerabilities, and trace the movement of funds,” Gupta explained.

Earlier in the day, ZachXBT posted in a Telegram channel: “Looks like the Indian centralised exchange CoinDCX was likely drained for ~$44.2M almost 17 hours ago and has yet to disclose the incident to the community. The attacker address was funded with 1 ETH from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum.”

CoinDCX’s founder said the company will collaborate with its exchange partner to block and recover the stolen assets and will soon launch a bug bounty programme.

“I understand incidents like this can be unsettling—even when customer assets are unaffected. That’s why I am sharing this incident with you with full transparency,” Gupta said on X.

Last year, WazirX’s $234 million cyber breach was linked to North Korea’s Lazarus Group. Trading and withdrawals were immediately suspended. WazirX’s parent company, Zettai, proposed a recovery plan which, although supported by 93% of creditors, was initially rejected by the Singapore High Court in June due to transparency concerns. After amendments, the court allowed a re-vote, scheduled before September 16.
