What is the CoinDCX $44-million crypto theft?
India’s largest crypto exchange, CoinDCX, fell victim to a sophisticated $44.2-million hack on July 19, 2025.
Attackers gained access to an operational wallet and drained it within minutes. Because that wallet was segregated from customer wallets, CoinDCX’s security architecture kept all customer funds safe.
News of the hack took nearly 17 hours to emerge; it surfaced when blockchain investigator ZachXBT flagged the suspected breach on his official Telegram channel.
CoinDCX CEO Sumit Gupta was then quick to respond with a statement on X, explaining that one of the exchange’s internal operational accounts used for liquidity had been compromised, while confirming that customer assets were safe.
The CoinDCX hack has been linked to the infamous Lazarus Group of North Korea, an aggressive state-sponsored hacking syndicate that targets crypto exchanges.
Many in the crypto community were frustrated at CoinDCX’s slow reporting, especially as the organization claims to keep a strong public stance on transparency. Community comments include, “Y’all built this exchange on the narrative of ‘being transparent with the community,’ yet it took over 18 hours to disclose the hack of more than $44 million.”

So, how did the attack take place, and why did it take CoinDCX so long to report it?
Did you know? North Korean attackers were responsible for the infamous Bybit hack in February 2025, which resulted in the most significant single crypto theft in history, totaling $1.5 billion.
How CoinDCX was hacked
The CoinDCX security breach unfolded with what has been described as military precision between July 16 and 19, 2025. Gupta described the incident as a sophisticated server breach, and the exchange’s incident report states:
“The attacker accessed the account used for operational liquidity provisioning by penetrating our liquidity infrastructure.”
ZachXBT, who has exposed some of the largest crypto scams over the past few years, has also been following the money trail. On his Telegram channel, he explained that “the attacker’s address was funded with one ether from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum.”

Tornado Cash, a crypto mixer that has processed $7 billion since 2019, was used to fund the attacker’s address in the run-up to the attack.
On July 16, the attackers carried out a “dry run” with a 1-USDt (USDT) test transaction as part of their reconnaissance. This shows the attack was not opportunistic: the hackers had taken time to learn the exchange and its liquidity infrastructure.
It is not yet known exactly which attack vector the criminals used, but security experts such as Deddy Lavid, CEO of cybersecurity firm CyVers, suggested in their analysis that the breach came from backend access via exposed credentials.
The CoinDCX internal security and operation teams have been working with top cybersecurity experts to investigate the issues, trace funds and patch any vulnerabilities.
Did you know? Crypto exchange security breaches can cause notable drops in Bitcoin (BTC) prices, typically by 1.5% on news of an attack. Additionally, it can have adverse market effects that persist well beyond the incident date.
Tracing the funds from the CoinDCX Indian crypto exchange hack
Once attackers had drained over $40 million worth of USDT from the operational Solana wallet, funds moved quickly. Within five minutes, the crypto wallet was empty, and funds had started to move through the Jupiter swap aggregator and Wormhole bridge infrastructure.
In the process, assets were systematically bridged from Solana to Ethereum in chunks of 1,000-4,000 Solana (SOL).
The cryptocurrency was routed through multiple hops and ultimately landed in two wallets:
- A Solana wallet holding around 155,830 SOL (approximately $27.6 million) that remains dormant.
- An Ethereum wallet containing about 4,443 ETH (roughly $15.7 million), where much of the stolen value was consolidated.
Interestingly, detection of the hack is thought to have been delayed because the attackers were using legitimate operational privileges: the compromised account was entitled to move funds, so large-scale transfers did not trigger security alarms.
Lavid also added, “Although the compromised account was segregated from user wallets, its operational privileges were sufficient to execute large-scale fund movements without triggering immediate alarms.”
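The gap Lavid describes, an account whose legitimate privileges let large movements pass unnoticed, is one that transaction-level monitoring can partly close. As an added example that is not from the article or from CoinDCX, the Python below applies two simple rules to a constructed transfer ledger: flag a dust-sized payment to a never-before-seen address (the “dry run” pattern described above) and flag cumulative outflow from one operational wallet that exceeds a threshold inside a short window. The wallet labels, addresses, amounts and thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    ts: datetime   # block timestamp
    src: str       # internal label of the sending (operational) wallet
    dst: str       # destination address
    usd: float     # USD value of the transfer at the time

# Constructed sample ledger, not real on-chain data: a dust-sized probe to a
# never-before-seen address on July 16, normal market-making flow, then a burst
# of large transfers to that same address on July 19.
KNOWN_DESTINATIONS = {"addr_MM1"}   # hypothetical allow-list of counterparties
SAMPLE = [
    Transfer(datetime(2025, 7, 16, 10, 0), "ops-liquidity", "addr_NEW", 1.0),
    Transfer(datetime(2025, 7, 16, 12, 0), "ops-liquidity", "addr_MM1", 250_000.0),
    Transfer(datetime(2025, 7, 19, 2, 0), "ops-liquidity", "addr_NEW", 12_000_000.0),
    Transfer(datetime(2025, 7, 19, 2, 1), "ops-liquidity", "addr_NEW", 15_000_000.0),
    Transfer(datetime(2025, 7, 19, 2, 3), "ops-liquidity", "addr_NEW", 17_000_000.0),
]

def detect(transfers, known_dsts, window=timedelta(minutes=10),
           burst_usd=5_000_000.0, probe_usd=10.0):
    """Two rules that look only at transfer metadata, independent of who signed:
    1. probe_to_new_destination: a tiny transfer to an address never paid before
       (the kind of "dry run" that precedes a drain).
    2. outflow_burst: cumulative outflow from one source wallet exceeds
       burst_usd inside a sliding time window; raised once per burst."""
    alerts = []
    seen = set(known_dsts)
    recent = []          # transfers inside the current sliding window
    over = {}            # src -> currently above the burst threshold?
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.dst not in seen:
            seen.add(t.dst)
            if t.usd <= probe_usd:
                alerts.append(("probe_to_new_destination", t.ts, t.dst, t.usd))
        recent = [r for r in recent if t.ts - r.ts <= window] + [t]
        total = sum(r.usd for r in recent if r.src == t.src)
        if total > burst_usd and not over.get(t.src, False):
            alerts.append(("outflow_burst", t.ts, t.src, total))
        over[t.src] = total > burst_usd
    return alerts

def run_sample():
    # Returns the alerts raised over the constructed ledger above.
    return detect(SAMPLE, KNOWN_DESTINATIONS)
```

On the sample ledger the probe rule fires on July 16, three days before the drain, which is the window a defender would want for review of the new destination.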
Did you know? Recovery rates for funds after a crypto heist are miserably low. Only $187 million of the $2.5 billion stolen in the first half of 2025 has been successfully returned. That represents less than 8%.
CoinDCX’s response to the hack …
cointelegraph.com
