Indian Crypto Exchange CoinDCX Loses $44 Million in Security Breach

The hack comes exactly one year after another major Indian crypto exchange, WazirX, lost $235 million to hackers. This timing raises new questions about security at Indian crypto platforms.

Blockchain detective ZachXBT first spotted the hack and accused the CoinDCX team of waiting 17 hours before disclosing. The investigator found that hackers started with just 1 Ethereum coin from Tornado Cash, a service that hides where crypto comes from. They then moved stolen funds between different blockchains, including Solana and Ethereum.

CoinDCX urges its followers to thank it for its transparency. Source: ZachXBT on X

CoinDCX CEO Sumit Gupta confirmed the attack within 10 minutes of ZachXBT’s public announcement. Gupta blamed a “server breach” that let hackers access an internal account used only for providing liquidity to partner exchanges.

The hackers moved money through multiple wallets across different blockchains, making it hard to track. Security firm Cyvers first detected the suspicious withdrawals from CoinDCX’s hot wallet.

CoinDCX says it has contain the damage. The exchange isolated the affected account and froze related internal systems. CEO Gupta stressed that customer funds stayed safe because the company keeps operational accounts separate from user wallets – a basic security requirement for any exchange.

“The incident was quickly contained by isolating the affected operational account,” Gupta said in a public statement. “Since our operational accounts are segregated from customer wallets, the exposure is only limited to this specific account and is being fully absorbed by us, from our own treasury reserves.”

The exchange kept all trading and rupee withdrawals running normally. However, CoinDCX temporarily shut down its Web3 feature.

In typical exchange ‘close the barn door after the horse has bolted’ fashion, CoinDCX says it is working with security experts and crypto forensics agencies to recover the stolen funds. The company also plans to launch a bug bounty program to find and fix security holes.

Founded in 2018, CoinDCX serves over 13 million users and holds the title of India’s most valuable crypto company. The exchange reached a $2.15 billion valuation in 2022 after raising $135 million from investors including Pantera Capital and Coinbase Ventures.

The company became India’s first crypto unicorn in 2021. As of June 2025, CoinDCX reported holding $584.2 million in total assets across nearly 20 million registered users.

Ironically, CoinDCX has positioned itself as a security-focused platform. The exchange maintains monthly transparency reports and operates a $7 million fund designed to compensate users if a security breach affects customer accounts.

The CoinDCX hack adds to a troubling year for crypto security. CertiK’s latest report shows that hackers stole $2.47 billion in the first half of 2025, already beating all of 2024’s losses.

Two massive hacks drove most of these losses: the Bybit exchange lost $1.5 billion in February, and Cetus Protocol lost $225 million in May. These two incidents alone account for $1.78 billion of the total.

Cyvers CTO Meir Dolev pointed out that centralized exchanges remain prime targets. “In Q2 2024 alone, over 65% of losses in Web3 originated from CEX-related incidents, with nearly $500 million lost due to wallet access breaches,” Dolev said.

The security firm noted that hackers increasingly use sophisticated methods to access exchange wallets. Cross-chain attacks, where criminals move money between different blockchains, make tracking stolen funds much harder.

The CoinDCX hack highlights ongoing security challenges at Indian crypto exchanges. Last year’s WazirX hack, attributed to North Korean hackers, forced that exchange to stop operations. A Singapore court recently rejected WazirX’s restructuring plan.

Before the WazirX incident, CoinDCX CEO Gupta had expressed confidence that his exchange’s security measures would prevent similar attacks. The company pointed to its multi-layered security framework and fund segregation as key protections.

CoinDCX acquired Dubai-based platform BitOasis in July 2024, setting up international expansion plans. The hack may slow these growth efforts as the company focuses on strengthening security.

The $44 million loss represents about 7.5% of CoinDCX’s total holdings. While significant, this amount shouldn’t threaten the exchange’s operations since customer funds remained untouched.

The CoinDCX hack shows that even well-funded exchanges with strong security claims remain vulnerable to sophisticated attacks. While the exchange says it protected customer funds and responded quickly, the incident raises questions about operational security at Indian crypto platforms. As the crypto industry faces record-breaking security losses in 2025, exchanges must strengthen their defenses against increasingly complex threats.