CoinDCX CEO blames 'server breach' for $44 million exploit; Indian firm will cover losses

One year after a $230 million exploit took down Indian crypto exchange WazirX, another prominent Indian exchange, CoinDCX, lost around $44 million in a significant hack. 

The attack took place early Saturday morning in India, and was first identified by blockchain sleuth ZachXBT about 17 hours after it began. ZachXBT flagged the breach to his followers after manually identifying the affected wallet as belonging to CoinDCX. "The attacker address was funded with 1 ETH from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum," ZachXBT wrote. 

Within 10 minutes from ZachXBT's post, CoinDCX CEO Sumit Gupta confirmed the hack in a post on X, blaming a "sophisticated server breach" that compromised an account used for liquidity provisioning on a partner exchange. No customer funds were affected, Gupta said, pledging that the exchange would cover the loss from its own treasury reserves. 

"We are collaborating with the exchange partner to block and recover assets, including coming out with a bug bounty program soon," Gupta wrote. "I confirm that the CoinDCX wallets used to store customer assets are not impacted and are completely safe."

The attack came about one year after a massive $230 million hack took down WazirX, formerly India's largest crypto exchange, on July 18, 2024. The exchange stopped operating after the exploit, and last month, a Singapore court rejected its proposed restructuring plan. On-chain investigators eventually fingered North Korea's state-sponsored Lazarus Group for the attack; it is currently unclear if the same group is behind the CoinDCX exploit. 

CoinDCX became India's first crypto unicorn in 2021 after raising $90 million at a $1.1 billion valuation; the following year, it raised another $135 million, nearly doubling its valuation to $2.15 billion, The Block previously reported. CoinDCX acquired Dubai-based platform BitOasis in July 2024, setting the stage for its international expansion plans. 

CoinDCX's strict withdrawal policy

CoinDCX has faced complaints from customers in the past due to its restricted stance on crypto withdrawals: users are not permitted to withdraw crypto from the exchange by default, but can be granted the ability after internal review by CoinDCX's team. 

"Crypto withdrawals are not enabled by default as they may pose a risk of illicit fund movement," Gupta wrote in May as part of a Reddit ask-me-anything session. "However, we do enable this feature for users who meet our internal risk assessment and enhanced due diligence criteria in line with our risk policy."

When asked about the WazirX hack on Reddit, Gupta said he was confident a similar incident wouldn't happen at CoinDCX. Gupta pointed to CoinDCX's "robust, multi-layered framework to safeguard crypto assets" with funds distributed across multiple wallets and custodians, a fund set up to compensate users in the event of a breach, the firm's monthly proof of reserve reports, and its security measures and regulatory compliance as reasons his exchange is protected against a large exploit. 

The fund meant to compensate users in the event of a breach has about $7 million, according to CoinDCX's most recent proof of reserves post. The exchange said its total holdings were valued at $584.2 million, with nearly 20 million registered users, as of June.