A major Indian cryptocurrency exchange, CoinDCX, recently got hit by a sophisticated cyberattack. The incident led to a loss of about $44 million. However, the company quickly reassured its customers that their money was safe. It seems the hackers only managed to get into an account CoinDCX used for providing liquidity to a partner exchange.
Blockchain analyst ZachXBT first spotted the unusual activity. He noticed a wallet linked to CoinDCX was receiving stolen funds. Within just ten minutes of ZachXBT posting about it online, CoinDCX CEO Sumit Gupta confirmed the attack. Gupta explained that the attacker got their initial funds, about 1 ETH, from a service called Tornado Cash. They then moved some of the stolen assets from the Solana network over to Ethereum.
CoinDCX Promises User Funds Are Safe
Gupta stated clearly that the security breach was a “sophisticated attack on servers.” He emphasized that customer funds were not affected at all. He promised the company would cover the $44 million loss using its own treasury. CoinDCX is now working closely with its partners to track down and recover the stolen digital assets. The company also announced plans to launch a bug bounty program soon. This program will reward people who find and report security weaknesses.
“I confirm that CoinDCX wallets used to store client assets are not compromised and are completely secure,” Gupta wrote in his public statement. This quick and clear response aimed to calm worried investors.
A Familiar Echo: One Year After WazirX
This incident strikes a painful chord, happening almost exactly one year after another massive hack hit WazirX. At the time, WazirX was India’s largest crypto exchange. On July 18, 2024, it suffered a $230 million theft. WazirX eventually stopped its operations, and a court in Singapore rejected its recovery plan last month. Investigators linked the WazirX attack to the Lazarus Group, a notorious hacking organization backed by North Korea. So far, there’s no word if the same group is behind the CoinDCX incident.
CoinDCX itself started in 2018. It became India’s first crypto “unicorn” in 2021. That year, it raised $90 million, pushing its value to $1.1 billion. A year later, it secured another $135 million, bringing its valuation to a healthy $2.15 billion, according to reports from The Block. Just this past July, CoinDCX expanded its reach globally by buying BitOasis, a platform based in Dubai.
Past Debates Over Withdrawal Rules
CoinDCX hasn’t been without its share of public discussion. Users have often complained about its strict rules for withdrawing cryptocurrency. By default, users cannot take their crypto off the platform unless they pass a special risk review.
Gupta defended these policies during a Reddit question-and-answer session in May. He argued that these restrictions help stop illegal movement of funds. “We enable this feature only for users who meet our risk assessment and enhanced due diligence criteria, as per our policy,” he explained. In that same session, Gupta claimed CoinDCX was ready for an attack like the one WazirX faced. He pointed to the company’s multi-layered security, its practice of storing funds with different custodians, a compensation fund for users, and regular reports showing its reserves.
Compensation Fund and Current Health
CoinDCX’s compensation fund holds about $7 million, based on its most recent proof-of-reserves report. As of June this year, the company reported total holdings worth $584.2 million. It serves nearly 20 million registered users.
Despite this security setback, CoinDCX maintains its pledge to safety, openness, and getting back what was lost. This event once again brings up serious questions about how secure centralized exchanges truly are, especially in growing markets like India.