$44 Million Crypto Breach Hits CoinDCX, CEO Assures User Funds Safe
CoinDCX, one of India’s largest cryptocurrency exchanges, has confirmed a $44 million security breach stemming from what CEO Sumit Gupta described as a “sophisticated server breach” that compromised an internal liquidity provisioning account.
The incident, which took place early Saturday morning (IST), marks one of the most significant crypto exchange exploits in India since last year’s $230 million Lazarus Group-led hack on WazirX.
Despite the scale of the loss, CoinDCX has assured users that no customer funds were impacted and that the exchange will fully cover the losses from its treasury.
Also, read| Promotion Of Illicit Betting Apps: ED Issues Notices To Google, Meta
“We are working closely with our partner exchange to block and recover the compromised assets and will soon launch a bug bounty program,” Gupta wrote on X. “Our customers’ wallets remain completely safe. The breach only affected a specific operational account used for liquidity.”
.@CoinDCX just proved what real transparency looks like in crypto.
Despite a server breach hitting one of their internal operational accounts:
👉 No customer funds were touched
👉 Cold wallets remain 100% safe
👉 Trading and withdrawals? Fully operationalShoutout to @smtgpt… https://t.co/avnsiVR7lo
— Money Guru Digital (@Moneygurudigi) July 19, 2025
The breach remained undisclosed for nearly 17 hours until it was flagged by prominent blockchain investigator ZachXBT, who identified suspicious on-chain movements originating from a wallet later confirmed to belong to CoinDCX.
According to ZachXBT, the attacker funded their address with 1 ETH via Tornado Cash before bridging a portion of the stolen funds from Solana to Ethereum, a tactic often used to obscure the movement of illicit assets.
Also, read| After The Coldplay Kiss Cam Scandal, Here Are Some Facts About CEO Andy Byron And Astronomer
Minutes after ZachXBT’s post, Gupta confirmed the exploit, triggering a wave of concern within India’s crypto community. Although Gupta emphasised the exchange’s preparedness, citing a multi-layered asset custody framework and internal insurance fund, the breach has raised fresh concerns over transparency and security, particularly after his recent comments dismissing the possibility of a WazirX-style attack at CoinDCX.
Trading and INR withdrawals on CoinDCX are fully operational and running smoothly. ✅
You can withdraw your INR anytime — without restrictions. We’re here for you, and we stand by our commitment to honour all withdrawal requests. 💯
A gentle reminder: Don’t panic sell your… https://t.co/e4DWVvYx0i
— Sumit Gupta (CoinDCX) (@smtgpt) July 19, 2025
The timing of the breach is striking: it occurred almost exactly one year after the catastrophic WazirX hack on July 18, 2024, which led to the eventual collapse of the once-dominant Indian crypto platform.
Investigations later attributed the WazirX attack to North Korea’s Lazarus Group, although no such attribution has been made yet in the CoinDCX case.
Last month, a Singapore court rejected WazirX’s proposed restructuring plan, sealing the fate of the exchange.
CoinDCX maintains a $7 million user protection fund, according to its latest proof-of-reserves report, released in June. The platform also claims total holdings of $584.2 million and a user base of nearly 20 million.
The exchange has historically maintained strict withdrawal controls, requiring users to pass enhanced due diligence to enable crypto withdrawals. While these policies have drawn criticism for their rigidity, Gupta has argued that they serve to prevent illicit fund flows.
“Withdrawals are disabled by default for security reasons, but users can apply for activation after our internal review,” Gupta said during a Reddit AMA in May.
During the same session, he expressed confidence in CoinDCX’s security architecture and risk protocols, noting that funds were distributed across multiple wallets and custodians, with ongoing audits and regulatory compliance in place.
Founded in 2018, CoinDCX became India’s first crypto unicorn in 2021. After raising $90 million at a $1.1 billion valuation, the company doubled that figure in 2022 to reach $2.15 billion. Its ambitions to go global were further emphasised by its acquisition of Dubai-based BitOasis in July 2024.
But Saturday’s breach has put the company and India’s broader crypto ecosystem under renewed scrutiny, with calls for stronger incident response transparency and heightened regulation.
