When Hackers Waltzed Off with $44M from CoinDCX, Unravelled in Austen’s Wit

It is a truth universally acknowledged, that an exchange in possession of a good fortune must be in want of security. Such was the case with India’s largest crypto exchange, CoinDCX, which, on the fine morning of July 19, 2025, found itself the unwilling host to a most unwelcome guest—a hacker, or rather, a group of hackers, who, with the grace of a gentleman and the stealth of a cat burglar, managed to siphon off a sum of $44.2 million without so much as a nod to the security protocols in place.

The audacity of these modern-day pirates knew no bounds, for they managed to gain access to an operational wallet and drained it within minutes, leaving behind only a trail of digital footprints and a rather large hole in the exchange’s coffers. Yet, one must commend the architects of CoinDCX, for all customer funds were kept in a vault so secure, it might as well have been guarded by the very spirits of Fort Knox.

News of this dastardly deed, however, did not reach the ears of the public until nearly 17 hours later, when the ever-vigilant ZachXBT, a blockchain sleuth of considerable repute, sounded the alarm via his official Telegram channel. One cannot help but wonder if the delay in disclosure was a mere oversight or a calculated decision to maintain the semblance of tranquility.

CoinDCX CEO Sumit Gupta, a man of action and words, was quick to address the matter on X, assuring the world that while one of their internal operational accounts used for liquidity had indeed been compromised, the safety of customer assets remained intact. A reassuring statement, though it did little to quell the murmurs of discontent among the crypto community, who felt that the exchange’s commitment to transparency had been sorely tested.

This latest escapade has been linked to the notorious Lazarus Group of North Korea, a band of miscreants known for their state-sponsored shenanigans and a particular fondness for crypto exchanges. The community, naturally, was not amused, with one commentator remarking, “Y’all built this exchange on the narrative of ‘being transparent with the community,’ yet it took over 18 hours to disclose the hack of more than $44 million.” 🤦‍♂️

So, how did the attack unfold, and why did it take CoinDCX so long to report it? A question that has left many a crypto enthusiast scratching their heads in bewilderment.

Did you know? The Lazarus Group, those cunning foxes, were also responsible for the infamous Bybit hack in February 2025, a heist that netted them a staggering $1.5 billion, making it the most significant single crypto theft in history. 🤑

The CoinDCX security breach, a tale worthy of a Gothic novel, unfolded with military precision between July 16 and 19, 2025. According to Gupta, the incident was a sophisticated server breach, a feat that required the skills of a master thief and the patience of a saint.

“The attacker accessed the account used for operational liquidity provisioning by penetrating our liquidity infrastructure,” Gupta lamented, a statement that left many wondering just how secure their own digital treasures truly were.

ZachXBT, a man whose reputation for exposing crypto scams is as solid as the foundations of the Great Wall, has been diligently following the money trail. On his Telegram channel, he revealed that “the attacker’s address was funded with one ether from Tornado Cash and later bridged a portion of the stolen funds from Solana to Ethereum.” A move as clever as it was daring.

Tornado Cash, a crypto mixer that has processed a whopping $7 billion since 2019, played a crucial role in the initial funding and run-up to this attack. It’s a tool as useful to the criminal as a lockpick is to a safecracker.

On July 16, the attackers conducted a “dry run” with a 1 USDt (USDT) test transaction, a move that demonstrated a level of planning and reconnaissance that would put the best military strategists to shame. It was clear that this was no random act of thievery but a carefully orchestrated assault.

The exact attack vector remains a mystery, but security experts, such as Deddy Lavid, CEO of cybersecurity firm CyVers, suggest that the vulnerability may have been due to backend access through exposed credentials. A simple mistake, perhaps, but one with far-reaching consequences.

The CoinDCX internal security and operation teams, now joined by top cybersecurity experts, are working tirelessly to investigate the issues, trace funds, and patch any vulnerabilities. A task as daunting as it is necessary.

Did you know? Crypto exchange security breaches can cause notable drops in Bitcoin (BTC) prices, typically by 1.5% on news of an attack. Moreover, the adverse market effects can linger long after the dust has settled. 😕

Once the attackers had drained over $40 million worth of USDT from the operational Solana wallet, the funds moved with a speed and efficiency that would make even the most seasoned trader envious. Within five minutes, the crypto wallet was empty, and the stolen assets had begun their journey through the Jupiter swap aggregator and Wormhole bridge infrastructure.

The cryptocurrency was routed through multiple hops, eventually landing in two wallets:

  • A Solana wallet holding around 155,830 SOL (approximately $27.6 million) that remains dormant, a silent testament to the thieves’ success.
  • An Ethereum wallet containing about 4,443 ETH (roughly $15.7 million), where much of the stolen value was consolidated, a treasure trove waiting to be claimed.

Interestingly, detection of the hack was delayed because the attackers acted through the compromised account’s legitimate operational privileges: the transfers looked like ordinary liquidity operations from an authorised account, so large sums moved without tripping any security alarm, a feat that speaks volumes about their ingenuity and about the need for more robust security measures.

Lavid added, “Although the compromised account was segregated from user wallets, its operational privileges were sufficient to execute large-scale fund movements without triggering immediate alarms.” A sobering reminder that even the best-laid plans can go awry.
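The failure mode Lavid describes, an authorised account moving large sums without tripping an alarm, is what behaviour-based monitoring of an operational wallet exists to catch. What follows is an added example, not CoinDCX’s code nor any vendor’s: it replays a constructed outgoing-transfer ledger (made-up addresses and times, shaped like the article’s timeline with a 1-USDT probe followed by a drain within minutes) through a hypothetical policy of new-destination, probed-destination and outflow-velocity rules; the thresholds and rule names are assumptions.

```python
from collections import deque
from datetime import datetime, timezone

# Constructed sample ledger for an operational (liquidity) hot wallet: addresses
# and times are made up; the shape mirrors the article's timeline (a 1-USDT test
# transfer to a new destination, then a multi-transfer drain within minutes).
SAMPLE_TRANSFERS = [
    ("2025-07-16T09:12:00Z", "mm-desk-A",    250_000.0),  # routine liquidity top-up
    ("2025-07-16T11:40:00Z", "unknown-X",          1.0),  # the "dry run"
    ("2025-07-17T10:05:00Z", "mm-desk-A",    180_000.0),
    ("2025-07-19T02:00:00Z", "unknown-X",  9_000_000.0),
    ("2025-07-19T02:01:30Z", "unknown-X", 11_000_000.0),
    ("2025-07-19T02:03:00Z", "unknown-X", 12_000_000.0),
    ("2025-07-19T02:04:20Z", "unknown-X", 12_000_000.0),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect(transfers, known_destinations=(), window_sec=300,
           velocity_limit_usd=1_000_000, probe_max_usd=10.0):
    """Replay outgoing transfers in order; return (severity, rule, index) alerts.
    Hypothetical policy, not CoinDCX's: a tiny first transfer to an unseen address
    is a probe; a large transfer to a probed-only or unseen address is flagged;
    outflow inside a sliding window above velocity_limit_usd is flagged too."""
    status = {d: "trusted" for d in known_destinations}  # dest -> trusted|probed|unvetted
    window = deque()                                      # (time, amount) within window_sec
    alerts = []
    for i, (when, dest, amount) in enumerate(transfers):
        t = _ts(when)
        if amount <= probe_max_usd:
            if dest not in status:
                status[dest] = "probed"
                alerts.append(("LOW", "probe_to_new_destination", i))
        elif status.get(dest) == "probed":
            alerts.append(("HIGH", "large_transfer_to_probed_destination", i))
        elif dest not in status:
            status[dest] = "unvetted"
            alerts.append(("MEDIUM", "large_transfer_to_unseen_destination", i))
        # The velocity check ignores destination reputation: the account is
        # authorised, so the only remaining signal is the rate of outflow.
        window.append((t, amount))
        while (t - window[0][0]).total_seconds() > window_sec:
            window.popleft()
        if sum(a for _, a in window) > velocity_limit_usd:
            alerts.append(("HIGH", "outflow_velocity", i))
    return alerts

def run_sample():
    return detect(SAMPLE_TRANSFERS, known_destinations=("mm-desk-A",))
```

On the sample ledger the 1-USDT probe raises only a low-severity note on July 16, but the first large transfer on July 19 fires both the probed-destination and velocity rules at once, three days before any funds reach a bridge.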

Did you know? The recovery rates for funds after a crypto heist are dismally low. Of the $2.5 billion stolen in the first half of 2025, only $187 million has been successfully returned. A mere 8%, a statistic that is both alarming and disheartening. 😢

On July 21, 2025, CoinDCX announced a bounty program offering up to 25% of any recovered funds, a reward that could total as much as $11 million. A sum that would make even the most jaded researcher sit up and take notice.

Gupta explained that the bounty aims to incentivize researchers, blockchain investigators, and white hat hackers to help track and retrieve the stolen assets. “More than recovering the stolen assets, what is important for us is to identify and catch the attackers because such things shouldn’t happen again—not with us, not with anyone in the industry,” he declared, a statement that resonated with many in the crypto community.

Gupta has also reassured customers that their funds remain safe in cold storage infrastructure, a fact he has reiterated on numerous occasions. “CoinDCX is still financially strong, fully operational, and firmly committed to building for the long term. It’s business as usual,” he stated, a sentiment that, while comforting, does little to ease the minds of those who have witnessed the chaos wrought by cybercriminals.

Every week, it seems, brings a new wave of crypto crime, and 2025 has been a particularly devastating year for crypto security. It is estimated that $2.17 billion was stolen from cryptocurrency services in the first half of 2025, a figure that surpasses all of 2024’s losses combined. The average loss per incident stands at a staggering $7.18 million, making it one of the worst years on record.

The Lazarus Group, a shadowy figure in this dark tale, has been linked to stealing more than $1.6 billion in the first half of 2025 alone. Their tactics, which involve cross-chain bridging, infrastructure knowledge, crypto mixers, and targeting centralized exchanges, are as sophisticated as they are sinister.

The importance of exchanges operating with a proper security architecture cannot be overstated. In the case of CoinDCX, its segregated wallet system, strong treasury reserves, and customer cold storage protected the firm from complete ruin. A lesson, perhaps, for others in the industry.

The CoinDCX hack serves as a cautionary tale, a reminder of the relentless nature of groups like North Korea’s Lazarus. While CoinDCX managed to keep all customer funds safe, the incident underscores the need for strong security measures that can contain the damage should the worst occur.

Crypto theft shows no signs of slowing down in 2025, and exchanges must do more than simply prevent breaches. They must ensure that their systems are designed to limit the damage and protect customer holdings, a challenge that is as pressing as it is complex. 🛡️

2025-07-24 18:00