CoinDCX blames ‘server breach’ for $44 million exploit

CoinDCX has revealed that the $44 million exploit resulted from a server compromise affecting one of its internal liquidity accounts.

In a detailed incident report released on July 20, the Indian crypto exchange confirmed that no customer funds were affected and that the entire loss will be absorbed by the company’s treasury. The attack was identified on July 19 at 4 a.m. IST when unauthorized access was detected in an account used for liquidity provisioning on a partner exchange. 

The company attributed the breach to a “sophisticated server attack” that penetrated its liquidity infrastructure. CoinDCX stressed in the statement that user wallets are kept in separate cold storage and were not impacted by the event.

Withdrawals of INR, deposits, and trading are still completely functional. As a precaution, web3 wallet functionality was temporarily suspended, but it has now been restored. 

“Your funds are 100% safe,” the exchange stated, adding that it is working with international cybersecurity experts, blockchain forensics firms, and Indian authorities, including CERT-In, to trace the stolen assets and identify the attacker. The company has also planned to launch a Recovery Bounty Program to incentivize information that could lead to the recovery of funds. 

CoinDCX had initially delayed public disclosure by about 17 hours, but it appears that the team gave containment and forensic analysis top priority before disclosing specifics. It reiterated that CoinDCX’s strong reserves and proof-of-reserves disclosures provide complete backing and ensure that all customer assets remain unaffected.

Happening a year after a $230 million hack at WazirX, the breach has sparked fresh worries about how resilient India’s crypto infrastructure is. CoinDCX was able to absorb the entire loss without halting operations or affecting user activities in contrast to previous instances that resulted in partial asset freezes or long delays in withdrawal processing, 

Blockchain investigator ZachXBT was among the first to flag the breach on July 19, tracing the attacker’s movements through Tornado Cash and cross-chain activity involving Solana (SOL) and Ethereum (ETH). According to Arkham Intelligence on-chain data, the compromised funds were routed through several wallets and currently reside in two known addresses.