Lazarus Group Accused in $44M CoinDCX Hack: India’s Second-Largest Crypto Breach

2 min | July 23, 2025


Key Takeaways:

  • A “sophisticated server breach” drained approximately $44.2 million from CoinDCX’s operational wallet on July 19, CEO Sumit Gupta confirmed. User funds and wallets remain safe.
  • Cyvers and others point to cross-chain tactics via Solana and Ethereum bridges, with funds laundered through Tornado Cash and signatures linked to Lazarus Group’s previous WazirX and Bybit hacks.
  • CoinDCX said it will cover the losses from its own treasury and launched a bounty program offering up to 25%, or approximately $11 million, to anyone who can help trace and recover the stolen funds.

On July 19, India-based crypto exchange CoinDCX suffered a severe internal wallet exploit after hackers carried out what CEO Sumit Gupta called a “sophisticated server breach”. Unlike many high-profile exchange hacks, this one spared user assets, targeting instead an internal operational wallet used solely for liquidity provisioning on partner exchanges. Because of this segregation, customer funds, held in securely managed cold wallets, remained safe and untouched. Still, the attackers managed to withdraw roughly $44.2 million in USDT and USDC, moving the funds quickly through Solana and Ethereum and obfuscating them with Tornado Cash.

Meanwhile, blockchain investigator ZachXBT had first flagged suspicious transactions nearly 17 hours earlier in his Telegram channel, explaining that the hacker address received 1 ETH via Tornado Cash before initiating cross-chain transfers. CoinDCX publicly acknowledged the hack following the Telegram disclosure.

Evidence points to Lazarus Group

Security experts at blockchain security firm Cyvers are convinced that the CoinDCX exploit is linked to Lazarus Group. Their analysis reveals the same behaviors and patterns as the 2024 WazirX hack and the 2025 Bybit mega-heist carried out by the North Korea-based hackers, who used cross-chain bridges and mixers to conceal traceable activity.

Cyvers CEO Deddy Lavid highlighted the similarity between the breaches, noting:

Although the compromised account was segregated from user wallets, its operational privileges were sufficient to execute large-scale fund movements without triggering immediate alarms.

Exchange response and recovery efforts

CoinDCX reacted decisively, isolating the breached account while maintaining normal trading, deposits, and withdrawals, including INR and web3 wallet services.

Meanwhile, to address liabilities, the exchange committed to covering the $44 million loss from its treasury. It then launched a white-hat bounty program offering up to 25% of recovered assets, worth $11 million, to those who can assist in recovering the stolen funds.

Market Reaction and Sentiment

As of writing, BTC trades around $118,450, down 0.38%, while ETH has also declined, by roughly 0.7%, to $3,677, according to CoinGecko’s latest market data. The modest dip reflects cautious investor sentiment, influenced by the breach but mitigated by the containment of user assets.


This security incident reinforces a pattern: centralized crypto platforms remain prime targets for highly skilled state-linked hacking groups like Lazarus. India’s regulatory framework and crypto infrastructure now confront renewed scrutiny. This attack follows the WazirX breach of July 2024 ($235 million), also blamed on Lazarus, underlining South Asia’s exposure to increasingly organized cybercrime.

Summary

On July 19, hackers exploited a CoinDCX operational wallet, draining $44.2 million in USDT and USDC via cross-chain bridges and Tornado Cash. While user funds were safe, blockchain investigators including Cyvers and ZachXBT linked the breach to North Korea’s Lazarus Group, citing similarities to the WazirX and Bybit hacks. CoinDCX pledged to cover losses using its treasury and launched an $11M bounty for recovery assistance. Despite the breach, BTC and ETH remained stable. This attack marks India’s second-largest crypto hack, reigniting concerns over centralized exchange security and North Korean cybercrime.
