CoinDCX, one of India’s biggest crypto platforms, just got wiped for $44.2 million in what looks like a hot wallet exploit. The hit happened about 17 hours ago, and the company didn’t say a word until on-chain sleuth ZachXBT exposed it.
The stolen crypto was first flagged by Cyvers, a blockchain security firm that spotted suspicious transactions and alerted Zach.
Zach went public with the information on Telegram: “Looks like the India centralized exchange ‘CoinDCX’ was likely drained for ~$44.2M almost 17 hours ago and has yet to disclose the incident to the community.”
He said the hacker address got 1 ETH from Tornado Cash, and then bridged part of the stolen funds from Solana to Ethereum. The hack wasn’t traced to a tagged wallet or listed in CoinDCX’s proof of reserves. Zach said he figured out the link by checking counterparties manually.
He also listed the attacker’s addresses:
- Solana: 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n
- Solana: 3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu
- Ethereum: 0xEF0c5b9E0E9643937D75C229648158584A8CD8D
CEO confirms internal account got breached
Right after Zach’s post started circulating, Sumit Gupta, the CEO of CoinDCX, finally stepped up with a statement on X, saying, “Hi everyone, At CoinDCX, we have always believed in being transparent with our community, hence I am sharing this with you directly.”
According to Sumit, the compromised account was an internal operational wallet, not one that holds customer funds. He said it was used “only for liquidity provisioning on a partner exchange”. The breach was caused by a “sophisticated server attack,” but Sumit claims all customer wallets were safe and hadn’t been touched.
“No customer funds have been impacted. Your assets remain completely safe and protected in our secure cold wallet infrastructure. All trading activity and INR withdrawals are fully operational.”
The team isolated the breached account fast and says the loss is being covered from their own treasury, not customers’ assets. They’ve brought in cybersecurity firms to dig through the breach, patch vulnerabilities, and track where the funds are moving. Gupta said they’re also working with the unnamed exchange partner where the liquidity account was being used.
They plan to launch a bug bounty program to catch other possible security gaps. He also said, “Every security incident is a learning, and we will learn from this and further strengthen our platform… this is our time to win this war against cyberthreats in the industry.”
He ended by promising real-time updates going forward: “I understand incidents like this can be unsettling – even when customer assets are unaffected. That’s why I am sharing this incident with you with full transparency. Thank you for your continued trust. I will keep you informed on a real-time basis as we learn more.”
Cryptopolitan Academy: Coming Soon – A New Way to Earn Passive Income with DeFi in 2025. Learn More
