On the morning of Saturday, July 19, hackers drained about $44 million from the Indian crypto exchange CoinDCX. The breach was first spotted by independent blockchain researcher ZachXBT shortly after it began. Just 10 minutes after he posted about the incident, CoinDCX CEO Sumit Gupta confirmed the attack.
What Happened
The hack began early in the morning according to Indian Standard Time. ZachXBT was the first to report on the compromised wallet, manually linking the address to CoinDCX infrastructure. According to his analysis, the attacker first received 1 ETH through the Tornado Cash mixer, then transferred part of the stolen funds from Solana to Ethereum.
CoinDCX explained that the breach resulted from a “sophisticated server-side hack” which compromised an account responsible for providing liquidity on a partner platform. Gupta stated that customer funds were not affected and that the losses would be covered using company reserves.
According to Gupta, the team is already working with the partner exchange to freeze and recover the stolen funds. A bug bounty program is also in the works. The CEO assured that all client wallets remain secure.
Ongoing Attacks on Indian Exchanges
Exactly one year earlier, on July 18, 2024, India saw its largest crypto exchange hack when WazirX lost $230 million. The company eventually shut down, and a restructuring attempt was later rejected by a Singapore court. The exchange rebranded as Zensui and relocated to Panama. The investigation linked the incident to Lazarus Group, a North Korean state-backed hacker organization.
What We Know About CoinDCX
CoinDCX became India’s first crypto unicorn in 2021 after raising $90 million at a $1.1 billion valuation. In 2022, the exchange doubled its valuation to $2.15 billion following another $135 million funding round. In July 2024, CoinDCX acquired the Dubai-based platform BitOasis as part of its international expansion plans.
As of June 2025, the exchange has around 20 million registered users, and total assets on the platform are estimated at $584.2 million. The reserve fund for user compensation in case of a breach is approximately $7 million.
Withdrawal Restrictions
CoinDCX has previously faced criticism over its restrictive withdrawal policy. By default, users are not allowed to withdraw crypto unless they complete internal verification. In May 2025, Gupta stated that these measures aim to reduce the risk of illicit fund transfers and involve additional screening and risk assessment based on the company’s internal policies.
Security Promises
Responding to questions on Reddit after the WazirX breach, Gupta had assured users that CoinDCX was protected against similar attacks. He cited a multi-layered security architecture, distributed asset storage, a reserve fund, regular Proof of Reserves reports, and compliance with regulatory requirements.
Now, despite those assurances, CoinDCX finds itself at the center of a major security incident. The investigation is ongoing.
This post is for informational purposes only and is not an ad or investment advice. Please do your own research making any decisions.