On July 19, 2025, CoinDCX, India's largest crypto exchange with 1.6 crore users, lost $44.2M in a backend server breach linked to North Korea's Lazarus Group. The attackers penetrated the exchange's liquidity infrastructure through exposed credentials or social engineering (for example, a fake job offer tricking an employee into running malware) and drained a hot operational wallet used for partner exchange provisioning; private keys and user cold storage were not compromised. Reconnaissance began on July 16 with a 1 USDT test transfer. On July 19, $44.2M in USDC/USDT was siphoned in 5 minutes via Jupiter swaps and the Wormhole/Mayan bridges to Ethereum (4,443 ETH, ~$15.7M) and Solana (155,830 SOL, ~$27.6M, dormant), then laundered through Tornado Cash, FixedFloat and deBridge. ZachXBT raised the alarm 17 hours after the exploit; CoinDCX disclosed the incident on July 20, contained it by disabling the affected wallet, resumed trading and deposits (INR withdrawals continued to be processed), and pledged to cover the full loss from its treasury. The exchange offered a recovery bounty of up to 25% ($11M) alongside a $1M bounty program, notified CERT-In, and began audits with Cyvers and SlowMist. TVL dipped briefly, but the segregated architecture shielded customers, against a backdrop of $2.17B in crypto losses in H1 2025 ($1.6B attributed to Lazarus). The incident marks a pivot toward infrastructure attacks that exploit operations rather than code flaws, and it argues for zero-trust access, behavioral monitoring, and vendor audits to prevent $44M-scale CEX drains as India's regulations tighten.
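The probe-then-drain pattern described above (a 1 USDT test to a fresh address, then tens of millions to the same address within minutes a few days later) is exactly what behavioral monitoring on a hot wallet should catch. The following detector is an added example, not CoinDCX's or any vendor's code; the ledger, addresses, amounts and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    ts: datetime      # when the hot wallet signed the outbound transfer
    token: str        # e.g. USDC / USDT
    amount: float     # in token units
    dest: str         # destination address (constructed placeholders below)

# Constructed sample ledger modelled on the write-up: a 1 USDT probe to a
# never-seen address on July 16, then a burst of large transfers to that
# same address three days later. Partner provisioning traffic is included
# so the rules can be seen ignoring legitimate large payouts.
SAMPLE_LEDGER = [
    Transfer(datetime(2025, 7, 15, 9, 0), "USDT", 250_000, "0xPARTNER_A"),
    Transfer(datetime(2025, 7, 16, 11, 2), "USDT", 1, "0xATTACKER_FRESH"),
    Transfer(datetime(2025, 7, 18, 9, 0), "USDC", 300_000, "0xPARTNER_A"),
    Transfer(datetime(2025, 7, 19, 14, 0), "USDC", 9_000_000, "0xATTACKER_FRESH"),
    Transfer(datetime(2025, 7, 19, 14, 1), "USDT", 9_500_000, "0xATTACKER_FRESH"),
    Transfer(datetime(2025, 7, 19, 14, 3), "USDC", 8_700_000, "0xATTACKER_FRESH"),
]

def detect(ledger, known_dests, probe_max=10.0, probe_window=timedelta(days=7),
           burst_window=timedelta(minutes=5), burst_limit=5_000_000):
    """Return (kind, dest, ts) alerts for probe-then-drain and burst outflows."""
    alerts = []
    seen = set(known_dests)          # allow-listed partner addresses start as seen
    probes = {}                      # dest -> timestamp of its first tiny transfer
    ordered = sorted(ledger, key=lambda t: t.ts)
    for i, t in enumerate(ordered):
        # Rule 1: a tiny first-ever transfer to a new address is a probe candidate.
        if t.dest not in seen:
            seen.add(t.dest)
            if t.amount <= probe_max:
                probes[t.dest] = t.ts
        # Rule 2: a large transfer to an address probed within probe_window.
        elif t.dest in probes and t.amount > probe_max and t.ts - probes[t.dest] <= probe_window:
            alerts.append(("probe_then_drain", t.dest, t.ts))
        # Rule 3: total outflow in the trailing burst_window exceeds burst_limit.
        window_total = sum(u.amount for u in ordered[:i + 1] if t.ts - u.ts <= burst_window)
        if window_total > burst_limit:
            alerts.append(("burst_outflow", t.dest, t.ts))
    return alerts

def run_sample():
    """Run the detector over the constructed ledger with the partner allow-listed."""
    return detect(SAMPLE_LEDGER, known_dests={"0xPARTNER_A"})
```

In production the thresholds would be tuned per wallet, and either alert would gate the signer (pause the hot wallet, require a second approver) rather than only page an analyst.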