CoinDCX has resumed full operations after a $44 million hack compromised its internal treasury but left customer funds untouched.
Key Takeaways
- CoinDCX suffered a $44 million breach in an internal treasury account on July 19.
- No customer funds were affected, according to CEO Sumit Gupta.
- The breach was traced to a Tornado Cash-funded wallet and flagged by ZachXBT.
- CoinDCX has restored all services and is tightening security with new measures.
What Happened
On July 19, CoinDCX, India’s largest cryptocurrency exchange, experienced a significant security breach that led to a $44.2 million loss. The affected wallet was part of the exchange’s operational treasury and used solely for liquidity provisioning on a partner platform. Fortunately, customer assets were stored in separate cold wallets and remained secure.
Timeline and Detection of the Hack
The breach occurred around 4 AM IST on July 19 and was first spotted by blockchain investigator ZachXBT. He traced the activity to a wallet funded by Tornado Cash, which was then used to move stolen assets from Solana to Ethereum.
A Tel Aviv-based cybersecurity firm, Cyvers, also flagged the suspicious transactions. Their alert helped prompt manual review, especially since the affected wallet lacked public tagging and proof-of-reserves transparency. This raised concerns about the exchange’s operational infrastructure and wallet hygiene.
Company Response and User Reassurance
CoinDCX CEO Sumit Gupta and co-founder Neeraj Khandelwal were quick to respond. In a public statement, Gupta confirmed, “No customer funds have been impacted. Your assets remain completely safe and protected in our secure cold wallet infrastructure.” He emphasized that the compromised wallet was completely separate from user deposits.
Khandelwal added, “The total amount lost was USD 44Mn out of our treasury assets. CoinDCX Treasury will be bearing these losses.”
Despite a wave of panic-driven withdrawals that briefly slowed APIs and access to balances, the company managed to restore full functionality, including all trading and INR withdrawal services. Withdrawal requests under Rs 5 lakh are now processed within five hours, while higher amounts are cleared within 72 hours.
Regulatory Notification and Future Plans
CoinDCX reported the incident to CERT-In, India’s cybersecurity watchdog, and has engaged global forensic teams to assist in the investigation.
To prevent similar incidents, CoinDCX is:
- Launching a bug bounty program to crowdsource security improvements
- Working with its partner exchange to block and potentially recover the stolen assets
- Improving wallet transparency and segregation protocols
Gupta noted, “Every security incident is a learning and we will learn from this and further strengthen our platform.”
CoinLaw’s Takeaway
Honestly, it’s a relief to see CoinDCX come clean quickly and keep user funds safe. Hacks like this shake trust, especially in a market still earning credibility in India. But their swift response, full service restoration, and open communication signal they’re taking this seriously. I really like the move to launch a bug bounty program. It’s proactive and smart. Still, they’ll need to double down on transparency if they want users to stick around.
