CoinDCX is a leading Indian cryptocurrency exchange founded in 2018 by Sumit Gupta and Neeraj Khandelwal. It is considered one of the best platforms for buying, selling, and trading cryptocurrencies in India due to its user-friendly interface, robust security measures, and wide array of related products.

CoinDCX server breach resulted in Rs 379 crore theft: modus operandi involved social engineering and moonlighting

CoinDCX reported a security breach on July 19, 2025, leading to the unauthorized transfer of approximately $44 million (around Rs 379 crore). The exact method used in the incident is still under investigation. The following is a breakdown of the modus operandi, based on available reports:

  • Initial Access and Compromise: The attack was linked to a “sophisticated social engineering attack” that compromised the login credentials of a CoinDCX software engineer. The employee’s work laptop was allegedly infected with malware, possibly through a bait file he received from an unknown party. This allowed the hackers to gain unauthorized access to the company’s servers and, specifically, the internal operational account. Bengaluru City police have arrested a CoinDCX software engineer, Rahul Agarwal, in connection with the theft on . It is alleged that the hackers compromised confidential financial processes using Agarwal’s login credentials, which were obtained through his work laptop. Mr. Agarwal admitted to moonlighting for 3-4 private parties without proper authorization and reportedly received Rs 15 lakh (approximately $17,000) from an unknown source. Authorities suspect he may have either knowingly sold his work credentials or unknowingly facilitated the breach through a “bait file”. While Agarwal claimed innocence regarding the theft, he was arrested for potential insider involvement or for being an unwitting tool for the hackers.
  • API Vulnerability Exploitation: Apart from the stolen employee credentials used to gain access to the CoinDCX server, cybersecurity experts also point towards the exploitation of a critical API vulnerability. This vulnerability was found within a third-party payment gateway’s API that was integrated with CoinDCX, meaning that a vulnerability in a service provided by an external vendor directly impacted CoinDCX’s security. As the saying goes, ‘the security chain is only as strong as its weakest link’.
  • The Test Run: Reports suggest the attackers conducted a “dry run” with a small transaction of 1 USDT before the major exploit. The initial “test transfer” of 1 USDT at 2:37 AM on July 19th, followed by the main $44 million exfiltration at 9:40 AM, aligns with an attacker testing the compromised access before executing the full theft.
  • The Main Heist: Once the hackers had full access, they siphoned off about $44 million in a rapid, large-scale operation. The funds were quickly moved to six different wallets.
  • Segregation of Funds: A key factor in this incident was CoinDCX’s security architecture. The compromised wallet was a “hot wallet” used for daily operations and liquidity, while the majority of customer funds were stored in “cold wallets” that are kept offline. This segregation prevented the hackers from accessing and stealing user funds.
  • Post-breach Fund Laundering: To obscure the trail, the stolen funds were routed through various methods. They were bridged from the Solana network to the Ethereum network using tools like the Wormhole bridge and the Jupiter swap aggregator. A portion of the funds was also sent through Tornado Cash, a crypto mixer often used to hide the origin of transactions, making it more difficult for investigators to trace the money.
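The probe-then-drain pattern in the timeline above (a 1 USDT test transfer, then a bulk transfer from the same hot wallet hours later) is something a withdrawal-monitoring rule can surface before the second transfer settles. The following is an added example, not code from the original post or from CoinDCX; the log format, wallet and destination names, the thresholds, the vetted-destination allow-list, and the assumption that the probe and the drain go to the same destination are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of hot-wallet outflow log lines (not real exchange data):
# "<ISO timestamp> <source wallet> <destination> <amount> <asset>"
SAMPLE_TRANSFERS = [
    "2025-07-19T00:15:00 hot-ops-1 addr-known-A 1200.00 USDT",
    "2025-07-19T02:37:00 hot-ops-1 addr-new-X 1.00 USDT",
    "2025-07-19T04:10:00 hot-ops-1 addr-known-B 850.00 USDT",
    "2025-07-19T09:40:00 hot-ops-1 addr-new-X 44000000.00 USDT",
]

# Destinations the exchange has already vetted (assumed allow-list).
KNOWN_DESTINATIONS = {"addr-known-A", "addr-known-B"}


def parse_transfer(line):
    """Split one log line into a dict; timestamps are naive ISO 8601."""
    ts, src, dst, amount, asset = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "amount": float(amount), "asset": asset}


def find_probe_then_drain(lines, known_destinations, probe_max=5.0,
                          drain_min=100_000.0, window=timedelta(hours=24)):
    """Alert on every large transfer to an unvetted destination; raise the
    severity to "high" when the same destination received a tiny "probe"
    transfer within `window` beforehand. Returns the list of alerts."""
    events = sorted((parse_transfer(l) for l in lines), key=lambda e: e["ts"])
    first_probe = {}   # destination -> timestamp of its first tiny transfer
    alerts = []
    for e in events:
        if e["dst"] in known_destinations:
            continue  # vetted destination; outside the scope of this rule
        if e["amount"] <= probe_max:
            first_probe.setdefault(e["dst"], e["ts"])
        elif e["amount"] >= drain_min:
            probe_ts = first_probe.get(e["dst"])
            preceded = probe_ts is not None and e["ts"] - probe_ts <= window
            alerts.append({
                "src": e["src"], "dst": e["dst"], "asset": e["asset"],
                "amount": e["amount"], "drain_at": e["ts"].isoformat(),
                "severity": "high" if preceded else "medium",
                "lead_minutes": (int((e["ts"] - probe_ts).total_seconds() // 60)
                                 if preceded else None),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_probe_then_drain(SAMPLE_TRANSFERS, KNOWN_DESTINATIONS):
        print(alert)
```

A rule like this only helps if the hot wallet's per-transfer and per-window limits are enforced server-side, so that a flagged transfer can be held for manual approval rather than merely logged.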

This incident highlights the ongoing security challenges faced by cryptocurrency exchanges, emphasizing the importance of robust internal security controls, employee awareness against social engineering, and rapid incident response protocols.
