$44M CoinDCX Hack Traced to North Korea’s Lazarus Group, Same Date as WazirX Breach

Lazarus Group Behind $44M CoinDCX Hack, Echoes 2024 WazirX Exploit
Written By: Bhavesh Maurya
Reviewed By: Sankha Ghosh

Indian crypto exchange CoinDCX has confirmed a major security breach that resulted in the theft of approximately $44.2 million. Cybersecurity experts suggest that the attack was carried out by the Lazarus Group, North Korea's known hacking team. The exploit was linked to a series of thefts that took place on July 19, the same date as the $234 million WazirX hack in 2024 and with the same tactics, raising alarms across the crypto industry.

Five-Minute Exploit Shows Sophistication; User Funds Remain Safe

Blockchain security service Cyvers reported that the hackers began setting up the attack on July 16 with a small 1 USDT "test transaction." Three days later, in the span of five minutes, the group executed seven rapid transactions, draining assets from an operational wallet on the Solana blockchain. The stolen assets, primarily USDC and USDT, were moved through cross-chain transactions, including transfers to Ethereum, demonstrating a high level of sophistication.

CoinDCX clarified that user funds were not affected, as they were safely stored in cold wallets. The exchange used internal reserves to cover the operational loss while maintaining business as usual for the duration of the incident.

CoinDCX Responds with Bounty Program

In response to the breach, CoinDCX has rolled out a recovery bounty program, offering up to 25% of any recovered assets, equivalent to $11 million, as an incentive for individuals or teams able to assist in tracking and retrieving the stolen funds.

CEO Sumit Gupta took to social media to stress the broader mission: “Identifying and catching the attackers is more important than just recovering funds. We must ensure this doesn’t happen again, not to us or anyone else in the ecosystem.”

As the industry absorbs the shock of another Lazarus-linked exploit, attention now shifts toward implementing stronger regulatory frameworks, cross-chain threat detection, and reinforcing user fund protections to prevent future breaches.

Striking Similarities and Security Concerns

The timing and nature of the attack sparked immediate comparisons to the WazirX breach, leading many experts to conclude that this was no accident, but a planned strategy repeated by Lazarus. Cyvers stressed that if India’s largest crypto platforms are being attacked one after the other, then proactive cybersecurity must be the first line of defense for the sector and not an afterthought.

The use of Tornado Cash to mask the movement of stolen funds, together with the cross-chain strategies, indicates a high level of planning. These attacks reveal important vulnerabilities in exchange infrastructure, including hot wallets, and underscore the need for multi-layer security and on-chain monitoring systems.
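To illustrate what such on-chain monitoring could look for, the following added example (not code from Cyvers, CoinDCX or this article) flags the pattern Cyvers reported: a probe-sized outflow followed days later by a burst of transfers within five minutes. It assumes a hypothetical allowlist of expected counterparties for the operational wallet, and the thresholds, addresses, amounts and timestamps are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime   # time the outflow left the monitored wallet
    dest: str      # destination address
    token: str
    amount: float  # token units

def detect(transfers, known_dests, probe_max=1.0, lookback=timedelta(days=7),
           window=timedelta(minutes=5), burst_min=5):
    """Alert on probe-sized outflows and on bursts of outflows to unlisted
    destinations; a burst preceded by a probe within `lookback` is critical."""
    txs = sorted((t for t in transfers if t.dest not in known_dests),
                 key=lambda t: t.ts)
    probes = [t for t in txs if t.amount <= probe_max]
    alerts = [{"kind": "probe", "start": p.ts, "dest": p.dest} for p in probes]
    i = 0
    while i < len(txs):
        j = i
        # Extend the burst while the next outflow is within `window` of the first.
        while j + 1 < len(txs) and txs[j + 1].ts - txs[i].ts <= window:
            j += 1
        burst = txs[i:j + 1]
        if len(burst) < burst_min:
            i += 1
            continue
        first, totals = burst[0].ts, {}
        for t in burst:
            totals[t.token] = totals.get(t.token, 0.0) + t.amount
        primed = any(timedelta(0) < first - p.ts <= lookback for p in probes)
        alerts.append({"kind": "burst", "start": first, "count": len(burst),
                       "totals": totals,
                       "severity": "critical" if primed else "high"})
        i = j + 1
    return sorted(alerts, key=lambda a: a["start"])

# Constructed sample data: addresses, amounts and timestamps are invented.
T0 = datetime(2025, 7, 16, 9, 0)
KNOWN = {"MM_DESK_1"}  # hypothetical allowlist of expected counterparties
SAMPLE = [Transfer(T0, "UNLISTED_A", "USDT", 1.0),
          Transfer(T0 + timedelta(hours=5), "MM_DESK_1", "USDC", 250_000.0)]
SAMPLE += [Transfer(T0 + timedelta(days=3, seconds=40 * k), "UNLISTED_B",
                    "USDC" if k % 2 else "USDT", 1_000_000.0) for k in range(7)]

if __name__ == "__main__":
    for alert in detect(SAMPLE, KNOWN):
        print(alert)
```

The probe alert fires three days before the burst in this sample, which is the window in which a monitoring team could review the unlisted destination.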

Analytics Insight
www.analyticsinsight.net