CoinDCX has confirmed that a recent $44 million exploit stemmed from a server breach targeting one of its internal liquidity accounts.
In a detailed incident report published on July 20, the Indian cryptocurrency exchange clarified that no customer funds were compromised and that the full loss would be covered by the company’s own treasury.
The breach was detected on July 19 at 4 a.m. IST, when unauthorized access was discovered in an account used for liquidity provisioning on a partner platform. CoinDCX described the incident as a “sophisticated server attack” that affected its liquidity infrastructure.
The exchange emphasized that user wallets, which are stored separately in cold storage, were completely unaffected by the breach.
Core platform services—including INR withdrawals, deposits, and trading—remain fully operational. Although web3 wallet functionality was temporarily suspended as a precaution, it has since been restored.
“Your funds are 100% safe,” CoinDCX assured in its statement. The company also noted it is collaborating with international cybersecurity experts, blockchain forensic teams, and Indian authorities, including CERT-In, to trace the stolen funds and identify those responsible.
Additionally, CoinDCX announced plans to launch a Recovery Bounty Program to encourage individuals to provide information that could assist in recovering the lost assets.
CoinDCX delayed its public disclosure of the breach by approximately 17 hours, prioritizing containment and forensic investigation before releasing detailed information. The exchange emphasized that its strong reserves and transparent proof-of-reserves attestations fully back all customer assets, ensuring they remain unaffected.
Coming roughly a year after the $230 million WazirX hack, the incident has renewed concerns over the robustness of India’s crypto infrastructure. However, unlike past breaches that led to partial asset freezes or prolonged withdrawal delays, CoinDCX managed to absorb the entire $44 million loss without interrupting operations or impacting user activity.
The breach was first flagged by blockchain investigator ZachXBT on July 19, who tracked the attacker’s movement through Tornado Cash and cross-chain transfers involving Solana and Ethereum. On-chain data from Arkham Intelligence shows the stolen assets were funneled through multiple wallets and are currently held in two known addresses.
