The hack of Indian crypto exchange CoinDCX, which resulted in the theft of approximately $44.2 million in July 2025, was attributed to vulnerabilities in its internal infrastructure, namely the management system for the internal transaction account used to provide liquidity to a partner platform. The key details about the causes and nature of the attack are as follows:
- Hackers gained access to the platform’s internal server and compromised one of the internal accounts used exclusively to provide liquidity to the partner exchange. Users’ wallets were not affected; they are stored separately in cold storage [1, 2, 3].
- The attackers carried out a sophisticated breach of the server infrastructure, exploiting weaknesses in security settings and account management protocols. This allowed them to obtain administrator privileges on the internal account and transfer funds from it [2, 6].
- Experts believe the attack was well planned and coordinated, with patterns typical of the North Korean hacker group Lazarus, which made extensive use of cryptocurrency mixers (such as Tornado Cash) and cross-chain bridges to hide the trail of the stolen funds [6].
- The hack affected the internal operational processes related to liquidity management, which is the Achilles heel of centralized exchanges – it is this segment of the infrastructure that has proven most vulnerable to professional cyberattacks [3, 6].
- After discovering the incident, CoinDCX quickly isolated the compromised account, coordinated an investigation, and brought in cybersecurity specialists to fix the vulnerabilities and recover the funds. All losses will be covered from the exchange’s reserves [1, 2, 3].
Thus, the key vulnerabilities that allowed the withdrawal of $44 million were:
- Insufficient protection of the internal operating server and protocols for managing accounts with elevated privileges.
- Errors and gaps in the security settings of the liquidity account infrastructure.
- Lack of or insufficient segmentation and isolation of critical internal systems, which allowed attackers to gain administrative access and use it for unauthorized transfers.
This incident highlights the need for centralized crypto exchanges to strengthen their internal operations security, including tight access controls, regular server and protocol security audits, and the use of multi-factor authentication and rapid threat response mechanisms [6].
What Key CoinDCX Security Vulnerabilities Were Exploited by Hackers
The key security vulnerabilities of the CoinDCX crypto exchange that hackers exploited to steal about $44.2 million in July 2025 relate to the platform’s internal infrastructure, namely the transaction account used to provide liquidity. The details and facts of the incident are as follows:
- The attackers gained access to an internal transaction account used to manage liquidity on partner platforms, while users’ wallets in cold storage were not affected. This indicates that the attack targeted the exchange’s infrastructure rather than client assets [5, 6].
- The hackers exploited security flaws and misconfigurations in the servers’ security settings, and the internal account management system had vulnerabilities that allowed them to obtain administrator privileges on the internal account. This let them make transactions from the operating account without authorization [3, 8].
- The incident is classified as a complex server breach (a complex backend hack) that used vulnerabilities in control protocols and APIs that were not sufficiently protected against cyberattacks [3].
- Analysts attribute the attack to the North Korean hacker group Lazarus Group, which is known for sophisticated and targeted operations involving system reconnaissance, test transactions, and rapid withdrawal of funds. Social engineering, automated transactions, and cryptocurrency mixers (such as Tornado Cash) were used to hide their tracks [4, 7, 8].
- The hack struck the “Achilles heel” of centralized crypto exchanges – liquidity management in internal accounts – which confirmed the high vulnerability of such operational systems and the need to protect and segment them separately from the main user assets [6, 8].
- Following the incident, the exchange quickly isolated the compromised account, began collaborating with international cybersecurity experts, increased auditing and security measures, and announced a bug bounty program for “white hat hackers” to recover funds and prevent similar attacks in the future [9, 10].
Thus, the main key vulnerabilities of CoinDCX that hackers exploited were:
- Insufficient level of protection of the internal operating server and administrative protocols.
- Breach in access control and management of accounts with increased privileges within the exchange infrastructure.
- Lack of proper segmentation and isolation of critical internal services allowed attackers to conduct rapid and large-scale unauthorized withdrawals of funds.
- Exploitation of API and smart contract vulnerabilities, as well as insufficient monitoring of risks within the system.
These facts show that it is important for cryptocurrency platforms to strengthen the internal security of not only users’ personal wallets, but also transaction accounts where liquidity and fund management are concentrated.
Why the Internal Operations Account Was Particularly Vulnerable to Attack
The internal transaction account of crypto exchange CoinDCX was found to be particularly vulnerable to attack for several key reasons:
- Special role and sensitivity of the account. This account is used to provide liquidity between partner platforms and to manage significant amounts of funds promptly. Such an account usually has high privileges and access to large balances, which makes it an attractive and easy target for cybercriminals.
- Insufficient infrastructure segmentation and isolation. Internal systems, including transaction accounts, were not sufficiently isolated from other parts of the infrastructure, allowing attackers to gain administrative access through vulnerabilities in account management protocols and server security.
- Vulnerabilities in access control and server security. The analysis showed that servers and account management systems had insufficient protection, including in terms of security settings, multi-factor authentication, and audit protocols. This made it easier for attackers to bypass controls and conduct unauthorized transactions.
- Complexity of internal infrastructure and operational processes. Liquidity management requires rapid and frequent interaction with external and internal systems, which creates potential entry points for attacks if processes and interfaces are not sufficiently protected and reviewed from a security perspective.
- Attack methods based on social engineering and exploitation of internal vulnerabilities. Hackers could use both technical vulnerabilities and deception of employees (social engineering) to gain access to critical credentials and privileges.
- Lack of, or inadequate implementation of, modern security methods such as network segmentation, user rights restrictions, multi-factor authentication, and anomaly monitoring.
Taken together, these factors explain why CoinDCX’s internal transaction account turned out to be the system’s Achilles heel and was successfully attacked, with $44.2 million in funds stolen. The incident highlighted the need for increased attention to internal security processes, separate protection of liquidity accounts, and ongoing auditing and updating of access control protocols in centralized cryptocurrency platforms [1, 5].
How attackers gained access to the platform’s internal accounts
The attackers gained access to internal accounts of the CoinDCX platform through several key vulnerabilities and attack methods related to the infrastructure and liquidity management systems:
- They exploited vulnerabilities in server security settings and account management protocols to obtain administrator privileges on an internal transaction account used to provide liquidity, allowing them to make transactions without authorization.
- The attack involved a sophisticated backend breach in which the attackers penetrated poorly secured internal systems that managed the exchange’s critical assets and operations.
- The use of social engineering techniques likely allowed the hackers to gain access to sensitive employee credentials or systems, making it easier to bypass controls and authentication mechanisms.
- The lack of sufficient segmentation and isolation of the internal systems infrastructure allowed the attackers to move within the platform and reach highly privileged accounts.
- Once access was gained, the hackers used concealment techniques, including cryptocurrency mixers and cross-chain tools, making it difficult to track and recover the stolen funds.
Thus, the key factors for access were technical vulnerabilities in the protection of servers and internal services, errors in managing access rights, and the use of social engineering methods against platform employees.
What measures has CoinDCX taken to protect user funds after the hack?
Following the hack that resulted in the theft of approximately $44.2 million from an internal transaction account used to provide liquidity, crypto exchange CoinDCX took the following key measures to protect user funds and improve security:
- User funds were not affected, as they are stored in separate cold wallets, isolated from operational accounts. Losses are covered exclusively from the platform’s corporate reserves [1, 2, 5].
- Rapid incident containment – the compromised internal account was isolated from the main infrastructure, preventing further impact on customers [5].
- In an effort to recover the stolen funds, a rewards program for white hat hackers was launched, offering up to 25% of the amount returned to those who help identify and return the assets [1, 2].
- CoinDCX is actively collaborating with leading cybersecurity experts and organizations, including Sygnia, zeroShadow, Seal911, Solana Foundation, Superteam, and the cross-chain bridge teams Wormhole and deBridge, to investigate the attack and trace and recover the stolen funds [2].
- The exchange’s operations (trading, deposits, withdrawals) were maintained and not suspended, thanks to the separation of client assets and strict security measures [1, 5].
- Continuous auditing and hardening of the infrastructure is underway, including enhanced access controls, system segmentation and implementation of modern security protocols to reduce the risk of repeat attacks [6].
- CoinDCX CEO Sumit Gupta stressed the importance of identifying the attackers and preventing similar incidents in the future, not only for the platform but for the entire crypto industry [1].
Thus, CoinDCX was able to avoid damage to users due to the correct architecture of funds storage and prompt response, and also takes active steps to return the stolen funds and strengthen the platform’s security.
What concealment schemes did hackers use to launder stolen assets?
Hackers, including those behind the major crypto exchange thefts of 2025 (such as the Lazarus Group, which attacked Bybit and CoinDCX), used a variety of complex schemes to hide and launder stolen digital assets. The main methods used were:
- Splitting and distributing funds across multiple wallets. Theft typically involves breaking large sums into smaller transactions that are transferred to hundreds or even thousands of addresses to obscure the trail and make tracking more difficult [6, 7].
- Use of decentralized exchanges (DEXs) and token swaps: attackers convert stolen assets (e.g. unstaking ETH-derived tokens such as stETH and cmETH) into more liquid, mainstream cryptocurrencies via DEXs such as Uniswap or Curve, which increases anonymity [6, 7].
- Use of crypto mixers (tumblers), including smart-contract-based mixers. These services mix funds from a large number of users to hide the origin of the cryptocurrency. Hackers use alternatives to Tornado Cash, as well as services with minimal identification (no KYC), such as eXch [6].
- Use of cross-chain bridges. Hackers transfer assets between different blockchains via bridges (e.g. THORChain, Chainflip), which makes tracing even more difficult and fragments transactions across different networks (BTC, ETH, Solana, etc.) [6, 7, 9].
- Creation and sale of meme coins with artificially inflated value. To convert funds, some attackers create meme tokens, draw insider wallets into them, and then drain the stolen funds by quickly exchanging these tokens for “clean” cryptocurrency from ordinary investors [1].
- Use of advanced social engineering and phishing techniques to gain administrative rights, which helps control transfers in the early stages of laundering [7].
- Sit-and-wait strategy: some wallets holding stolen assets are left idle for long periods to avoid attracting the attention of security services [7].
The laundering process takes place in three key stages:
- Placement is the formal introduction of stolen funds into the financial system, breaking them down into smaller transactions.
- Layering is the multi-level movement of funds across multiple wallets, exchanges and services, including exchanges and mixers, to hide their origin.
- Integration is the return of laundered funds to the economy through legal channels or investments [5, 6].
Thus, the scheme for laundering stolen assets is based on a combination of distribution of funds, exchanges through decentralized services, the use of mixers, the use of bridges between blockchains and, in some cases, the creation of artificially inflated tokens. All these methods are aimed at maximizing the complexity of tracking transactions and complicating the return of stolen funds.
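Two of the on-chain behaviours described on this page – the Lazarus-style test transaction followed by a rapid large withdrawal, and the laundering step of fanning funds out to many fresh addresses – are patterns an exchange’s own anomaly monitoring can flag on an operational liquidity account. The script below is an added example, not code from the original article or from CoinDCX; the log format, the account name, the destination addresses and all thresholds are constructed for illustration.

```python
import re
from collections import deque

# Constructed outflow log for a hypothetical liquidity account "liq-01" (not real data).
SAMPLE_LOG = """\
ts=1000 account=liq-01 to=0xpartnerA amount=25000
ts=1060 account=liq-01 to=0xpartnerB amount=40000
ts=1120 account=liq-01 to=0xnew001 amount=1
ts=1150 account=liq-01 to=0xnew001 amount=9000000
ts=1160 account=liq-01 to=0xnew002 amount=950000
ts=1170 account=liq-01 to=0xnew003 amount=950000
ts=1180 account=liq-01 to=0xnew004 amount=950000
ts=1190 account=liq-01 to=0xnew005 amount=950000
ts=1200 account=liq-01 to=0xnew006 amount=950000
"""

# Destinations approved in advance for this account (assumed allow-list).
KNOWN_DESTINATIONS = {"0xpartnerA", "0xpartnerB"}

LINE_RE = re.compile(r"ts=(\d+) account=(\S+) to=(\S+) amount=(\d+)")

def parse_log(text):
    """Parse 'ts= account= to= amount=' lines into (ts, account, to, amount) tuples."""
    txs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, acct, to, amt = m.groups()
            txs.append((int(ts), acct, to, int(amt)))
    return txs

def detect(txs, known, window=600, test_max=10, drain_min=1_000_000, fanout_max=5):
    """Flag two outflow patterns for one operational account:
    - test_then_drain: a tiny transfer to a never-seen destination followed
      within `window` seconds by a large transfer to the same destination;
    - fanout: more than `fanout_max` never-seen destinations inside `window`.
    Returns a list of (rule, account, ts, detail) tuples in time order."""
    alerts, seen, probes, recent_new = [], set(known), {}, deque()
    for ts, acct, to, amt in sorted(txs):
        if to not in seen:
            seen.add(to)
            recent_new.append((ts, to))
            while recent_new and ts - recent_new[0][0] > window:
                recent_new.popleft()        # drop fresh destinations outside the window
            if len(recent_new) > fanout_max:
                alerts.append(("fanout", acct, ts, len(recent_new)))
                recent_new.clear()          # one alert per burst
            if amt <= test_max:
                probes[to] = ts             # remember the probe transfer
        elif to in probes and amt >= drain_min and ts - probes[to] <= window:
            alerts.append(("test_then_drain", acct, ts, to))
            del probes[to]
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), KNOWN_DESTINATIONS):
        print(alert)
```

In production the allow-list and thresholds would come from the desk’s approved counterparties and historical baselines, and a `test_then_drain` hit on a liquidity account is a candidate for an automatic transfer hold rather than a passive alert.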
- https://vc.ru/crypto/1874039-kak-hakery-otmyvayut-ukradennuyu-kriptovalyutu-cherez-mem-koiny-i-kto-na-etom-zarabatyvaet
- https://eurasiangroup.org/files/uploads/files/FATF_documents/Best_practicies/Nezakonnye_finansovye_potoki_ot_kibermosennicestva.pdf
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:APT_-_%D0%A2%D0%B0%D1%80%D0%B3%D0%B5%D1%82%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%BD%D1%8B%D0%B5_%D0%B8%D0%BB%D0%B8_%D1%86%D0%B5%D0%BB%D0%B5%D0%B2%D1%8B%D0%B5_%D0%B0%D1%82%D0%B0%D0%BA%D0%B8
- https://www.binance.com/ru/square/post/21121017559737
- https://www.block-chain24.com/faq/kriptomiksery-i-krosscheyn-mosty-kak-hakery-otmyvayut-ukradennye-aktivy
- https://www.binance.com/ru/square/post/21357641099089
- https://ru.beincrypto.com/lazarus-group-otmyvaet-bybit/
- https://www.securitylab.ru/news/552270.php
- https://infobezopasnost.ru/blog/news/hakery-iz-lazarus-group-otmyli-vse-ukradennye-1-4-mlrd-v-ethereum/
- https://amlcrypto.io/ru/analiz-ataki-na-radiant-capital
Sources: Block-Chain24 [1], Bits.Media [2], CoinDesk [5], MoneyTimes.Ru [6].
- https://www.block-chain24.com/news/novosti-bezopasnosti/coindcx-obyavlyaet-programmu-voznagrazhdeniy-za-vozvrat-sredstv-posle
- https://bits.media/postradavshaya-ot-vzloma-coindcx-obyavila-nagradu-za-poimku-khakerov/
- https://phemex.com/ru/news/article/coindcx-suffers-442m-hack-tied-to-tornado-cash-laundering_13186
- https://www.binance.com/ru/square/post/27186281413177
- https://www.coindesk.com/ru/web3/2025/07/19/indian-crypto-exchange-coindcx-suffers-44m-hack
- https://www.moneytimes.ru/news/crypto-exchange-hack/78571/
- https://cryptorank.io/news/feed/058a1-coindcx-%D0%BD%D0%B5-%D0%BE%D0%B1%D1%8A%D1%8F%D0%B2%D0%BB%D1%8F%D0%BB-%D0%BE-%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC%D0%B5-%D0%BD%D0%B0-44-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%BE%D0%BD%D0%B0-%D0%B4%D0%BE%D0%BB
- https://www.coindesk.com/ru/policy/2025/07/12/indian-crypto-exchange-coindcx-denies-moving-user-funds-after-wazirx-allegations
- https://dapp.expert/ru/news/woo-x-priostanovila-tranzakcii-posle-xakerskoi-ataki-ubytki-sostavili-14-millionov-1753384297-492272
- https://ru.bitdegree.org/crypto/rukovodstvo/kak-kupit-kriptovalyutu-bez-verifikacii
- https://safe.cnews.ru/news/top/2024-05-02_platformu_tsifrovyh_podpisej
- https://www.vtb.ru/articles/gosuslugi/chto-delat-esli-moshenniki-vzlomali-gosuslugi/
- https://xn--90aivcdt6dxbc.xn--p1ai/articles/useful/ataki-khakerov-i-vzlom-akkaunta-ot-gosuslug-kak-zashchitit-dannye-v-internete/
- https://plan-bankrotstva.ru/faq/novaya-ugroza-kak-moshenniki-ispolzuyut-akkaunty-na-gosuslugakh-dlya-obmana-grazhdan/
- https://tulapressa.ru/2025/01/moshenniki-ispolzuyut-novye-ulovki-dlya-vzloma-akkauntov-gosuslug/
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9C%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE_%D0%BD%D0%B0_%D0%93%D0%BE%D1%81%D1%83%D1%81%D0%BB%D1%83%D0%B3%D0%B0%D1%85
- https://www.rbc.ru/life/news/673d7bdc9a794747f00169b0
- https://huntflow.media/zashita-ot-moshennikov/
- https://www.f6.ru/blog/brute-force/
- https://iz.ru/1899737/maria-frolova/snat-nomer-mosenniki-stali-arendovat-akkaunty-rossian-v-messendzerah
- https://www.cloudav.ru/mediacenter/security/underestimating-dangers-internal-threats-company/
- https://cisoclub.ru/laboratorija-kasperskogo-ujazvimosti-operacionnyh-sistem-stali-glavnoj-celju-hakerov-v-2024-godu/
- https://www.anti-malware.ru/analytics/Threats_Analysis/The-bank-is-under-attack
- https://learn.microsoft.com/ru-ru/security-updates/security/20212682
- https://www.comnews.ru/content/112938/2018-05-07/promyshlennye-predpriyatiya-uyazvimy-dlya-atak
- https://ptsecurity.com/ru-ru/research/analytics/cyber-threats-in-the-transport-sector-2023/
- https://searchinform.ru/informatsionnaya-bezopasnost/osnovy-ib/ugrozy-informatsionnoj-bezopasnosti/
- https://ib-bank.ru/bisjournal/post/1512
- https://www.kaspersky.ru/blog/targeted-attack-anatomy/4388/
- https://nemesida-waf.ru/articles/1533
Sources: MoneyTimes [1], Cyvers Alerts and ZachXBT [5, 7, 8], Binance Square [4], ForkLog [3].
- https://www.moneytimes.ru/news/crypto-theft-investigation/78576/
- https://ru.investing.com/news/cryptocurrency-news/article-2838045
- https://ru.tradingview.com/news/forklog:669c2babc67b8:0/
- https://www.binance.com/ru/square/post/27384629282929
- https://www.binance.com/ru/square/post/27181905450434
- https://www.block-chain24.com/news/novosti-bezopasnosti/indiyskaya-kriptovalyutnaya-birzha-coindcx-vzlomana-pohishcheno-44-mln
- https://yellow.com/ru/news/%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-coindcx-%D0%BF%D1%80%D0%BE%D1%81%D0%BB%D0%B5%D0%B6%D0%B5%D0%BD-%D0%B4%D0%BE-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D1%8B-lazarus-%D0%B8%D0%B7-%D1%81%D0%B5%D0%B2%D0%B5%D1%80%D0%BD%D0%BE%D0%B9-%D0%BA%D0%BE%D1%80%D0%B5%D0%B8-%D1%83%D0%BA%D1%80%D0%B0%D0%B4%D0%B5%D0%BD%D0%BE-44m
- https://bits.media/cyvers-nazvala-vzlomavshikh-indiyskuyu-kriptobirzhu-coindcx-khakerov/
- https://ru.investing.com/news/cryptocurrency-news/article-2836436
- https://www.block-chain24.com/news/novosti-bezopasnosti/coindcx-obyavlyaet-programmu-voznagrazhdeniy-za-vozvrat-sredstv-posle
Sources: Binance Square [1], CoinTelegraph [2], Moneytimes.Ru [3], Cyvers [6].
- https://www.binance.com/ru/square/post/27168554994914
- https://ru.cointelegraph.com/news/crypto-exchange-coindcx-hacked-42-million-drained
- https://www.moneytimes.ru/news/crypto-exchange-hack/78571/
- https://bits.media/vzlomshchiki-indiyskoy-kriptobirzhi-coindcx-vyveli-44-mln/
- https://forklog.com/news/bitkoin-birzha-coindcx-poteryala-44-mln-v-rezultate-vzloma
- https://cryptorank.io/news/feed/a52bb-cyvers-nazvala-vzlomavshikh-indiyskuyu-kriptobirzhu-coindcx-khakerov
- https://www.block-chain24.com/news/novosti-bezopasnosti/coindcx-obyavlyaet-programmu-voznagrazhdeniy-za-vozvrat-sredstv-posle
- https://ru.investing.com/news/cryptocurrency-news/article-2836436
- https://incrypted.com/byrzha-bigone-poterjala-27-mln-yz-za-hakerskoj-ataky/
- https://www.securitylab.ru/blog/company/Rubikon/353450.php
