# CoinDCX Breach: Unmasking the Multichain Heist

<figure><img src="/files/qfdy1D5o5J3XWR4pJ9rt" alt=""><figcaption></figcaption></figure>

## Summary

[On July 19, 2025, CoinDCX experienced a severe security breach](https://t.me/investigations/264) on the Solana blockchain, resulting in the loss of approximately $44.2 million in cryptocurrency assets, primarily USDT. This occurred due to a sophisticated server-side breach that allowed attackers to exploit internal operational wallets. The attackers swiftly moved these funds to Ethereum, complicating recovery efforts. But what initially appeared as a straightforward hack was, in fact, a complex, multichain setup.

[CoinDCX](https://coindcx.com/), an Indian cryptocurrency exchange established in 2018, became aware of the breach after blockchain analyst [ZachXBT](https://x.com/zachxbt) raised alarms, following an alert from [Cyvers](https://x.com/CyversAlerts). CoinDCX officially acknowledged the incident approximately 17 hours after the breach was identified, reassuring users that customer funds were secure, stored separately in cold wallets.

<figure><img src="/files/bKdo9hmiVeqtfOENqjMd" alt=""><figcaption><p><a href="https://x.com/smtgpt/status/1946597988660645900">CoinDCX Co-Founder Sumit Gupta acknowledging the exploit after several hours</a></p></figcaption></figure>

## Major Addresses and Transactions

Primary Exploiter (Solana): `6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n`

Exploiter (Solana): `3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu`

Funder Wallet (Ethereum): `0x23d872d2c091438085253787a5c60dc22e6c8c88`

Exploiter (Polygon): `0x03cd775859dd64ef956d9f4ebcb45e3d6e355657`

Eth Holder Wallet (Ethereum): `0xef0c5b9e0e9643937d75c229648158584a8cd8d2`

## Decoding the Exploit

The breach was not a smart‑contract failure but an off‑chain security lapse. In the early hours of July 19, a single liquidity‑provision wallet, used to keep markets liquid, was compromised after attackers obtained server‑level access. Within thirty minutes, the exchange’s internal monitors detected abnormal withdrawals and isolated the affected infrastructure by 04:00 a.m., [as reported by CoinDCX](https://x.com/CoinDCX/status/1947625144379445682), preventing lateral movement to other operational wallets.

Internal evidence points to a compromised credential or mis‑configured access policy on the host that signed transactions for the hot wallet. With that foothold, the attackers could sign arbitrary transfers, bypassing on‑chain permission checks. Luckily, no customer funds were ever at risk because the cold‑storage layer requires multi‑party authorisations, a control the attackers could not satisfy.

### A Three‑Day Multichain Warm‑Up

* **July 16** – The operation begins with a 1 ETH withdrawal from Tornado Cash that is immediately swapped on FixedFloat, parked briefly on Polygon, and then bridged to Solana via deBridge. This cross‑chain hop primed Solana wallets with SOL for fees and signalled the attacker’s intent to blur provenance across ecosystems.
* **July 17** – Infrastructure rehearsal. Nodes, proxy servers, and burner wallets are spun up; small dust movements confirm connectivity while the attackers finalise targets.
* **July 18** – A 1 USDT “test” transfer is pushed from the compromised wallet, an on‑chain canary confirming the private key has been fully hijacked and the route back to Tornado Cash is clear.

At 22:09 UTC on July 18, the siphoning starts. In just five minutes, the attackers execute a sequence of high‑velocity withdrawals, each signed from the same hot wallet, draining roughly $44 million in USDT. Small follow‑up transactions in USDC and USDT sweep residual balances and close the on‑chain loop.

Because internal alerting triggered quickly, only a single wallet was drained. All other liquidity wallets were rotated, API keys revoked, and outbound bridges black‑holed. The attackers, however, had already bridged much of the loot back to Ethereum and begun layering via mixers.
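The canary‑then‑burst pattern described above (a 1 USDT test transfer roughly an hour before a five‑minute, multi‑million‑dollar drain signed from the same hot wallet) is something a hot‑wallet monitor can alert on. The following Python is an added example, not code from the original post or from Blockscope; the `Outflow` records, thresholds and amounts are constructed to mirror the timeline and are not the real transfers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Outflow:
    ts: datetime       # UTC timestamp of the transfer out of the hot wallet
    token: str         # asset symbol, e.g. "USDT"
    amount_usd: float  # USD value of the transfer

def burst_total(outflows, start, window):
    """USD value of all outflows with timestamps in [start, start + window]."""
    return sum(o.amount_usd for o in outflows if start <= o.ts <= start + window)

def canary_then_drain(outflows, canary_max_usd=5.0, lookahead=timedelta(hours=3),
                      burst_window=timedelta(minutes=5), burst_min_usd=1_000_000.0):
    """Flag each dust-sized 'canary' transfer followed within `lookahead` by outflows
    worth at least `burst_min_usd` inside some `burst_window`; returns (canary, start, usd)."""
    txs = sorted(outflows, key=lambda o: o.ts)
    alerts = []
    for i, canary in enumerate(txs):
        if canary.amount_usd > canary_max_usd:
            continue
        later = [o for o in txs[i + 1:] if o.ts - canary.ts <= lookahead]
        # try every later transfer as the start of a burst window, keep the largest
        best_usd, best_start = max(
            ((burst_total(later, o.ts, burst_window), o.ts) for o in later),
            default=(0.0, None))
        if best_usd >= burst_min_usd:
            alerts.append((canary, best_start, best_usd))
    return alerts

def utc(day, hh, mm, ss=0):
    return datetime(2025, 7, day, hh, mm, ss, tzinfo=timezone.utc)

# Constructed sample modelled on the timeline above; amounts are illustrative, not the real transfers.
SAMPLE = [
    Outflow(utc(18, 9, 30), "USDT", 250_000.0),        # routine market-making outflow
    Outflow(utc(18, 21, 7), "USDT", 1.0),              # 1 USDT test transfer (canary)
    Outflow(utc(18, 22, 9), "USDT", 9_000_000.0),      # drain begins 22:09 UTC
    Outflow(utc(18, 22, 10, 12), "USDT", 11_000_000.0),
    Outflow(utc(18, 22, 11, 40), "USDT", 12_000_000.0),
    Outflow(utc(18, 22, 13, 5), "USDT", 12_000_000.0),
    Outflow(utc(18, 22, 20), "USDC", 4_000.0),         # residual sweep after the burst
]

if __name__ == "__main__":
    for canary, start, usd in canary_then_drain(SAMPLE):
        print(f"ALERT: {canary.amount_usd} {canary.token} canary at {canary.ts:%H:%M} UTC, "
              f"then ${usd:,.0f} within 5 min from {start:%H:%M} UTC")
```

In production the thresholds would be tuned per wallet against its normal outflow profile, and the canary alone (a dust transfer from a wallet that never sends dust) is worth a page on its own, before the burst arrives.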

In short, what looked like a simple private‑key theft was the finale of a carefully choreographed multichain campaign spanning **Tornado Cash → Ethereum → FixedFloat → Polygon → deBridge → Solana → Multiple Bridges → Ethereum**, a playbook reminiscent of state‑sponsored crews who favour long staging windows and surgical execution.

## On-Chain Activity

Upon notification by ZachXBT, our team swiftly initiated an extensive backward trace of the stolen funds, starting from Ethereum wallet `0xef0c5b9e0e9643937d75c229648158584a8cd8d2`.

Utilizing Blockscope’s proprietary Tracer tool, the team successfully reconstructed the cross-chain journey of the stolen assets, starting from Ethereum, tracing back to Solana, Polygon, and finally originating again from Ethereum through various protocols like deBridge, Mayan Finance, and FixedFloat. Due to Blockscope’s current limitations in supporting Solana chain visualization, specific Solana activities were documented externally using open source explorers.

<figure><img src="/files/yAj4vrBkGf7uq3cAJ97M" alt=""><figcaption><p>Tracer maps the entire CoinDCX exploit across EVM chains in detail</p></figcaption></figure>

<figure><img src="/files/dTKyMoIcPpixwHVHntkm" alt=""><figcaption><p><a href="https://t.me/investigations/264">Trace by ZachXBT on his Telegram</a></p></figcaption></figure>

## Timeline and Breakdown

### July 16, 2025 at 1:43 UTC

Initial funding from Tornado Cash 1 ETH pool to the Exploiter address `0x23d872d2c091438085253787a5c60dc22e6c8c88`, which funnels the funds through two hops before depositing them into Fixed Float.

Funding Tx. : `0x8d15cd638675131e40a307e1ec01588f0522f247377151ec1490bab7159cfa99`

<figure><img src="/files/mSQKGv7lfl3lldN6IPu9" alt=""><figcaption></figcaption></figure>

### July 16, 2025 at 2:09 UTC

Polygon Exploiter address `0x03cd775859dd64ef956d9f4ebcb45e3d6e355657` receives, in two transactions, funds sent from Ethereum via FixedFloat, which are eventually bridged to Solana. Using Transaction Decoder and [deBridge Explorer](https://app.debridge.finance/orders?s=0x05db2207a176dc71b4156ab04da2f2b551215cbf46f91e02e0b40b695128c979), we were able to find the recipient address on Solana: `GVkoTBDBg9u3PFmgG6rapcizkEg6Bhfk6tBfJqugdFcS`

Tx hashes:

* `0x90083b839d093536104efb592aa46847993dca26a9410faac99aad4ec236f41b`
* `0x5134ceaabe24a65512c7641849bf3088da151dbbda5bbd499c1a693e7a0c4467`

<figure><img src="/files/VJIcifVR2XOzvlsKWKjT" alt=""><figcaption><p>Tracer indicates that the funds initially landed on Polygon and were subsequently bridged to Solana.</p></figcaption></figure>

<figure><img src="/files/p8edNsvzfjs3w6cjBHiB" alt=""><figcaption><p>Using the Transaction Decoder tool and deBridge Explorer, we were able to trace the receiver address on Solana</p></figcaption></figure>

### July 16, 2025 at 2:22 UTC

Solana Funder Address `GVkoTBDBg9u3PFmgG6rapcizkEg6Bhfk6tBfJqugdFcS` starts to fund the Primary Exploiter Address `6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n`.

<figure><img src="/files/wyO5or1HggAimIk8WrwQ" alt=""><figcaption><p>On-chain data confirms that wallet <code>GVkoTB...</code> received funds through two incoming transactions from deBridge and immediately transferred them to the primary exploiter.</p></figcaption></figure>

### July 18, 2025 at 21:07 UTC

The exploit began with a test transaction involving just 1 USDT, likely to confirm full access to the exchange wallet `Ge8dzF234QHZKFh7TYyZqdipn3BoHyZfoyz9fxEqdTRi`. Once access was verified, the exploiter proceeded to drain large sums from the wallet. The stolen funds were then swapped and bridged to Ethereum through deBridge and Mayan Finance, effectively moving them off the original chain.

Test Tx: `5KN91UvSLNR3ygAvXiRRyPofnzDFawT9rxbxSfdg6bai1WwbDizv5nM1etWPR2m7Rg4vTrLmXLEy6CSPcDjGJBQQ`

<figure><img src="/files/PuB5zPNs2Y836L84kETI" alt=""><figcaption><p>Test transaction of 1 USDT</p></figcaption></figure>

<figure><img src="/files/Qvu3km2vIbFZu9lfU1bB" alt=""><figcaption><p>A series of outflows from the exchange wallet led to the depletion of approximately $45 million in assets.</p></figcaption></figure>

### July 18, 2025 at 22:50 UTC

Bridged funds from Solana were received on Ethereum and deposited into multiple intermediaries, eventually consolidating in one wallet, `0xef0c5b9e0e9643937d75c229648158584a8cd8d2`. As of July 23, all proceeds of the exploit were still held at this address on Ethereum.

<figure><img src="/files/gz4nXYAnYmVdxpOHfsWJ" alt=""><figcaption></figcaption></figure>

## Monitoring

Blockscope continues intensive real-time monitoring of the exploiter's wallet `0xef0c5b9e0e9643937d75c229648158584a8cd8d2`, which currently holds all the funds. Observations and insights are continuously updated on Blockscope’s public watchtower.

Link: <https://www.blockscope.co/community/watchtowers/6880179f0d4c4d77d3c6b19d>

<figure><img src="/files/HXIDIFNqPfGCV976Tc7g" alt=""><figcaption><p>Wallet Profiler shows all the funds reside at one address on Ethereum</p></figcaption></figure>

## CoinDCX & WazirX: Echoes of Lazarus Group?

The striking similarities between the CoinDCX breach and last year’s [WazirX incident](https://research.blockscope.co/blockscope-wazirx-235m-exploit-investigation), both marked by sophisticated intrusions, precise execution, and extensive cross-chain obfuscation, raise serious concerns. Notably, both attacks occurred on the same date, an unusual coincidence that adds to the intrigue. Given the advanced tactics employed in both cases, the potential involvement of North Korea’s Lazarus Group, a threat actor infamous for cyber-espionage and high-profile crypto heists, remains a credible and concerning possibility.

Security firm [Cyvers has also highlighted](https://cyvers.ai/blog/5-minutes-44m-coindcx-hack-shows-all-the-signs-of-lazarus-involvement) these attack methodologies as indicative of Lazarus Group's known modus operandi, strongly suggesting a targeted focus on India's major cryptocurrency platforms. Enhanced preemptive threat prevention strategies are now essential, as these incidents serve as dire warnings rather than isolated events.

## Conclusion

CoinDCX’s response, issued shortly after ZachXBT’s public disclosure, appeared more reactive than coordinated, suggesting internal uncertainty rather than clear communication. The potential involvement of North Korean state-sponsored cyber actors underscores not only a financial risk but also a broader security concern for India's cryptocurrency ecosystem and the global digital asset landscape. To mitigate such threats, exchanges must prioritize robust internal security protocols, implement real-time blockchain monitoring, and actively collaborate with cybersecurity experts.

**Investigation by**: [Tushar Tiwari](https://in.linkedin.com/in/tushar-tiwari-1380271b7), Forensics Analyst @ Blockscope

For more information, please reach out to us at **<hello@blockscope.tech>**

<figure><img src="/files/SRMln7HLAKcj2ayh7YRt" alt="" width="563"><figcaption></figcaption></figure>

Disclaimer: Best Effort Investigation

This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

* The data used in this investigation may contain inaccuracies, omissions, or errors.
* Information sources may be incomplete or subject to change.
* New evidence may emerge that could alter the conclusions.
* Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.


