CoinDCX Breach: Unmasking the Multichain Heist

Summary

On July 19, 2025, CoinDCX experienced a severe security breach on the Solana blockchain, resulting in the loss of approximately $44.2 million in cryptocurrency assets, primarily USDT. This occurred due to a sophisticated server-side breach that allowed attackers to exploit internal operational wallets. The attackers swiftly moved these funds to Ethereum, complicating recovery efforts. But what initially appeared as a straightforward hack was, in fact, a complex, multichain setup.

CoinDCX, an Indian cryptocurrency exchange established in 2018, became aware of the breach after blockchain analyst ZachXBT raised alarms, following an alert from Cyvers. CoinDCX officially acknowledged the incident approximately 17 hours after the breach was identified, reassuring users that customer funds were secure, stored separately in cold wallets.

Major Addresses and Transactions

Primary Exploiter (Solana): 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n

Exploiter (Solana): 3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu

Funder Wallet (Ethereum): 0x23d872d2c091438085253787a5c60dc22e6c8c88

Exploiter (Polygon): 0x03cd775859dd64ef956d9f4ebcb45e3d6e355657

Eth Holder Wallet (Ethereum): 0xef0c5b9e0e9643937d75c229648158584a8cd8d2

Decoding the Exploit

The breach was not a smart‑contract failure but an off‑chain security lapse. In the early hours of July 19, a single liquidity‑provision wallet, used to keep markets liquid, was compromised after attackers obtained server‑level access. Within thirty minutes, the exchange’s internal monitors detected abnormal withdrawals and isolated the affected infrastructure by 04:00 a.m., as reported by CoinDCX, preventing lateral movement to other operational wallets.

Internal evidence points to a compromised credential or mis‑configured access policy on the host that signed transactions for the hot wallet. With that foothold, the attackers could sign arbitrary transfers, bypassing on‑chain permission checks. Luckily, no customer funds were ever at risk because the cold‑storage layer requires multi‑party authorisations, a control the attackers could not satisfy.

A Three‑Day Multichain Warm‑Up

  • July 16 – The operation begins with a 1 ETH withdrawal from Tornado Cash that is immediately swapped on FixedFloat, parked briefly on Polygon, and then bridged to Solana via deBridge. This cross‑chain hop primed Solana wallets with SOL for fees and signalled the attacker’s intent to blur provenance across ecosystems.

  • July 17 – Infrastructure rehearsal. Nodes, proxy servers, and burner wallets are spun up; small dust movements confirm connectivity while the attackers finalise targets.

  • July 18 – A 1 USDT “test” transfer is pushed from the compromised wallet, an on‑chain canary confirming the private key has been fully hijacked and the route back to Tornado Cash is clear.

At 22:09 UTC on July 18, the siphoning starts. In just five minutes, the attackers execute a sequence of high‑velocity withdrawals, each signed from the same hot wallet, draining roughly $44 million in USDT. Small follow‑up transactions in USDC and USDT sweep residual balances and close the on‑chain loop.

Because internal alerting triggered quickly, only a single wallet was drained. All other liquidity wallets were rotated, API keys revoked, and outbound bridges black‑holed. The attackers, however, had already bridged much of the loot back to Ethereum and begun layering via mixers.

In short, what looked like a simple private‑key theft was the finale of a carefully choreographed multichain campaign spanning Tornado Cash → Ethereum → FixedFloat → Polygon → deBridge → Solana → multiple bridges → Ethereum, a playbook reminiscent of state‑sponsored crews who favour long staging windows and surgical execution.
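The warm‑up above (a 1 USDT test to a new counterparty, then a burst of large withdrawals from the same hot wallet within five minutes) is a pattern an exchange can alert on from its own transfer log. The following is an added detection example written for this article, not code from CoinDCX or Blockscope; the wallet names and amounts are constructed placeholders, and the thresholds are assumptions to tune per wallet.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Transfer = namedtuple("Transfer", "ts src dst token amount")

# Constructed sample log for one hot wallet (placeholder names, amounts in stablecoin units).
# Timing mirrors the report: a 1 USDT test at 21:07, then large withdrawals from 22:09 onward.
HOT = "HOT_WALLET_PLACEHOLDER"
SAMPLE = [
    Transfer(datetime(2025, 7, 18, 21, 7), HOT, "ATTACKER_A", "USDT", 1.0),
    Transfer(datetime(2025, 7, 18, 21, 30), HOT, "MARKET_MAKER_B", "USDT", 250_000.0),  # routine
    Transfer(datetime(2025, 7, 18, 22, 9), HOT, "ATTACKER_A", "USDT", 9_000_000.0),
    Transfer(datetime(2025, 7, 18, 22, 10), HOT, "ATTACKER_A", "USDT", 12_000_000.0),
    Transfer(datetime(2025, 7, 18, 22, 12), HOT, "ATTACKER_A", "USDT", 11_000_000.0),
    Transfer(datetime(2025, 7, 18, 22, 14), HOT, "ATTACKER_A", "USDT", 12_000_000.0),
    Transfer(datetime(2025, 7, 18, 22, 16), HOT, "ATTACKER_A", "USDC", 40_000.0),  # residual sweep
]

def detect_canary_then_drain(transfers, wallet, dust_max=5.0, test_window=timedelta(hours=2),
                             burst_window=timedelta(minutes=5), burst_min_count=3,
                             burst_min_total=1_000_000.0):
    """Return (severity, message) alerts for outflows of `wallet`: CANARY (medium) is a
    dust-sized transfer to a counterparty not seen earlier in the log (in production, the
    wallet's historical counterparties); BURST (high) is >= burst_min_count outflows totalling
    >= burst_min_total inside burst_window; a BURST paying a CANARY counterparty within
    test_window of the canary is escalated to critical."""
    outs = sorted((t for t in transfers if t.src == wallet), key=lambda t: t.ts)
    alerts, seen, canaries = [], set(), {}  # canaries: counterparty -> time of dust transfer
    for t in outs:
        if t.amount <= dust_max and t.dst not in seen:
            canaries[t.dst] = t.ts
            alerts.append(("medium", f"CANARY {t.amount:g} {t.token} to new counterparty "
                                     f"{t.dst} at {t.ts:%H:%M}"))
        seen.add(t.dst)
    covered = set()  # indices already reported as part of a burst
    for i, start in enumerate(outs):
        if i in covered:
            continue
        window = [j for j in range(i, len(outs)) if outs[j].ts - start.ts <= burst_window]
        total = sum(outs[j].amount for j in window)
        if len(window) < burst_min_count or total < burst_min_total:
            continue
        covered.update(window)
        sev = "high"
        for d in {outs[j].dst for j in window}:
            if d in canaries and timedelta(0) <= start.ts - canaries[d] <= test_window:
                sev = "critical"
        alerts.append((sev, f"BURST {len(window)} transfers totalling {total:,.0f} "
                            f"from {start.ts:%H:%M}"))
    return alerts
```

On the sample log this raises a medium CANARY alert at 21:07 and a critical BURST alert for the four transfers starting at 22:09, roughly an hour before the real drain completed and well inside the window in which a wallet could still be frozen.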

On-Chain Activity

Upon notification by ZachXBT, our team swiftly initiated an extensive backward trace of the stolen funds, starting from Ethereum wallet 0xef0c5b9e0e9643937d75c229648158584a8cd8d2.

Utilizing Blockscope’s proprietary Tracer tool, the team successfully reconstructed the cross-chain journey of the stolen assets, starting from Ethereum, tracing back to Solana, Polygon, and finally originating again from Ethereum through various protocols like deBridge, Mayan Finance, and FixedFloat. Due to Blockscope’s current limitations in supporting Solana chain visualization, specific Solana activities were documented externally using open source explorers.

Tracer maps the entire CoinDCX exploit across EVM chains in detail

Timeline and Breakdown

July 16, 2025 at 1:43 UTC

Initial funding from the Tornado Cash 1 ETH pool to the Exploiter address 0x23d872d2c091438085253787a5c60dc22e6c8c88, which funnels the funds through two hops before depositing them into FixedFloat.

Funding Tx: 0x8d15cd638675131e40a307e1ec01588f0522f247377151ec1490bab7159cfa99

July 16, 2025 at 2:09 UTC

The Polygon Exploiter address 0x03cd775859dd64ef956d9f4ebcb45e3d6e355657 receives the FixedFloat payout of the Ethereum deposit in two transactions, which are eventually bridged to Solana. Using the Transaction Decoder and deBridge Explorer, we were able to find the recipient address on Solana: GVkoTBDBg9u3PFmgG6rapcizkEg6Bhfk6tBfJqugdFcS.

Tx hashes:

0x90083b839d093536104efb592aa46847993dca26a9410faac99aad4ec236f41b

0x5134ceaabe24a65512c7641849bf3088da151dbbda5bbd499c1a693e7a0c4467

Tracer indicates that the funds initially landed on Polygon and were subsequently bridged to Solana.
Using the Transaction Decoder tool and deExplorer, we were able to trace the receiver address on Solana.

July 16, 2025 at 2:22 UTC

Solana Funder Address GVkoTBDBg9u3PFmgG6rapcizkEg6Bhfk6tBfJqugdFcS starts to fund the Primary Exploiter Address 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n.

On-chain data confirms that wallet GVkoTB... received funds through two incoming transactions from deBridge and immediately transferred them to the primary exploiter.

July 18, 2025 at 21:07 UTC

The exploit began with a test transaction involving just 1 USDT, likely to confirm full access to the exchange wallet Ge8dzF234QHZKFh7TYyZqdipn3BoHyZfoyz9fxEqdTRi. Once access was verified, the exploiter proceeded to drain large sums from the wallet. The stolen funds were then swapped and bridged to Ethereum through deBridge and Mayan Finance, effectively moving them off the original chain.

Test Tx: 5KN91UvSLNR3ygAvXiRRyPofnzDFawT9rxbxSfdg6bai1WwbDizv5nM1etWPR2m7Rg4vTrLmXLEy6CSPcDjGJBQQ

Test Transaction of 1 USDT

A series of outflows from the exchange wallet led to the depletion of approximately $45 million in assets.

July 18, 2025 at 22:50 UTC

Bridged funds from Solana were received on Ethereum and were deposited into multiple intermediaries, eventually consolidating in one wallet, 0xef0c5b9e0e9643937d75c229648158584a8cd8d2. As of July 23, all the funds of the exploit are being held by this address on Ethereum.
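The backward trace described under On‑Chain Activity and walked through in the timeline above reduces to a graph search: start at the consolidation wallet, follow incoming transfers in reverse, and stop at wallets with no inbound history, recording every chain crossing on the way. The code below is an added illustration for this article, not Blockscope's Tracer; the graph is constructed from the hops the timeline describes, with placeholder names standing in for the real addresses.

```python
from collections import defaultdict, deque

# Constructed graph standing in for the report's addresses: the chain each wallet lives on and
# the observed transfers (src, dst, note). Wallet names are placeholders, not real addresses.
NODES = {
    "TORNADO_1ETH": "ethereum", "FUNDER": "ethereum", "HOP1": "ethereum", "HOP2": "ethereum",
    "FIXEDFLOAT": "ethereum", "POLY_EXPLOITER": "polygon", "SOL_FUNDER": "solana",
    "SOL_PRIMARY": "solana", "EXCHANGE_HOT": "solana", "ETH_INTERMEDIARY": "ethereum",
    "ETH_HOLDER": "ethereum",
}
EDGES = [
    ("TORNADO_1ETH", "FUNDER", "mixer withdrawal"), ("FUNDER", "HOP1", ""), ("HOP1", "HOP2", ""),
    ("HOP2", "FIXEDFLOAT", "swap deposit"), ("FIXEDFLOAT", "POLY_EXPLOITER", "swap payout"),
    ("POLY_EXPLOITER", "SOL_FUNDER", "deBridge"), ("SOL_FUNDER", "SOL_PRIMARY", "gas funding"),
    ("EXCHANGE_HOT", "SOL_PRIMARY", "drain"), ("SOL_PRIMARY", "ETH_INTERMEDIARY", "deBridge/Mayan"),
    ("ETH_INTERMEDIARY", "ETH_HOLDER", "consolidation"),
    ("ETH_HOLDER", "ETH_INTERMEDIARY", "dust back"),  # a cycle the trace must not loop on
]

def trace_back(nodes, edges, target, max_hops=25):
    """Breadth-first backward trace from `target` to every origin (a wallet with no incoming
    transfer). Returns {origin: path}; a path is the list of (wallet, chain, note) hops from
    target back to that origin. The visited set stops cycles and max_hops bounds the search."""
    preds = defaultdict(list)
    for src, dst, note in edges:
        preds[dst].append((src, note))
    origins, visited = {}, {target}
    queue = deque([(target, [(target, nodes[target], "")])])
    while queue:
        node, path = queue.popleft()
        if not preds[node]:
            origins[node] = path
            continue
        if len(path) > max_hops:
            continue
        for src, note in preds[node]:
            if src not in visited:
                visited.add(src)
                queue.append((src, path + [(src, nodes[src], note)]))
    return origins

def chain_route(path):
    """Collapse a backward path into the origin-to-target sequence of chains, which for the
    funding leg in the report reads Ethereum, Polygon, Solana, Ethereum."""
    route = []
    for _, chain, _ in reversed(path):
        if not route or route[-1] != chain:
            route.append(chain)
    return route
```

Run against the constructed graph, the trace from ETH_HOLDER yields two origins: the exchange hot wallet (the stolen principal) and the Tornado Cash pool (the gas and staging funds), which is exactly the split a defender needs in order to separate victim funds from attacker‑provided capital.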

Monitoring

Blockscope continues intensive real-time monitoring of the Exploiter's wallet 0xef0c5b9e0e9643937d75c229648158584a8cd8d2, currently holding all the funds. Observations and insights are continuously updated on Blockscope’s public watchtower.

Link: https://www.blockscope.co/community/watchtowers/6880179f0d4c4d77d3c6b19d

Wallet Profiler shows all the funds reside on one address on Ethereum

CoinDCX & WazirX: Echoes of Lazarus Group?

The striking similarities between the CoinDCX breach and last year’s WazirX incident, both marked by sophisticated intrusions, precise execution, and extensive cross-chain obfuscation, raise serious concerns. Notably, both attacks occurred on the same date, an unusual coincidence that adds to the intrigue. Given the advanced tactics employed in both cases, the potential involvement of North Korea’s Lazarus Group, a threat actor infamous for cyber-espionage and high-profile crypto heists, remains a credible and concerning possibility.

Security firm Cyvers has also highlighted these attack methodologies as indicative of Lazarus Group's known modus operandi, strongly suggesting a targeted focus on India's major cryptocurrency platforms. Enhanced preemptive threat prevention strategies are now essential, as these incidents serve as dire warnings rather than isolated events.

Conclusion

CoinDCX’s response, issued shortly after ZachXBT’s public disclosure, appeared more reactive than coordinated, suggesting internal uncertainty rather than clear communication. The potential involvement of North Korean state-sponsored cyber actors underscores not only a financial risk but also a broader security concern for India's cryptocurrency ecosystem and the global digital asset landscape. To mitigate such threats, exchanges must prioritize robust internal security protocols, implement real-time blockchain monitoring, and actively collaborate with cybersecurity experts.

Investigation by: Tushar Tiwari, Forensics Analyst @ Blockscope

For more information, please reach out to us at [email protected]

Disclaimer: Best Effort Investigation

This investigation and its findings represent our best effort based on the information available at the time. However, please be aware of the following limitations:

  • The data used in this investigation may contain inaccuracies, omissions, or errors.

  • Information sources may be incomplete or subject to change.

  • New evidence may emerge that could alter the conclusions.

  • Analysis and interpretations are based on current understanding and may evolve.

We have made every reasonable attempt to ensure accuracy, but cannot guarantee that all information is entirely correct or complete. This report should be considered a snapshot of our current knowledge and understanding, subject to revision as new information becomes available.
