CoinDCX, one of India’s largest cryptocurrency exchanges, suffered a major security breach, which wiped out nearly $44 million (around Rs 378 crore) from the platform, even as the company has said that customer funds remained unaffected and safe.
While the company has said it will cover the exposure entirely from its own reserves, the incident highlights security concerns in the highly volatile cryptocurrency world, and follows one of the biggest security breaches of a similar exchange, WazirX, last year, where hackers stole $230 million of users’ holdings.
What caused the breach at CoinDCX?
According to an incident report published by CoinDCX on Sunday, on July 19, one of its internal operational accounts, used solely for liquidity provisioning on a partner exchange, was compromised due to a “sophisticated server breach”.
Immediate preliminary investigation into the breach showed unauthorised access to CoinDCX’s account on one of its partner exchanges. “The attacker accessed the account used for operational liquidity provisioning by penetrating our liquidity infrastructure,” the report said.
Proceeds (~$44M) were routed through multiple hops and finally landed on 2 wallets, CoinDCX said. The attacker primarily used the Solana-Ethereum bridge via Wormhole, and Jupiter as the swap aggregator. Funds were moved in batches of 1,000-4,000 SOL, indicating “systematic and deliberate behavior,” the report said.
All assets were eventually bridged to Ethereum and consolidated into a single ETH wallet, which currently holds approximately 4,443 ETH (~$15.7 million). As of now, the originating Solana wallet still holds 155,830 SOL ($27.6 million) in dormant assets.
The company said it was carrying out a detailed forensic probe into the incident along with two globally reputed security agencies, and it has also alerted the Indian Computer Emergency Response Team (Cert-In).
Story continues below this ad
What will happen to users’ funds on CoinDCX?
The company said it quickly contained the incident by isolating the affected operational account. “Since our operational accounts are segregated from customer wallets, the exposure is only limited to this specific account and is being fully absorbed by us – from our own treasury reserves,” it said.
It added that all customers’ assets remain secure and fully accessible. CoinDCX said customers’ assets are held in segregated cold wallets, protected by multi-layer custody and offline security controls.
“Our operational accounts are structurally separated from customer wallets, by design. CoinDCX maintains a robust reserve system to absorb such incidents and this reserve is being used to fully cover the loss,” it added.
It added that its services remained fully operational. “Trading activity, INR deposits and INR withdrawals continue. INR withdrawals below Rs 5 lakhs will reflect in your account within 5 hours, while withdrawals above Rs 5 lakhs will be processed within 72 hours. The incident was isolated and has no impact on your portfolio access or operations,” CoinDCX said.
Story continues below this ad
What have been some of the biggest crypto breaches?
Last year, WazirX, one of the country’s major cryptocurrency firms, suffered one of the biggest cyberattacks on an Indian exchange after hackers allegedly stole more than $230 million of users’ holdings, which was nearly half of the platform’s reserves.
2022 was the biggest year for crypto hacks. According to blockchain data platform Chainalysis, over $3.8 billion worth of cryptocurrency was stolen from users in 2022. In 2023, the number came down to about $1.7 billion.
The biggest crypto hack so far took place in March 2022 when hackers attacked the Ronnin network. They stole about $625 million worth of Ethereum and the USDC stablecoin. In August 2021, a hacker exploited a vulnerability in Poly Network’s system, stealing over $600 million in funds, but surprisingly did not leave with the entire amount and returned most of it. In October 2022, the Binance crypto exchange suffered a major security breach, resulting in a loss equivalent to $570 million.
