New Delhi, Jul 20 (PTI) Indian cryptocurrency exchange CoinDCX has suffered a security breach, resulting in theft of USD 44.2 million, or ₹378 crore, even as the founders took to X to reassure that customer funds remained unaffected and safe, with the compromise limited to an internal operational account.
The total exposure is being absorbed entirely by CoinDCX, using the company’s treasury reserves, the company said in a First Incident Report released on Sunday.
According to the report, on July 19, at 4 AM IST, CoinDCX security systems detected an incident involving unauthorised access to one of its accounts on the partner exchange, leading to a financial exposure of about USD 44 million.
The incident once again puts the spotlight on mounting security threats in the highly volatile world of cryptocurrencies. Last year, crypto exchange WazirX faced a hack in India, leading to the loss of more than USD 230 million, and marking one of the biggest such heists in India. The theft had prompted a thorough examination of safety measures and eroded sentiments.
CoinDCX co-founders Sumit Gupta and Neeraj Khandelwal took to the social media platform X to address the situation, confirming that the attack was the result of a sophisticated server breach, targeting an internal wallet, not the ones holding customer assets.
The incident was first flagged by blockchain investigator ZachXBT, following which the exchange made the disclosure public.
“Today, one of our internal operational accounts — used only for liquidity provisioning on a partner exchange — was compromised due to a sophisticated server breach. I confirm that the CoinDCX wallets used to store customer assets are not impacted and are completely safe. This won’t cause any loss to our customers. CoinDCX will be bearing the full amount,” Gupta said.
“The total amount lost was USD 44Mn out of our treasury assets. Coindcx Treasury will be bearing these losses,” Khandelwal wrote.
Following this, users rushed to check their balances, leading to a spike in withdrawal requests. The sudden surge in activity led to CoinDCX’s portfolio APIs, which display user balances and transaction histories, becoming jammed and unresponsive. For several hours, many were unable to even see their holdings on the app, adding fuel to rumours and anxiety online.
The co-founders later updated that Portfolio APIs have been restored.
Affected infrastructure has been completely isolated, and CoinDCX operations continue to run normally, the company said.
CERT-In, or the Indian Computer Emergency Response Team, has been informed about the incident. Detailed forensics with two globally reputed security agencies is being carried out, and reports will be shared for public benefit, it added.
“CoinDCX services remain fully operational. Trading activity, INR deposits and INR withdrawals continue. INR withdrawals below ₹5 lakhs will reflect in your account within 5 hours, while withdrawals above ₹5 lakhs will be processed within 72 hours. The incident was isolated and has no impact on your portfolio access or operations,” the company stated.
Social media is flooded with mixed reactions. While some praised CoinDCX for absorbing the losses and protecting user funds, others criticised the delay in public disclosure and raised concerns over the broader security of crypto platforms in India.
“Coindcx silent for 17 hours? That’s more suspense than a thriller! In crypto, transparency isn’t optional; it’s key. Stay open to keep trust alive!” a user wrote.
“Good to see CoinDCX acting responsibly, assuring user funds are safe, and not passing losses onto customers. Sets a positive precedent for Indian crypto exchanges,” another said.