The Indian crypto exchange CoinDCX suffered a significant cyberattack, resulting in a loss of $44.2 million. This breach has been attributed to the North Korean Lazarus Group, a notorious hacking collective known for its sophisticated cyber operations. The attack was first detected by a blockchain security platform, which revealed that the hackers siphoned funds from CoinDCX’s internal operational wallets. These wallets were used exclusively for liquidity provisioning on a partner exchange, ensuring that user funds remained unaffected.
The attackers initiated the exploit by transferring 1 ETH through Tornado Cash, a cryptocurrency mixer known for laundering stolen assets. Shortly after this transaction, approximately $15.8 million of the stolen cryptocurrency was bridged to
using cross-chain protocols. Blockchain security experts traced the destination wallet, which has since received over 12,144 ETH, equivalent to more than $46 million at the current price. The hacker’s wallet has conducted at least ten Ethereum transactions since the breach, with significant transfers occurring within a short timeframe.
CoinDCX has launched a formal Recovery Bounty Program, offering a bounty of up to 25% from a pool of $11 million to anyone who helps recover any amount of the stolen digital assets. The exchange’s co-founders, Sumit Gupta and Neeraj Khandelwal, emphasized that the exploited funds came exclusively from CoinDCX’s corporate treasury and not from customer holdings. The exchange has begun overhauling its security frameworks and re-engineering parts of its system architecture to prevent future incidents.
The recovery initiative has received support from various entities, including the
Foundation, Superteam, and bridge partners Wormhole and deBridge. CoinDCX has also lauded cybersecurity firms and blockchain forensics entities for their assistance in the ongoing investigation. However, there have been questions about the exchange’s transparency, as it was silent for approximately 17 hours after the exploit and gave no public comment during the early window of the attack. During this time, the stolen funds were actively moved across several wallets and networks in calculated transactions.
The incident highlights the ongoing threat of cybercrime in the cryptocurrency industry. The Lazarus Group’s involvement in the CoinDCX heist underscores the need for enhanced security measures and vigilance among crypto exchanges and users alike. The exchange’s proactive steps to recover the stolen funds and improve its security infrastructure are commendable, but the incident serves as a reminder of the persistent risks in the digital asset space.
According to Deddy Lavid, CEO of Cyvers, the attackers acted according to a scheme very similar to previous operations conducted by DPRK (North Korean) hackers. One of the distinctive features of their tactics is the use of the cryptomixer Tornado Cash and cross-chain bridges to conceal the flow of funds. Lavid speculated that the attackers gained access to the backend via open API keys, improper system settings, or vulnerabilities in account permissions. Once inside, they used legitimate account privileges to transfer assets from Solana to Ethereum, subsequently laundering the funds through Tornado Cash.
The sophistication of the attack and in-depth knowledge of liquidity mechanisms on centralized exchanges indicate that highly experienced and well-organized cybercriminals were involved. CoinDCX co-founder Sumit Gupta confirmed that users’ assets were not affected by the hack, and the company has already covered all losses from its own funds. The exchange has announced a bounty program, offering a reward of 25% for any recovered amounts. The team seeks assistance not only in tracing the assets but also in identifying those responsible for the attack.
“More than recovering the stolen funds, what is important for us is to identify and catch the attackers, because such things shouldn’t happen again, not with us, not with anyone in the industry,” Gupta emphasized. The incident serves as a stark reminder of the vulnerabilities within the cryptocurrency ecosystem and the need for continuous improvement in security protocols to safeguard against such sophisticated attacks.