The Indian cryptocurrency exchange CoinDCX has become the latest high-profile target in a growing wave of sophisticated cross-chain heists, with cybersecurity investigators now attributing the $44 million theft of July 19, 2025 to the notorious Lazarus Group, a North Korean state-sponsored hacking collective.
The attack compromised one of CoinDCX's operational wallets on Solana and involved the rapid, automated siphoning of USDT and USDC tokens. It bears a striking similarity to the WazirX breach of July 2024, almost exactly one year earlier, which resulted in roughly $234 million in losses.
The CoinDCX team has confirmed the breach, assuring that user funds remain secure and that the impacted wallet was part of the platform’s operational infrastructure rather than its user custodial accounts. However, the scale and method of the breach have raised serious concerns about systemic vulnerabilities in Indian crypto infrastructure, particularly in light of repeated attacks targeting the region’s largest exchanges.
According to the cybersecurity firm Cyvers Alerts, which first reported the attack, Lazarus Group carried out a meticulously coordinated operation involving pre-attack reconnaissance, test transactions, and swift asset extraction. The group reportedly initiated a “test transaction” of just 1 USDT on July 16 - likely to validate access and monitor response mechanisms - before executing seven high-speed transactions on July 19 that drained approximately $44.2 million in USDT and USDC from the targeted wallet. The entire operation was completed in under five minutes.
Cyvers' investigators described the breach as "alarming in its speed, cross-chain sophistication, and timing." The firm emphasized that the same exploit pattern was used in the WazirX breach in 2024, suggesting a persistent and targeted campaign by Lazarus focused on Indian crypto infrastructure. "These are not coincidences, but coordinated operations meant to test and exploit regional exchange vulnerabilities," Cyvers warned in a public statement. "Lazarus is accelerating its focus on India, and threat prevention is no longer optional - it is the last line of defense."
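The sequence Cyvers describes, a 1 USDT transfer to an address the wallet had never paid, followed three days later by a burst of large transfers from the same wallet, is exactly the kind of pattern an exchange's own monitoring should catch. As an added illustration (not code from the article, CoinDCX or Cyvers), the Python below turns that timeline into two rules run over a constructed transfer log: a "probe" rule for dust-sized transfers to previously unseen destinations, and a sliding-window "burst" rule for cumulative outflow in a short interval, with a third function that correlates the two. Every wallet label, amount and timestamp is made up for the example; a real deployment would feed the same functions from a Solana indexer or RPC subscription instead of the inline list. The same logic is what the later call for real-time on-chain monitoring requirements amounts to in practice.

```python
"""Probe-then-drain detection over hot-wallet outflows.

Added example, not from the article or any exchange's production code.
All addresses, amounts and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime   # block time
    src: str       # sending wallet
    dst: str       # receiving wallet
    token: str     # "USDT" or "USDC"
    amount: float  # token units; stablecoins, so roughly USD


# Tunables (assumed values for the example, not an industry standard).
PROBE_MAX = 5.0                    # at or below this is "dust" / probe sized
PROBE_LOOKBACK = timedelta(days=7)  # how far back to link a probe to a drain
BURST_WINDOW = timedelta(minutes=5)
BURST_TOTAL = 1_000_000.0          # outflow within BURST_WINDOW that alerts

HOT_WALLET = "HOT_WALLET_EXAMPLE"          # hypothetical operational wallet
DRAIN_DESTINATION = "DRAIN_DST_EXAMPLE"    # hypothetical attacker address


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed transfer log: routine payouts, one 1 USDT probe on July 16,
# then seven transfers totalling 44.2M within three minutes on July 19.
SAMPLE_TRANSFERS = [
    Transfer(_t("2025-07-14T09:00:00"), HOT_WALLET, "USER_A_EXAMPLE", "USDT", 120_000.0),
    Transfer(_t("2025-07-14T09:00:30"), HOT_WALLET, "USER_B_EXAMPLE", "USDC", 85_000.0),
    Transfer(_t("2025-07-15T11:12:00"), HOT_WALLET, "USER_A_EXAMPLE", "USDT", 40_000.0),
    Transfer(_t("2025-07-16T03:21:00"), HOT_WALLET, DRAIN_DESTINATION, "USDT", 1.0),
    Transfer(_t("2025-07-17T10:00:00"), HOT_WALLET, "USER_B_EXAMPLE", "USDT", 60_000.0),
] + [
    Transfer(_t("2025-07-19T00:00:00") + timedelta(seconds=30 * i),
             HOT_WALLET, DRAIN_DESTINATION, "USDT" if i % 2 == 0 else "USDC",
             8_200_000.0 if i == 6 else 6_000_000.0)
    for i in range(7)
]


def known_counterparties(history, wallet, before):
    """Destinations `wallet` had already paid strictly before `before`."""
    return {t.dst for t in history if t.src == wallet and t.ts < before}


def detect_probe_transfers(history, wallet):
    """Rule 1: dust-sized transfer to an address this wallet has never paid."""
    alerts = []
    for t in sorted(history, key=lambda x: x.ts):
        if t.src != wallet or t.amount > PROBE_MAX:
            continue
        if t.dst not in known_counterparties(history, wallet, t.ts):
            alerts.append(t)
    return alerts


def detect_burst_drain(history, wallet):
    """Rule 2: sliding window over outflows; returns the heaviest window
    (start, end, total, destinations) whose total reaches BURST_TOTAL, else None."""
    outs = sorted((t for t in history if t.src == wallet), key=lambda t: t.ts)
    best, start, total = None, 0, 0.0
    for end, t in enumerate(outs):
        total += t.amount
        while t.ts - outs[start].ts > BURST_WINDOW:   # shrink window from the left
            total -= outs[start].amount
            start += 1
        if total >= BURST_TOTAL and (best is None or total > best[2]):
            best = (outs[start].ts, t.ts, total,
                    sorted({w.dst for w in outs[start:end + 1]}))
    return best


def correlate_probe_and_drain(history, wallet):
    """Link a burst to earlier probes that paid one of its destinations."""
    burst = detect_burst_drain(history, wallet)
    if burst is None:
        return None
    start, _, total, dsts = burst
    probes = [p for p in detect_probe_transfers(history, wallet)
              if p.dst in dsts and start - PROBE_LOOKBACK <= p.ts < start]
    return {"burst_start": start, "burst_total": total,
            "destinations": dsts, "probes": probes}


if __name__ == "__main__":
    print(correlate_probe_and_drain(SAMPLE_TRANSFERS, HOT_WALLET))
```

Two caveats a practitioner would add. First, the probe rule is noisy on its own: small first-time withdrawals are routine on an exchange, so in production the "never paid" check should be made against the exchange's own withdrawal ledger and allowlist rather than raw chain history, and a dust transfer to an address no customer has registered is the real signal. Second, an alert that fires after the first multi-million transfer still leaves several minutes of drain, so monitoring of this kind only pays off when it is wired to a hard control such as a per-window outflow cap that pauses the signer or demands a second approval above a threshold.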
Lazarus Group’s Expanding Focus on South Asia
The Lazarus Group, formally tracked by U.S. intelligence and cybersecurity agencies since at least 2014, has been linked to numerous major crypto and fintech heists in recent years, including:
- The $620 million Ronin Bridge hack (Axie Infinity) in 2022
- The $100 million Harmony Horizon Bridge hack in June 2022
- Multiple wallet-draining campaigns targeting retail and institutional users
Experts believe that the North Korean regime uses these stolen funds to bypass international sanctions and fund its nuclear weapons program. Over the last two years, Lazarus has shifted its focus toward DeFi platforms, cross-chain bridges, and centralized exchanges in Asia, particularly in India and Southeast Asia, where regulatory oversight and cybersecurity investment remain uneven.
In 2023 alone, the group was linked to over $1.8 billion in stolen crypto assets, making it one of the most destructive players in the digital asset space.
CoinDCX Responds: Launches $11M Recovery Bounty Program
In response to the breach, CoinDCX has launched an aggressive recovery and investigation campaign, including a bounty program offering up to 25% of recovered assets - which could amount to over $11 million - for individuals or whitehat teams that assist in tracing and retrieving the stolen funds.
CoinDCX CEO Sumit Gupta issued a public statement on X, vowing to pursue the perpetrators and work with partners across the ecosystem to improve resilience and threat detection.
“This is bigger than a refund - it’s about ensuring this doesn’t happen again, to us or anyone else in the industry,” Gupta said. “We will fight this and make sure the Indian crypto community emerges stronger.”
Gupta emphasized that transparency and cross-industry cooperation will be key to preventing future incidents and reaffirmed the platform’s commitment to compensating affected operations without drawing from user funds.
Growing Calls for National Cyber Defense Coordination
The attack on CoinDCX has renewed calls from industry leaders for centralized cybersecurity coordination, including a potential Indian blockchain threat intelligence center, to monitor exploits, exchange vulnerabilities, and threat actors in real time.
Crypto exchanges in India currently operate under an evolving regulatory environment with fragmented compliance norms and inconsistent investment in infrastructure security. Analysts argue that this fragmented approach leaves them increasingly vulnerable to well-resourced, state-backed adversaries like Lazarus.
“India’s crypto economy is booming, but its security posture is not keeping up,” said digital security researcher Anshul Arora, who advises several fintech firms. “We need a joint response framework that includes exchanges, law enforcement, and the government’s cybersecurity arm. Lazarus is not operating in isolation, and neither can we.”
Indian exchanges like CoinDCX and WazirX process billions in annual transaction volume and serve millions of users domestically and abroad. As India’s crypto adoption grows, so does its visibility - and vulnerability - on the global stage.
Implications for Crypto Regulation in India
The incident could also reignite policy debates in India, where crypto regulation has remained in flux despite the Reserve Bank of India’s (RBI) push for stricter controls. While the Finance Ministry has clarified that crypto assets will be subject to taxation and anti-money laundering rules, there is no dedicated crypto security law or exchange-specific cybersecurity requirement.
Security experts believe the time has come for India to introduce mandatory crypto infrastructure audits, including:
- Multi-sig and MPC wallet standards
- Real-time on-chain monitoring requirements
- Compulsory whitehat attack simulations (penetration testing)
- Rapid incident response and disclosure rules
Without such proactive measures, they warn, India’s growing Web3 ecosystem could become a preferred target for nation-state actors.
Final thoughts
Despite the severity of the hack, CoinDCX appears to be taking a proactive stance, focusing on containment, transparency, and ecosystem collaboration. The company is reportedly working with chain analytics firms, law enforcement agencies, and international security partners to track the stolen funds, which may have already been bridged to multiple networks and mixed through privacy tools.
Meanwhile, the Indian crypto community has largely rallied behind CoinDCX’s response, recognizing the increasing complexity and geopolitical nature of cybersecurity threats in Web3.
As investigations continue, this latest breach serves as a wake-up call - not only for Indian exchanges but for emerging market crypto platforms globally.
The Lazarus Group’s latest operation reaffirms that Web3 security is now a matter of national interest, and prevention, not just reaction, must become the new standard.