Hack Track: Inside the CoinDCX Exploit

Merkle Science
July 22, 2025

On July 19, 2025, Indian crypto exchange CoinDCX publicly disclosed a security incident involving unauthorized access to one of its operational wallets on the Solana blockchain. While no user funds were affected, approximately $44.2 million in USDC and USDT was siphoned from the wallet and laundered across chains. This article traces the post-exploit fund movements from Solana to Ethereum, outlines the laundering techniques used, and documents CoinDCX’s public recovery and bug bounty response.

CoinDCX Exploit Overview: What Happened

On July 12, 2025, CoinDCX was the target of a sophisticated infrastructure-level exploit. The attackers penetrated the exchange’s server-side systems, gaining unauthorized access to an internal operational wallet used exclusively for liquidity provisioning on a partner exchange.

Unlike typical exploits that seek access to customer funds or private keys, this incident targeted backend infrastructure. The compromised wallet was internet-connected (i.e., a hot wallet) and separate from CoinDCX’s customer wallets and cold storage. It was also excluded from the exchange’s published proof-of-reserves.

According to CoinDCX’s investigation, the attack involved:

  1. Server-Side Penetration: Exploitation of backend vulnerabilities to access infrastructure managing liquidity operations.
  2. Hot Wallet Compromise: Unauthorized withdrawal access to a live operational wallet connected to external liquidity venues.
  3. Partner Exchange Exposure: The wallet was tied to liquidity provisioning on an external exchange, not used in CoinDCX’s customer-facing systems.

CoinDCX disabled the compromised wallet upon discovery, launched an internal investigation, and disclosed the breach publicly on July 19. The company has since initiated a recovery and bug bounty program to address the breach and strengthen its infrastructure.

Merkle Science’s On-Chain Analysis

Merkle Science reviewed the post-exploit movement of funds to understand the CoinDCX attacker's laundering behavior across Solana and Ethereum. The transactions observed suggest a deliberate approach to fragmentation, routing, and eventual consolidation.

Initial Setup and Funding

The attacker received approximately 1 ETH via Tornado Cash shortly before initiating any outbound transactions. This early funding may have been used to cover operational costs such as gas fees and scripting, indicating some level of pre-exploit planning. It also served a critical operational security function by providing clean ETH without revealing the attacker’s original funding source.

The ETH was routed through FixedFloat, a privacy-centric instant exchange, likely swapped for assets compatible with Polygon. These were then bridged to Solana via deBridge, laying operational groundwork on Solana ahead of the exploit.

Outflows From the Compromised Wallet

  • Approximately $44.2 million in USDC and USDT was transferred from the compromised Solana wallet. The attacker routed funds through multiple intermediary wallets, initiating transfers in batches, likely to obscure direct traceability from the source.
  • The proceeds were converted into SOL and moved in transactions of 1,000 to 4,000 SOL, suggesting some degree of automation or manual scripting. The consistent batch sizing indicates a controlled transfer process rather than ad hoc movement.
  • On Solana, the attacker swapped SOL into WETH using Jupiter, a decentralized aggregator that enables access to deep liquidity while fragmenting transaction trails across DEXs. After swap completion, funds were bridged from Solana to Ethereum using the Mayan Bridge, a cross-chain interoperability solution.
  • In the hours following the first Ethereum bridge-out, the attacker shifted to using 10,000 SOL transactions, markedly larger than earlier batches, accelerating exit velocity.

As of this update, the entirety of the stolen assets—approximately $44 million—has been consolidated into a single Ethereum address. The address currently holds ~4,443 ETH and remains under monitoring for further movement.

Fig 1: Flow of Funds Analysis

This laundering flow, spanning Tornado Cash funding, SOL batch fragmentation, and cross-chain movement via Wormhole and Jupiter, required real-time, multi-chain tracing far beyond what static tools can capture.

Merkle Science’s Tracker Is Built for This Level of Sophistication:

  • Cross-Chain Forensics: Tracker decodes transactions across 250+ blockchains and 60+ bridges, enabling real-time visibility into flows like Wormhole → Ethereum or deBridge → Solana, with no indexing lag.
  • Auto-Tracing Across All Pathways: Rather than stopping at shortest-path visualizations, Tracker automatically maps all plausible fund flow pathways, ensuring that intermediary wallets, hidden hops, and secondary bridges are not overlooked.
  • Real-Time Watchlist Alerts: Investigators can configure alerts tied to high-risk wallets, bridge usage, or transaction patterns (e.g., repeat 10,000 SOL transfers).
  • Advanced Filtering: Quickly narrow down searches by transaction type, amount, protocol, and counterparty, cutting through noise to identify high-risk transactions faster.
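The batch-sizing pattern described under "Outflows From the Compromised Wallet" (repeated 1,000 to 4,000 SOL transfers, later escalating to 10,000 SOL) is the kind of behaviour the watchlist alert bullet above refers to. The following standalone detector is an added example written for this article; it is not Merkle Science Tracker code or CoinDCX code. Every address, timestamp and amount in the sample ledger is constructed, and the bridge label is a hypothetical placeholder rather than a real contract. It groups round-sized outflows from a watchlisted wallet into time-bounded runs, counts how many of them land on a bridge, and flags a run whose batch size has jumped relative to an earlier run from the same source.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime   # block time
    src: str       # "chain:address" (constructed identifiers)
    dst: str
    asset: str
    amount: float


# Constructed watchlist and bridge labels: hypothetical addresses, not on-chain entities.
WATCHLIST = {"sol:hop1"}
BRIDGES = {"sol:bridge1"}


def _t(hour, minute):
    """Constructed timestamps, all on one day, for the sample ledger."""
    return datetime(2025, 7, 19, hour, minute)


# Constructed sample ledger mirroring the pattern in the post: several
# 1,000-4,000 SOL batches, a quiet gap, then repeated 10,000 SOL batches to a bridge,
# plus unrelated noise that must not trigger an alert.
SAMPLE = [
    Transfer(_t(1, 0), "sol:hop1", "sol:hop2", "SOL", 1000),
    Transfer(_t(1, 7), "sol:hop1", "sol:hop2", "SOL", 2000),
    Transfer(_t(1, 15), "sol:hop1", "sol:hop3", "SOL", 4000),
    Transfer(_t(1, 20), "sol:hop1", "sol:hop3", "SOL", 4000),
    Transfer(_t(1, 31), "sol:user9", "sol:hop1", "SOL", 0.05),   # inbound dust, ignored
    Transfer(_t(1, 40), "sol:hop1", "sol:bridge1", "SOL", 3000),
    Transfer(_t(5, 2), "sol:hop1", "sol:bridge1", "SOL", 10000),
    Transfer(_t(5, 9), "sol:hop1", "sol:bridge1", "SOL", 10000),
    Transfer(_t(5, 14), "sol:hop1", "sol:bridge1", "SOL", 10000),
    Transfer(_t(9, 0), "sol:other", "sol:hop4", "SOL", 2000),    # not watchlisted
]


def is_round(amount, step=1000.0):
    """True for whole multiples of `step`, i.e. scripted batch sizes such as 1,000 or 10,000."""
    return amount >= step and abs(amount / step - round(amount / step)) < 1e-9


def batch_runs(transfers, watchlist, max_gap=timedelta(minutes=30), min_len=3):
    """Group round-sized outflows from watchlisted sources into runs whose consecutive
    transfers are at most `max_gap` apart; keep runs with at least `min_len` transfers."""
    by_src = defaultdict(list)
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src in watchlist and is_round(t.amount):
            by_src[t.src].append(t)
    runs = []
    for src, txs in by_src.items():
        run = [txs[0]]
        for t in txs[1:]:
            if t.ts - run[-1].ts <= max_gap:
                run.append(t)
            else:
                if len(run) >= min_len:
                    runs.append((src, run))
                run = [t]
        if len(run) >= min_len:
            runs.append((src, run))
    return runs


def describe(src, run, bridges):
    """Summarise one run: count, total, distinct batch sizes and how many hops hit a bridge."""
    amounts = [t.amount for t in run]
    return {
        "source": src,
        "count": len(run),
        "total": sum(amounts),
        "sizes": sorted(set(amounts)),
        "bridge_hops": sum(1 for t in run if t.dst in bridges),
        "window_start": run[0].ts.isoformat(),
        "window_end": run[-1].ts.isoformat(),
    }


def alerts(transfers, watchlist=WATCHLIST, bridges=BRIDGES):
    """Produce one alert per run, marking escalation when a run's smallest batch is at
    least double the largest batch of any earlier run from the same source."""
    out = [describe(src, run, bridges) for src, run in batch_runs(transfers, watchlist)]
    for i, a in enumerate(out):
        a["escalation"] = any(
            min(a["sizes"]) >= 2 * max(b["sizes"])
            for b in out[:i] if b["source"] == a["source"]
        )
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE):
        print(a)
```

Run as-is, the sample yields two alerts for `sol:hop1`: a five-transfer run totalling 14,000 SOL with one bridge hop, and a later three-transfer run of 10,000 SOL batches, all to the bridge, marked as an escalation. The gap, step and minimum-run parameters are the tuning knobs an investigator would adjust per chain and per asset.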

CoinDCX Bug Bounty and Recovery Initiative

In response to the exploit, CoinDCX launched what it described as India’s largest crypto recovery bounty, offering a total reward pool of $1 million. The program aims to encourage ethical disclosures, assist in fund recovery, and strengthen the exchange’s infrastructure security.

Key Details:

  • The initiative is open to security researchers, ethical hackers, and white-hat contributors, as well as any individuals or entities with actionable intelligence on the exploit or the attacker’s identity.
  • The bounty program is outcome-based, with reward tiers depending on the value and impact of the information provided.
  • CoinDCX has committed to providing legal and financial support for individuals who come forward with valid intelligence that can aid in attribution or recovery.

In parallel, CoinDCX is conducting a comprehensive audit of its infrastructure and reviewing access controls and wallet architecture. The exchange has stated that it will publish findings and improvements from this process to improve transparency and raise the bar for infrastructure-level security across the industry.

Final Thoughts: Attacker Behavior Is Shifting Toward Operational Infrastructure

The CoinDCX exploit is part of a growing pattern of security incidents that reveal a clear evolution in how attackers are targeting centralized cryptocurrency exchanges. In the first half of 2025, more than half of the major crypto thefts reported globally have involved centralized platforms. These are no longer just attacks on smart contract code or protocol logic. Instead, they focus on the systems that manage internal liquidity, authorize transactions, and connect backend infrastructure to partner exchanges. Recent breaches at exchanges such as Bybit, Phemex, Nobitex, and BigONE illustrate this shift.

Further, while the motivations behind each incident may differ, ranging from financially driven theft to politically motivated disruption, the technical vector remains consistent. Attackers are no longer breaching surface-level systems—they are targeting the infrastructure that powers core exchange operations. This includes hot wallet orchestration, backend signing processes, liquidity automation tools, and internal API layers that interface with custodians or liquidity partners. These components, often designed for speed and uptime, have become high-value access points when not adequately segmented, monitored, or secured.

Hot wallet systems have emerged as particularly vulnerable. Incidents involving CoinDCX, BitoPro, and BigONE all exploited moments where internal controls were temporarily relaxed or misaligned with operational needs. These moments often occur during wallet upgrades, maintenance procedures, or automated liquidity provisioning, when internal monitoring may be deprioritized in favor of uptime or performance.

In parallel, attackers are demonstrating a higher degree of strategic planning in how they handle the assets themselves. After gaining access, they are not simply withdrawing funds and bridging them blindly. Instead, they are selecting asset types, swap routes, and bridging pathways with clear intent. Stablecoins such as USDC and USDT are often converted into assets like ETH or DAI, which lack centralized control mechanisms, in order to reduce the risk of issuer-initiated freezes or seizure. Assets are often prepared in advance for compatibility with specific bridges to ensure uninterrupted movement across chains.

Aggregators like Jupiter and 1inch are frequently used in laundering schemes because they enable deep liquidity access, reduce slippage on large swaps, and fragment transaction trails by splitting a single transaction across multiple DEXs and liquidity pools—complicating forensic tracing by creating dispersed, parallel transaction paths that are harder to correlate across chains.

These trends point to a deeper need for structural reform in how exchanges approach infrastructure security. As attacks continue to shift away from user interfaces and toward backend systems, exchanges must adopt a security posture that treats operational wallets, automated systems, and internal connectivity as first-class risk surfaces. Protecting these systems requires more than additional controls. It requires a complete reevaluation of how centralized platforms design, monitor, and govern the infrastructure that keeps their operations running.

At Merkle Science, we’re continuing to monitor fund movements, support attribution efforts, and collaborate with ecosystem partners on recovery. Our investigations are powered by Tracker, which enables real-time cross-chain tracing, watchlist alerts, and attribution transparency to accelerate response and support containment. Get in touch for a demo today.