CoinDCX launches a Recovery Bounty Program offering up to $11M

Indian cryptocurrency exchange CoinDCX is offering a bounty of up to 25%, from a pool of $11 million, to anyone who helps recover any amount of the $44.2 million drainage from its internal treasury on July 19, 2025. 

As announced by the exchange’s co-founders on X Monday, the company has launched a formal Recovery Bounty Program to recover the stolen digital assets, in addition to identifying and prosecuting those responsible.

The breach was first detected by blockchain security platform Cyvers Alerts, which explained how the hacker siphoned funds from CoinDCX’s internal operational wallets. According to the exchange, these wallets were reportedly used only for liquidity provisioning on a partner exchange. 

Co-founders Sumit Gupta and Neeraj Khandelwal also reiterated that the exploit did not affect user funds.

Hacker funded attack through Tornado Cash

According to Cyvers Alerts, the attacker initiated the exploit by transferring 1 ETH through Tornado Cash, a crypto mixer linked to laundering stolen assets. Shortly after the funding transaction, roughly $15.8 million of the stolen crypto was bridged to Ethereum through cross-chain protocols.

Blockchain security sleuth ZachXBT traced the destination wallet identified on Etherscan as 0xEF0c5b9E0E9643937D75C229648158584A8CD8D2. This wallet has since received over 12,144 ETH, equivalent to more than $46 million at the current price of $3,818 per coin.

Etherscan data reveals the hacker’s wallet has conducted at least ten Ethereum transactions since July 19. Among them, a major transfer of 674.63 ETH took place approximately six hours before the time of writing, originating from address 0xac1891c1…83eC75bEC. 

The same sender also transferred 10 ETH and 7,017 ETH in separate transactions within the same timeframe.

4,443 ETH was transferred to the wallet two days ago, likely as part of the initial exploit. The same sender address was involved in multiple interactions with the wallet now holding the stolen funds.

At press time, the wallet in question holds exactly 12,144.63 ETH, and no other additional tokens have listed under its asset profile. 

CoinDCX transparency questioned

According to a statement released by the exchange earlier today, the exploited funds came exclusively from CoinDCX’s corporate treasury and not customer holdings. “The exposure was from our own reserves, and we have already absorbed it through our corporate treasury,” the press release read.

The trading platform added that it has begun overhauling security frameworks and re-engineering parts of its system architecture.

“Our wallet systems were never compromised, but we’ve still gone deeper, tightening security and redesigning parts of our infrastructure to ensure this never happens again,” it wrote. 

The recovery initiative has received support from the Solana Foundation, Superteam, and bridge partners Wormhole and deBridge.

“Cybercrime is an attack on trust. And when one of us is targeted, all of us feel it,” Khandelwal said in his public address on X. “What is important for us is to identify and catch the attackers, because such things shouldn’t happen again, not with us, not with anyone in the industry.”

CoinDCX lauded cybersecurity firms and blockchain forensics entities, including Sygnia, zeroShadow, and Seal911, for helping in its ongoing investigation. Yet, as reported by ZackXBT on his Telegram channel, its brand marketer, Suchit Karande, was asking community members on Discord to engage with Sumit Gupta’s post thanking him for “transparency.”

CoinDCX was silent for approximately 17 hours after the exploit and gave no public comment during the early window of the attack. In that time, ZachXBT claims, the stolen funds were actively moved across several wallets and networks in calculated transactions.

On his Telegram channel, he shared a TRM Labs flow chart of where the stolen assets were moved to. According to the analysis, there were three addresses involved in the movement of the funds: Solana-based wallet 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n, Bitcoin address 3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu, and lastly, Ethereum wallet 0xEF0c5b9E0E9643937D75C229648158584A8CD8D2.

Your crypto news deserves attention - KEY Difference Wire puts you on 250+ top sites