Published on 20/07/2025 06:28 PM
On Saturday, CoinDCX became the latest major Indian crypto exchange to suffer a breach, with $44.2 million drained from an internal liquidity account. Such incidents highlight a persistent vulnerability in crypto infrastructure, despite platforms' repeated assurances of security.
What happened and how, and why are crypto platforms especially susceptible to breaches? Mint explains.
On 19 July, CoinDCX, India’s second-largest crypto exchange, suffered a cyberattack that cost it $44.2 million. The breach occurred in an internal operational wallet used to provide liquidity on a partner exchange, and was flagged by ethical hacker ZachXBT and later confirmed by CoinDCX’s CEO Sumit Gupta on X.
According to Gupta, no customer funds were affected. The compromised account was segregated from user wallets, and all assets stored in CoinDCX's cold wallet infrastructure remained safe, he said, adding that trading and INR withdrawals continue to function normally. A cold wallet is a type of cryptocurrency storage that is kept disconnected from the internet for safety.
CoinDCX attributed the incident to a “sophisticated server breach.” The compromised account was used for providing liquidity, which requires funds to be actively available, typically in hot wallets that are more vulnerable to hacks. The breach was contained by isolating the affected wallet.
Even short windows of access to a hot wallet can result in massive losses. The anonymous and irreversible nature of blockchain transactions means funds can be moved and laundered quickly, often before teams can respond.
Though crypto platforms operate in a decentralised ecosystem, liability in India is increasingly being determined based on the custodial nature of the platform. An important but not yet explicitly defined distinction in India’s evolving crypto framework is between custodial and non-custodial platforms. Custodial platforms, such as centralised exchanges like CoinDCX and WazirX, hold users' private keys on their behalf.
“Custodial exchanges—where user funds are stored—are expected to maintain high standards of cyber hygiene and may be held accountable for operational negligence, even if customer funds are unaffected,” said Sukrit Kapoor, Partner, King Stubb & Kasiva.
“...the absence of crypto-specific regulations cannot be a defence for poor governance or failure to safeguard digital assets,” he added.
The latest incident occurred almost exactly a year after crypto platform WazirX suffered a $234 million hack.
Crypto platforms remain attractive targets for hackers owing to a combination of technical complexity, regulatory gaps, and limited legal recourse. Crypto firms deal with complex integrations: multiple blockchains, DeFi protocols, third-party custodians, and so on. Each new layer adds more potential vulnerabilities, especially if security isn't uniformly strong across all components.
Also, once funds are moved from a compromised wallet, there's no central authority—like a bank or regulator—to freeze or recover the stolen assets. Crypto exchanges lack centralised oversight or regulation in India, so there’s no way to recover stolen funds.
These repeated incidents underscore the lack of centralised oversight or regulatory protection in India’s crypto landscape. Indian crypto exchanges are not governed by a dedicated RBI or Sebi framework. However, under the IT Act, they must comply with CERT-In (Indian Computer Emergency Response Team) guidelines, which mandate reporting cybersecurity incidents within six hours and maintaining logs and records, said Rahul Hingmire, managing partner, Vis Legis Law Practice.
The lack of crypto-specific laws or regulatory oversight means restitution is highly uncertain, especially when stolen assets are transferred across wallets and jurisdictions, particularly offshore. This caused WazirX to relocate to Panama.
“Panama is a known offshore jurisdiction with weak enforcement channels for foreign judgements, especially in crypto-related matters, making any legal claim from India practically toothless,” said Raheel Patel, partner at Gandhi Law Associates. “Indian regulators and courts may issue orders, but compelling a Panamanian entity with no physical or financial footprint in India to comply is near impossible without reciprocal enforcement treaties—which don’t exist here.”
Previously, victims of crypto hacks had little recourse due to a lack of regulatory clarity and cross-border complications.
However, in March 2023, the Indian government brought virtual digital assets (VDAs), which include cryptocurrencies, under the purview of the Prevention of Money Laundering Act (PMLA). Crypto exchanges must now register with FIU-IND, follow KYC norms, and report suspicious activity. “While these regulations are primarily aimed at preventing money laundering and terror financing, they indirectly impose a degree of accountability and operational diligence on exchanges,” said Rohit Jain, Managing Partner, Singhania & Co.
Nonetheless, recovering lost assets remains unlikely. “Unless the foreign entity has identifiable promoters in India or assets traceable through KYC and banking trails, recovery becomes speculative,” said Rishabh Gandhi, Managing Partner at Rishabh Gandhi and Advocates.