The $44 million exploit targeting India-based crypto exchange CoinDCX has been linked to North Korea’s Lazarus Group, according to blockchain security firm Cyvers.
In a July 21 statement shared with CryptoSlate, Cyvers CEO Deddy Lavid said the attackers followed a pattern reminiscent of previous Lazarus operations. The tactics included using cross-chain bridges and Tornado Cash to conceal fund movements, a hallmark of the notorious hacking group.
North Korea links
Lavid further noted that the centralized exchange exploit and precise understanding of liquidity provisioning strongly indicate the involvement of an experienced and highly coordinated threat actor.
On July 19, the Indian-based crypto trading platform reported that it was exploited after attackers gained unauthorized access to internal accounts used for liquidity provisions with another platform.
Lavid elaborated on the method of attack, suggesting that the hackers likely gained backend access through exposed API keys, system misconfigurations, or overly permissive credentials. Once inside, they used legitimate account permissions to move assets from Solana to Ethereum before laundering the funds through Tornado Cash.
He added:
“Although the compromised account was segregated from user wallets, its operational privileges were sufficient to execute large-scale fund movements without triggering immediate alarms.”
Meanwhile, the sophistication of the attack bears the hallmark of the North Korea-linked group, which continues to dominate the scene for its incessant attacks on the emerging industry.
Notably, the group stole more than $1.6 billion during the first half of the year and was responsible for the Bybit hack.
Bounty offer
In response to the attack, CoinDCX launched a bounty program on July 21, offering up to 25% of any recovered funds as a reward. Depending on the success of recovery efforts, the reward could amount to as much as $11 million.
CoinDCX CEO Sumit Gupta said the initiative aims to incentivize white-hat hackers, researchers, and blockchain firms to assist in tracking and retrieving the stolen assets. He stated:
“More than recovering the stolen funds, what is important for us is to identify and catch the attackers, because such things shouldn’t happen again, not with us, not with anyone in the industry.”
Meanwhile, Gupta also emphasized that the company was covering the loss through its corporate treasury and reiterated that user funds were unaffected.
