- The stolen funds are now sitting in a single wallet.
- Cyvers says the breach echoes tactics used by Lazarus Group.
- CoinDCX claims customer assets are safe.
After days of token swaps and cross-chain movement, the attacker behind the CoinDCX hack has consolidated their haul.
Investigators at Cyvers confirmed to DL News that the hacker bridged the stolen assets from Solana to Ethereum using the Mayan Bridge.
The funds are now consolidated in a single wallet holding nearly 11,460 Ethereum worth just under $46 million at the time of publication.
But CoinDCX may not be out of the woods yet.
“Their top priority should be real-time monitoring and preventing a follow-up attack, especially given the risk that the intruder still has access to internal systems,” Deddy Lavid, CEO at Cyvers, told DL News. “We’ve seen it many times — secondary attacks happening days or even weeks later.”
The attack comes as Chainalysis warns that 2025 is on track to become the worst year ever in terms of money stolen from crypto services. Over $2.1 billion in crypto was stolen from such services in the first half of the year.
Incident report
According to CoinDCX’s incident report, released a day after the incident, the exploit targeted a segregated operational account used for liquidity on a partner exchange.
The Indian exchange said the account was isolated soon after the breach, and customer funds remained untouched throughout.
Lavid told DL News the breach likely stemmed from backend misconfigurations and exposed credentials that allowed large-scale transfers to go unnoticed.
He added that the attack bore strong similarities to past exploits attributed to North Korea’s Lazarus Group — including “cross-chain bridging, use of crypto mixer Tornado Cash, and a deep understanding of exchange and liquidity infrastructure.”
Blockchain sleuth ZachXBT, acting on a tip from Cyvers, was the first to publicly flag the suspicious outflows late Saturday, estimating losses of around $44.2 million.
At the time, CoinDCX had yet to comment.
Within hours of his post, the exchange acknowledged the breach and began assuring customers that no user funds were affected.
Kyle Baird is DL News’ Weekend Editor. Got a tip? Email at kbaird@dlnews.com.