
Unveiled: True Cause Behind CoinDCX's $44 Million Hack

CoinDCX's alleged $44 million hack, according to Bengaluru police, was a result of malware and social engineering, with a staff engineer reportedly involved. An employee has been apprehended as the investigation continues.

Unauthorized Access: Uncovering the True Cause behind CoinDCX's $44 Million Loss through Cyber Theft


In a shocking turn of events, Bengaluru police have identified the possible cause of the $44 million crypto heist at Indian cryptocurrency exchange CoinDCX. The attack, it seems, is linked to North Korea's Lazarus Group, a state-backed hacking organization notorious for carrying out large-scale cyberattacks to generate revenue for the regime, particularly through cryptocurrency thefts.

The compromised device at CoinDCX triggered the breach of the internal wallet systems at Neblio Technologies, the CoinDCX operator. Investigators believe the attackers were able to move funds from the CoinDCX account by using the login credentials of a CoinDCX software engineer, Rahul Agarwal, to access the firm's systems. The hackers reportedly delivered the malware in the guise of a part-time job, which Agarwal allegedly installed on his company laptop.

The attack involved the exploitation of cross-chain bridges and the use of Tornado Cash to obscure fund flows. Lazarus Group, known for its advanced tactics such as deploying malware written in languages like Nim (NimDoor malware), exploiting social engineering, and compromising open-source software supply chains for persistence and credential theft, is a credible suspect given its historical pattern and advanced capabilities in targeting crypto firms.

Despite the suspicions, there is no direct, publicly available confirmation pointing to Lazarus Group's role in the CoinDCX heist. However, their involvement in major crypto thefts, including the $1.4 billion stolen from the ByBit exchange in February 2025, lends credence to the theory.

In a bid to recover the stolen assets, CoinDCX has launched an $11 million bounty initiative. Meanwhile, Agarwal has been detained for his alleged link to the hack, and his company-owned device has been seized as part of the investigation.

Contrary to rumors, CoinDCX has refuted claims of a Coinbase buyout, with CEO Sumit Gupta publicly debunking such claims. Hyperliquid, another crypto platform, also clarified that an API outage they recently experienced was due to a spike in traffic, not a hack.

As the investigation continues, the cryptocurrency community awaits updates on the recovery of the stolen assets and the identification of the perpetrators behind this high-profile heist.

Financial investigators are examining the use of Tornado Cash in the CoinDCX heist, given the hackers' advanced tactics, which resemble those previously used by Lazarus Group. The techniques involved in the attack, exploiting cross-chain bridges and using social engineering to compromise a company laptop, bear similarities to tactics employed by the North Korean cybercrime group.
