July 18th, 2024. Exactly one year and one day after WazirX—one of India’s largest cryptocurrency exchanges—suffered a devastating hack, lightning struck twice. This time it was CoinDCX, India’s largest exchange, that found itself compromised. But what happened next would reveal something far more important than the technical details of either breach.
Two exchanges. Two hacks. Two completely different approaches to crisis management that would ultimately determine not just the fate of millions of users’ funds, but the future of India’s entire cryptocurrency ecosystem.
The story of CoinDCX and WazirX offers one of the most compelling case studies in modern cryptocurrency crime—not just for what happened but also for how each exchange chose to handle the aftermath. Their contrasting responses reveal fundamental truths about trust, transparency, and survival in an industry where a single security breach can destroy decades of reputation building.
When transparency isn’t enough: the WazirX disaster
July 18, 2023, started like any other day for WazirX users. By evening, $235 million had vanished—42% to 45% of the exchange’s total assets compromised in what would become one of India’s most devastating crypto hacks. But the real drama was just beginning.
WazirX did something that many exchanges don’t: they immediately went public. Within hours, statements flooded social media and news outlets. The exchange acknowledged the hack, engaged with users, and appeared to embrace the transparency that the crypto community demands during crises. It seemed like textbook crisis management.
Then came the decisions that would define their legacy.
Rather than absorb the losses or find alternative solutions, WazirX implemented what we have called “socialized loss”—a euphemistic term for making all users pay for the hack. Every account, whether affected by the breach or not, had 45% of their holdings frozen. Crypto, fiat, everything locked away indefinitely.
The exchange then did something even more puzzling. They reopened trading the next day with artificial discounts—crypto prices 15% below market rates. Users, thinking they’d found a bargain, deposited additional funds to buy “cheap” crypto, only to have those funds frozen as well when the full extent of the situation became clear.
But the transparency that had initially earned them praise began to work against them. Inconsistencies emerged in their narrative. Court filings in Singapore revealed the hack affected 40-42% of funds, not the initially reported 45%. For a $500 million exchange, that 5% difference represents tens of millions of dollars. Users began asking uncomfortable questions about where their money actually was.
The corporate structure became increasingly murky. WazirX was owned by Zenmai Labs, which was 99% owned by a Singapore entity called Zetai Private Limited. The remaining 1% belonged to founder Nischal Shetty. Then suddenly, a new entity appeared – Zensui, registered in Panama – which WazirX claimed actually owned the frozen assets.
Singapore courts weren’t impressed. They rejected the first restructuring application, explicitly stating that WazirX was “hiding facts” from them. Meanwhile, users who tried to voice their concerns on social media found their accounts blocked. Reports emerged of the exchange allegedly paying influencers to generate positive PR while their own customers’ funds remained locked.
More than a year later, those funds are still frozen. WazirX promises to return 90% of frozen assets, but based on current token prices, users are looking at recoveries closer to 50-60% of their original deposits. They’ve essentially paid for the exchange’s security failure out of their own pockets.
The CoinDCX approach: silence, then radical transparency
Fast forward exactly one year and one day to July 19, 2024. Lightning struck twice in India’s crypto scene, but this time it hit CoinDCX, the country’s largest exchange. $44 million disappeared from operational wallets, but this time, the response would be entirely different.
CoinDCX said nothing.
Shortly after, zachxbt mentioned the hack first when it happened and it took ~17 hours for the official confirmation. Users continued trading, unaware that their exchange had been compromised. It was only when blockchain analysts began posting their findings on social media that the truth emerged—CoinDCX had been hacked, and they hadn’t told anyone.
The crypto community’s initial reaction was predictably harsh. Here was another exchange following the old playbook of trying to hide bad news and hope it goes away. But what happened next surprised everyone.
Instead of doubling down on secrecy, CoinDCX pivoted to radical transparency—but only about the investigation, not the money. Within 24 hours of the public revelation, they had cooperated with police to arrest the employee who had inadvertently caused the breach. The CEO took to Twitter to explain exactly how the hack had occurred, down to the specific social engineering tactics used.
The story they revealed was both sophisticated and eerily familiar to security professionals. One of their employees had been approached on Telegram by someone claiming to offer freelance work for €15,000. The offer came from a German phone number and seemed legitimate. The employee, looking to earn extra income, agreed to take on the project.
The crucial mistake? He used his company laptop for the freelance work. Embedded within the seemingly innocent project files was malware that provided attackers with access to CoinDCX’s operational systems. It was a textbook example of social engineering—patient, targeted, and devastatingly effective. Forensic specialists such as Ondology Labs have stressed how endpoint forensics on compromised devices is often as critical as blockchain tracing, since it clarifies whether insider culpability or remote exploitation is at play.
But here’s where CoinDCX’s approach diverged dramatically from WazirX. Rather than asking users to absorb the loss, the exchange immediately announced they would cover all missing funds from their own reserves. No socialized losses, no frozen accounts, no complex restructuring plans. Users’ funds remained intact while the exchange bore the full cost of the security failure.
They also announced something unprecedented in crypto crime recovery: a bounty program offering 25% of any recovered funds to anyone who could help trace and return the stolen assets. Given the $44 million theft, this meant potential rewards reaching $11 million—by far the largest bounty program in crypto history at the time.
The regulatory vacuum that enables attacks
Both hacks occurred within India’s peculiar regulatory environment, which may not be coincidental. The country has created a paradoxical situation where crypto trading is legal and heavily taxed – 30% on profits with no offset for losses – but comprehensive regulation remains absent.
Indian exchanges operate under a unique constraint that makes them particularly attractive targets. Users can deposit fiat currency and trade cryptocurrencies, but they cannot withdraw crypto from the platform. All transactions must ultimately convert back to fiat, creating a custodial model where exchanges hold enormous amounts of cryptocurrency on behalf of users who cannot take self-custody.
This regulatory approach, intended to maintain control over crypto adoption, has created exactly the opposite of its intended effect. By forcing centralized custody, it has created honeypots that attract the world’s most sophisticated criminal organizations.
The timing is particularly notable when compared to neighboring Pakistan. For years, Pakistan had virtually no crypto regulations, making it another attractive target for criminal groups. But just months before these hacks occurred, Pakistan created the Pak Crypto Council, and on 11 July 2025 formally implemented comprehensive crypto regulations through an ordinance establishing the Pakistan Virtual Assets Regulatory Authority (PVARA) and introducing exchange licensing requirements.
The contrast is stark. Countries with clear regulatory frameworks provide exchanges with legal clarity, consumer protection mechanisms, and law enforcement support. Countries with regulatory ambiguity leave their domestic crypto businesses as “sitting ducks,” as one expert put it—attractive targets with limited state protection.
This creates a perverse incentive structure for international criminal organizations. Why target a well-regulated exchange in Switzerland or Singapore, where authorities will rapidly deploy resources to investigate and prosecute, when you can target an exchange in a jurisdiction where the government views crypto skeptically and may not prioritize investigation?
Following the money: North Korean connections and sophisticated laundering
The FBI’s attribution of the WazirX hack to North Korean state actors, specifically the Lazarus Group, adds another layer of complexity to these cases. Technical analysis suggests the CoinDCX hack may have been conducted by the same or related groups, making this potentially a coordinated campaign against Indian crypto infrastructure.
Lazarus Group has evolved far beyond the relatively crude cryptocurrency thefts of the early blockchain era. Their operations now demonstrate sophisticated understanding of both technical vulnerabilities and human psychology. The social engineering attack against CoinDCX—using freelance work opportunities to deliver malware—represents a significant evolution in their tactics.
But the technical theft is only the beginning. The real challenge for these criminal organizations is converting stolen cryptocurrency into usable resources. For North Korean state actors, this means funding sanctioned weapons programs and regime operations through one of the most monitored financial systems in the world.
The money laundering process reveals its own sophistication. Initial funds flow through mixing services like Tornado Cash, designed to break the transaction trail on public blockchains. But this is just the first step in a multi-stage process that can take months or years to complete.
From mixers, funds typically distribute across hundreds or thousands of smaller wallets, creating a complex web that requires significant resources to untangle. These wallets then connect to established money laundering networks that have been operating for years, complete with conversion points, cash-out mechanisms, and distribution channels.
What’s particularly striking about the current cases is that the laundering process is still ongoing. More than 30 days after the CoinDCX hack, fund movements continue to be detected and analyzed. This extended timeline actually provides opportunities for investigation and intervention, but it also demonstrates the patience and sophistication of the underlying criminal infrastructure. Ondology Labs [ea3]has highlighted how combining blockchain fund-flow analysis with traditional forensic investigation creates the strongest chance of interrupting laundering networks before assets exit into fiat channels.
The conversion challenge remains the critical chokepoint. Stolen cryptocurrency is worthless if it cannot be converted into real-world resources. Understanding and disrupting these conversion networks represents the best opportunity to deter future attacks, but it requires sustained international cooperation and resources that often exceed what any single jurisdiction can provide.
Lessons from the Bybit standard and industry evolution
The cryptocurrency industry has been learning, sometimes painfully, how to handle security breaches. Earlier in 2024, Bybit suffered a significant hack and their response became something of a gold standard for crisis management in crypto.
Investigation partners like Ondology Labs [ea4]emphasise that recovery incentives work best when coupled with rigorous forensic readiness, meaning evidence gathered can be admissible in multiple jurisdictions.
Bybit’s approach combined immediate acknowledgment, rapid forensics reporting, clear communication about attack vectors, and proactive law enforcement engagement. Their initial response earned widespread praise from the crypto community and helped maintain user confidence during a difficult period.
However, even Bybit’s well-regarded initial response highlighted the challenge of sustained crisis management. Long-term execution often proves more difficult than immediate response, and maintaining stakeholder confidence requires consistent performance over months, not hours.
The evolution of recovery incentives tells its own story about industry maturation. WazirX’s initial bounty program offered 5% of stolen tokens plus $10,000—an offer widely criticized as inadequate and potentially indicating that recovery wasn’t a serious priority. After significant community backlash, they gradually increased their offerings, but the damage to credibility was already done.
CoinDCX learned from this experience and immediately announced their 25% bounty program. The crypto community’s response was immediate and positive—finally, an exchange that seemed serious about recovery efforts. Bybit’s own 10% bounty program for their $1.5B hack had set expectations for meaningful recovery incentives. The difference in community reaction highlighted how bounty programs serve not just as recovery tools but as signals of an exchange’s commitment to making users whole.
The trust equation and its consequences
Perhaps the most fascinating aspect of comparing these two cases is how they demonstrate that the hack itself may be less important than the response. Both exchanges suffered significant breaches that were technically preventable. Both lost substantial sums that would challenge any business. But their post-incident trajectories could not be more different.
WazirX’s initial transparency advantage evaporated as the complexity of their recovery plan became clear. The socialized loss approach, while perhaps financially necessary for the exchange’s survival, placed the burden of the security failure directly on users who had done nothing wrong. The corporate structure revelations and inconsistent communications further eroded trust.
More than a year later, WazirX users remain trapped in a recovery process with no clear end date and diminishing prospects for full restitution. The exchange continues operating, but under a cloud of suspicion and with a significantly reduced user base.
CoinDCX’s trajectory has been markedly different. Their initial lack of disclosure was problematic and drew justified criticism. However, their subsequent actions—immediate user protection, full cooperation with law enforcement, detailed technical disclosure, and industry-leading recovery incentives—have largely rehabilitated their reputation.
The contrast illustrates a fundamental principle in crisis management: trust takes years to build but can disappear overnight. However, it can sometimes be rebuilt through consistent action that demonstrates genuine commitment to stakeholder interests over organizational self-preservation.
Implications for the broader crypto ecosystem
The ripple effects of these incidents extend far beyond the exchanges themselves. For India’s crypto adoption story, the outcomes have been largely negative. The combination of punitive taxation, restrictive regulations, and high-profile security failures has created an environment where users are increasingly skeptical of crypto investments.
The custodial model forced by Indian regulations means users cannot take self-custody of their assets, leaving them entirely dependent on exchange security. When that security fails, as it inevitably sometimes will, users have no recourse except hope that the exchange chooses to make them whole.
This dynamic has contributed to declining crypto adoption in India despite the country’s strong technological infrastructure and young, tech-savvy population. Users who might otherwise be enthusiastic crypto adopters are instead moving away from the space entirely, viewing the risks as unacceptable given the limited upside potential.
For international observers, these cases offer crucial insights into how regulatory approaches can either strengthen or weaken their domestic crypto ecosystems. Clear regulations, while sometimes constraining innovation, provide predictability and recourse that benefit all stakeholders. Regulatory ambiguity, conversely, creates vulnerability that sophisticated criminal organizations will inevitably exploit.
The cases also highlight the evolution of crypto crime itself. Early cryptocurrency thefts were often opportunistic and technically focused. Modern operations like those attributed to Lazarus Group demonstrate sophisticated understanding of human psychology, organizational behavior, and international law enforcement limitations.
Looking forward: prevention and preparation
The cryptocurrency industry’s response to these incidents will likely shape its development trajectory for years to come. Exchange operators are already implementing lessons learned from both positive and negative examples.
Employee training programs are evolving to address social engineering tactics that go beyond traditional phishing attempts. The CoinDCX case demonstrates that criminals are willing to invest significant time and resources in targeting individual employees with sophisticated, personalized approaches.
Technical security measures continue to advance, but the human element remains the most challenging to secure. Organizations are implementing stricter policies around personal device usage, side employment, and access to sensitive systems. However, balancing security with employee autonomy and satisfaction remains an ongoing challenge.
Crisis communication strategies are also evolving. The industry has learned that immediate acknowledgment, while sometimes painful, generally produces better outcomes than attempted concealment. However, the quality of ongoing communication matters as much as the initial response.
Recovery mechanisms represent another area of rapid evolution. Bounty programs have become standard practice, but their design and implementation significantly affect their effectiveness. The industry is still learning how to structure incentives that actually improve recovery prospects rather than merely providing public relations benefits.
Conclusion: Maturity through adversity
The contrasting stories of CoinDCX and WazirX represent more than just different approaches to crisis management—they illustrate a maturing industry learning to handle the challenges that come with managing billions of dollars in digital assets under constant threat from sophisticated adversaries.
WazirX’s initial transparency was commendable, but their long-term execution demonstrates the danger of prioritizing exchange survival over user protection. The socialized loss approach, while perhaps necessary for the exchange’s continued operation, fundamentally violated the trust relationship between the platform and its users.
CoinDCX’s delayed disclosure was problematic and deserved criticism. However, their subsequent actions—immediate user protection, radical transparency about the investigation, and unprecedented recovery incentives—demonstrate a different model for handling security failures.
The regulatory environment that enabled both attacks remains largely unchanged, suggesting that similar incidents are likely in the future. However, the industry’s response to each incident continues to evolve, with exchanges increasingly recognizing that reputation recovery requires putting user interests above organizational convenience.
For the cryptocurrency industry more broadly, these cases reinforce several crucial principles: preparation is more valuable than reaction, transparency builds more trust than secrecy, and user protection should take priority over exchange preservation.
As the industry continues to mature, the distinction between exchanges that understand these principles and those that don’t will likely determine market leadership in the years to come.
Watch our detailed analysis: Crystal Intelligence experts Nick Smart and Rajat Ahlawat break down both hacks in our comprehensive video analysis.
Learn more about crypto crime investigation: See how Crystal’s blockchain analytics platform helps exchanges, law enforcement, and compliance teams investigate and prevent crypto crime. Request a platform demo to explore our investigation capabilities.
