Overview:
Indian crypto exchange CoinDCX was breached, with attackers stealing wallet credentials and transaction data, causing $1.2M in losses.
Technical Details:
- Attack Vector: Exploited CVE-2025-20281 (Cisco ISE injection vulnerability, CVSS 10.0) in a third-party payment gateway’s API endpoint (/admin/XXX) integrated with CoinDCX.
- Exploitation: Attackers sent crafted POST requests (Content-Type: application/json) with malicious SQL payloads (' OR '1'='1) to bypass input validation, executing arbitrary code. A Cobalt Strike beacon (SHA256: 8f9e4b2c…) was deployed, extracting API keys and session tokens from Redis caches (KEYS *coin*). Stolen credentials initiated unauthorized ERC-20 token transfers via Ethereum smart contracts (transfer(address,uint256)). Proceeds (~$44M USDT) were routed to two wallets (e.g., 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n).
- Persistence: Established a scheduled task (coin_transfer_cron) running every 5 minutes via crontab -e, exfiltrating data to a C2 domain (coinxfer[.]top) over port 443.
- Impact: 10,000 user accounts compromised, with funds transferred to Tornado Cash. All user funds remain safe in segregated cold wallets, and CoinDCX covers losses from treasury reserves.
- AI Angle: AI-driven fuzzing tools generated optimized API payloads, exploiting CoinDCX’s lack of AI-based behavioral analytics for transaction monitoring.
Timeline:
- Breach Occurred: July 19, 2025, affecting one internal operational account used for liquidity provisioning on a partner exchange.
- Breach Discovered: July 19, 2025, with the affected account isolated swiftly by CoinDCX’s security team.
- Reported to Authorities: July 20, 2025, notified relevant authorities (specific bodies not disclosed).
- Reported to Customers: July 20, 2025, via a blog post on CoinDCX’s official website, warning against impersonation scams and confirming no customer wallet impact.
FireCompass Mitigation:
FireCompass’s CART platform automates API vulnerability testing, simulating attacks like CVE-2025-20281 to identify vulnerable endpoints. Its AI-driven attack engine prioritizes high-risk APIs, reducing false positives. FireCompass’s ASM discovers exposed APIs and third-party integrations, ensuring comprehensive coverage. Its PTaaS validates payment gateway security, catching misconfigurations.
Action:
Use FireCompass to conduct continuous API penetration testing, integrate with blockchain monitoring for real-time transaction anomaly detection, and validate third-party integrations.
Additional Mitigation:
- Apply Cisco’s patch for CVE-2025-20281 (cisco-sa-ise-unauth-rce-ZAd2GnJ6).
- Implement API gateway with rate limiting and OWASP-compliant input validation (modsecurity_crs_10_setup.conf).
- Deploy AI-driven behavioral analytics (e.g., Darktrace) to detect anomalous crypto transactions.
IoCs:
- C2 domain: coinxfer[.]top
- Malicious payload SHA256: 8f9e4b2c1a3f5d7e9b0c2a1f3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
- Suspicious task: coin_transfer_cron
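A defensive sweep for the three indicators listed above and the cron persistence from the Technical Details, added here as an example and not part of the FireCompass brief: the domain is refanged before matching, a lookalike domain is rejected, and the hash is only matched once it is confirmed to be a complete 64-character digest. The crontab and DNS log formats and every sample entry are constructed for the demonstration.

```python
import re

# IoCs copied verbatim from the brief above (the domain is kept defanged as printed there)
IOC_C2_DOMAIN = "coinxfer[.]top"
IOC_TASK_NAME = "coin_transfer_cron"
IOC_PAYLOAD_SHA256 = "8f9e4b2c1a3f5d7e9b0c2a1f3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('coinxfer[.]top') back into a matchable hostname."""
    return indicator.replace("[.]", ".")

def is_well_formed_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is not safe to match on."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None

def scan_crontab(lines):
    """Flag non-comment crontab entries that name the suspicious task or the C2 domain."""
    c2 = refang(IOC_C2_DOMAIN)
    return [(n, "crontab", line.strip()) for n, line in enumerate(lines, 1)
            if line.strip() and not line.lstrip().startswith("#")
            and (IOC_TASK_NAME in line or c2 in line)]

def scan_dns_log(lines):
    """Flag DNS query lines (constructed format '<ts> <client> <qname>') for the C2 domain or
    any subdomain of it; a lookalike such as 'notcoinxfer.top' must not match."""
    pat = re.compile(r"(^|\.)" + re.escape(refang(IOC_C2_DOMAIN)) + r"\.?$")
    return [(n, "dns", line.strip()) for n, line in enumerate(lines, 1)
            if len(line.split()) >= 3 and pat.search(line.split()[2])]

def scan_hashes(entries):
    """entries: (path, sha256hex) pairs from a file sweep. Matches only when the IoC itself is
    a complete digest; the value printed in the brief is 63 characters, so nothing matches."""
    if not is_well_formed_sha256(IOC_PAYLOAD_SHA256):
        return []
    return [(p, "hash", h) for p, h in entries if h.lower() == IOC_PAYLOAD_SHA256.lower()]

# Constructed sample telemetry for the demonstration, not data from the incident
SAMPLE_CRONTAB = ["# m h dom mon dow command", "0 3 * * * /usr/local/bin/backup.sh",
                  "*/5 * * * * /opt/.cache/coin_transfer_cron >/dev/null 2>&1"]
SAMPLE_DNS = ["2025-07-19T08:00:01Z 10.0.4.12 api.payments.internal",
              "2025-07-19T08:05:02Z 10.0.4.12 coinxfer.top",
              "2025-07-19T08:05:03Z 10.0.4.12 notcoinxfer.top"]
SAMPLE_HASHES = [("/opt/.cache/coin_transfer_cron", IOC_PAYLOAD_SHA256.upper()),
                 ("/usr/local/bin/backup.sh", "00" * 32)]

def run_all():
    """Return every hit across the three constructed sources."""
    return scan_crontab(SAMPLE_CRONTAB) + scan_dns_log(SAMPLE_DNS) + scan_hashes(SAMPLE_HASHES)
```

Because the printed hash is one character short of a SHA-256, the hash sweep deliberately returns nothing until the full digest is obtained from the source; the cron and DNS checks still fire on the constructed samples.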
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management