Overview:

Indian crypto exchange CoinDCX was breached, with attackers stealing wallet credentials and transaction data, causing $1.2M in losses.

Technical Details:

Attack Vector: Exploited CVE-2025-20281 (Cisco ISE injection vulnerability, CVSS 10.0) in a third-party payment gateway’s API endpoint (/admin/XXX) integrated with CoinDCX.
Exploitation: Attackers sent crafted POST requests (Content-Type: application/json) with malicious SQL payloads (‘ OR ‘1’=’1) to bypass input validation, executing arbitrary code. A Cobalt Strike beacon (SHA256: 8f9e4b2c…) was deployed, extracting API keys and session tokens from Redis caches (KEYS *coin*). Stolen credentials initiated unauthorized ERC-20 token transfers via Ethereum smart contracts (transfer(address,uint256)). Proceeds (~$44M USDT) were routed to two wallets (e.g., 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n).
Persistence: Established a scheduled task (coin_transfer_cron) running every 5 minutes via crontab -e, exfiltrating data to a C2 domain (coinxfer[.]top) over port 443.
Impact: 10,000 user accounts compromised, with funds transferred to Tornado Cash. All user funds remain safe in segregated cold wallets, and CoinDCX covers losses from treasury reserves.
AI Angle: AI-driven fuzzing tools generated optimized API payloads, exploiting CoinDCX’s lack of AI-based behavioral analytics for transaction monitoring.

Timeline:

Breach Occurred: July 19, 2025, affecting one internal operational account used for liquidity provisioning on a partner exchange.
Breach Discovered: July 19, 2025, with the affected account isolated swiftly by CoinDCX’s security team.
Reported to Authorities: July 20, 2025, notified relevant authorities (specific bodies not disclosed).
Reported to Customers: July 20, 2025, via a blog post on CoinDCX’s official website, warning against impersonation scams and confirming no customer wallet impact.

FireCompass Mitigation:

FireCompass’s CART platform automates API vulnerability testing, simulating attacks like CVE-2025-20281 to identify vulnerable endpoints. Its AI-driven attack engine prioritizes high-risk APIs, reducing false positives. FireCompass’s ASM discovers exposed APIs and third-party integrations, ensuring comprehensive coverage. Its PTaaS validates payment gateway security, catching misconfigurations.

>> Discover and Secure Your APIs with FireCompass

Action:

Use FireCompass to conduct continuous API penetration testing, integrate with blockchain monitoring for real-time transaction anomaly detection, and validate third-party integrations.

Additional Mitigation:

Apply Cisco’s patch for CVE-2025-20281 (cisco-sa-ise-unauth-rce-ZAd2GnJ6).
Implement API gateway with rate limiting and OWASP-compliant input validation (modsecurity_crs_10_setup.conf).
Deploy AI-driven behavioral analytics (e.g., Darktrace) to detect anomalous crypto transactions.