
CoinDCX Cryptocurrency Exchange Breach

Overview:

Indian crypto exchange CoinDCX was breached, with attackers stealing wallet credentials and transaction data, causing $1.2M in losses.

Technical Details:

  • Attack Vector: Exploited CVE-2025-20281 (Cisco ISE injection vulnerability, CVSS 10.0) in a third-party payment gateway’s API endpoint (/admin/XXX) integrated with CoinDCX.
  • Exploitation: Attackers sent crafted POST requests (Content-Type: application/json) with malicious SQL payloads (' OR '1'='1) to bypass input validation, executing arbitrary code. A Cobalt Strike beacon (SHA256: 8f9e4b2c…) was deployed, extracting API keys and session tokens from Redis caches (KEYS *coin*). Stolen credentials initiated unauthorized ERC-20 token transfers via Ethereum smart contracts (transfer(address,uint256)). Proceeds (~$44M USDT) were routed to two wallets (e.g., 6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n).
  • Persistence: Established a scheduled task (coin_transfer_cron) running every 5 minutes via crontab -e, exfiltrating data to a C2 domain (coinxfer[.]top) over port 443.
  • Impact: 10,000 user accounts compromised, with funds transferred to Tornado Cash. All user funds remain safe in segregated cold wallets, and CoinDCX covers losses from treasury reserves.
  • AI Angle: AI-driven fuzzing tools generated optimized API payloads, exploiting CoinDCX’s lack of AI-based behavioral analytics for transaction monitoring.

Timeline:

  • Breach Occurred: July 19, 2025, affecting one internal operational account used for liquidity provisioning on a partner exchange.
  • Breach Discovered: July 19, 2025, with the affected account isolated swiftly by CoinDCX’s security team.
  • Reported to Authorities: July 20, 2025, notified relevant authorities (specific bodies not disclosed).
  • Reported to Customers: July 20, 2025, via a blog post on CoinDCX’s official website, warning against impersonation scams and confirming no customer wallet impact.

FireCompass Mitigation:

FireCompass’s CART platform automates API vulnerability testing, simulating attacks like CVE-2025-20281 to identify vulnerable endpoints. Its AI-driven attack engine prioritizes high-risk APIs, reducing false positives. FireCompass’s ASM discovers exposed APIs and third-party integrations, ensuring comprehensive coverage. Its PTaaS validates payment gateway security, catching misconfigurations.

>> Discover and Secure Your APIs with FireCompass

Action

Use FireCompass to conduct continuous API penetration testing, integrate with blockchain monitoring for real-time transaction anomaly detection, and validate third-party integrations.

Additional Mitigation:

  • Apply Cisco’s patch for CVE-2025-20281 (cisco-sa-ise-unauth-rce-ZAd2GnJ6).
  • Implement an API gateway with rate limiting and OWASP-compliant input validation (modsecurity_crs_10_setup.conf).
  • Deploy AI-driven behavioral analytics (e.g., Darktrace) to detect anomalous crypto transactions.

IoCs:

  • C2 domain: coinxfer[.]top
  • Malicious payload SHA256: 8f9e4b2c1a3f5d7e9b0c2a1f3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2
  • Suspicious task: coin_transfer_cron
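The indicators listed above, together with the tautology-style SQL payload and the cron persistence described under Technical Details, can be turned into a simple triage sweep. The script below is an added example and not part of the original post or of any FireCompass tooling; the log lines, crontab dump and file hashes it scans are constructed samples, and it assumes proxy logs record the destination host in plain text and that request bodies are URL-encoded.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the IoC section of the write-up (domain is defanged there).
C2_DOMAIN = "coinxfer[.]top"
PAYLOAD_SHA256 = "8f9e4b2c1a3f5d7e9b0c2a1f3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2"
CRON_TASK_NAME = "coin_transfer_cron"
# Tautology marker from the incident (' OR '1'='1), whitespace- and case-tolerant.
SQLI_PATTERN = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as coinxfer[.]top into a matchable domain."""
    return indicator.replace("[.]", ".")


def find_c2_connections(proxy_lines: list[str]) -> list[str]:
    """Return proxy log lines whose destination is the C2 domain (port 443 expected)."""
    domain = refang(C2_DOMAIN)
    return [ln for ln in proxy_lines if domain in ln]


def find_persistence(crontab_text: str) -> list[str]:
    """Return crontab entries that reference the scheduled task named in the report."""
    return [ln for ln in crontab_text.splitlines() if CRON_TASK_NAME in ln]


def find_sqli_attempts(access_lines: list[str]) -> list[str]:
    """Return access-log lines carrying the tautology payload, decoding URL escapes first
    so an encoded body (%27%20OR%20...) is not missed."""
    return [ln for ln in access_lines if SQLI_PATTERN.search(unquote_plus(ln))]


def match_hashes(file_hashes: dict[str, str]) -> list[str]:
    """Return file paths whose SHA256 equals the beacon hash from the IoC list."""
    return [p for p, h in file_hashes.items() if h.lower() == PAYLOAD_SHA256]


# Constructed sample telemetry for a dry run; these are not real logs from the incident.
SAMPLE_PROXY = [
    "2025-07-19T02:14:05Z srv-pay01 CONNECT coinxfer.top:443 bytes=48213",
    "2025-07-19T02:14:06Z srv-pay01 CONNECT api.partner.example:443 bytes=1200",
]
SAMPLE_CRONTAB = ("*/5 * * * * /usr/local/bin/coin_transfer_cron >/dev/null 2>&1\n"
                  "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf")
SAMPLE_ACCESS = [
    "POST /admin/XXX HTTP/1.1 body=%7B%22user%22%3A%22%27%20OR%20%271%27%3D%271%22%7D",
    "POST /admin/XXX HTTP/1.1 body=%7B%22user%22%3A%22alice%22%7D",
]
SAMPLE_HASHES = {"/tmp/.x/beacon": PAYLOAD_SHA256, "/usr/bin/ls": "deadbeef" * 8}
```

Each function returns only the matching records, so the sweep can be pointed at real exports of the same shape and its hits fed into a ticket or SIEM rule.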

Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.

>> FireCompass Free Trial


Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.