Post-₹378 cr cyberattack, CoinDCX launches bug bounty program offering over ₹94 cr reward

Following the $44.2 million (around ₹378 crore) cyberattack on its operational account, crypto exchange CoinDCX has announced a 'bug bounty program', offering up to 25% of the recovered assets or $11 million as a reward for anyone providing actionable information to recover the stolen funds.

In a call to all ethical hackers, white-hat researchers, and partners across the ecosystem, CoinDCX said those helping it recover the funds will receive up to $11 million (over ₹94 crore) if the full amount is recovered. "Bug Bounty Program Details: 25% of all successfully recovered funds will be awarded to partners who play an active role in retrieving the stolen cryptocurrency from the incident and assist in the identification and conviction of the attackers. Bounty Pool Potential: Up to $11 million in the scenario of a full recovery."

The company said its program is not just about recovering funds, but also about rallying the Web3 community in the fight against cybercrime. "This is not just about us. This is about standing up for what’s right, for the safety, transparency, and future of the entire Web3 ecosystem. It’s a war against cybercrime," says the company.

“CoinDCX is committed to using this incident to strengthen defences, reinforce transparency, and work with the best minds in the industry to make recovery real and replicable,” said Neeraj Khandelwal, Co-founder, CoinDCX. “We are collaborating with the exchange partner to block and recover assets. At the same time, we are launching a bounty program,” he added.

As an update, the Mumbai-based exchange said most of its funds reside in two wallets: one holding 155,830 SOL (~$27.6M USD) and the other (View Wallet ETH) holding ~4,443 ETH (~$15.7M USD).

CoinDCX's cybersecurity partners, including Sygnia, zeroShadow, and Seal911, are helping it trace the funds. "We are also appreciative of the collaborative approach from Solana Foundation, Superteam, and our bridge partners Wormhole and deBridge."

Those interested in participating in the recovery bounty program can contact the company via email at bountyprogram@coindcx.com. "We will continue publishing verified updates as new traces and patterns emerge."

Almost exactly a year after India's then-largest crypto exchange WazirX was hacked, resulting in the theft of crypto assets worth $235 million, CoinDCX on Sunday confirmed one of its internal operational accounts was compromised by a cyberattack, though it clarified that customer funds were completely safe and all trading activity and ₹ withdrawals were fully operational.

The Mumbai-based crypto exchange also said the compromised account was used "exclusively" for liquidity provisioning on a partner exchange. The incident was also flagged by an ethical hacker, ZackXBT, on a forum, saying CoinDCX was drained for around $44.2 million almost 17 hours ago. CoinDCX said its treasury will bear these losses. Khandelwal also assured yesterday that the CoinDCX team was working tirelessly to firefight the situation and would get to the depths of the incident.