In July 2024, India’s largest crypto exchange lost nearly half of everything it held in a single afternoon. Almost exactly a year later, CoinDCX, the country’s largest exchange by volume, watched roughly $44 million drain out of an internal wallet in minutes. Both attacks bore the hallmarks of the same North Korea–linked threat actor. Both became case studies in how centralised crypto infrastructure fails.
The instinctive question is whether Indian exchanges are uniquely unsafe. They are not; Coinbase, the benchmark this piece uses, has been breached too. The more useful question is what separates an exchange that survives a breach with its users whole from one that leaves customers in bankruptcy court. The answer comes down to four things: security architecture, the enforceability of accountability, operational transparency, and the financial capacity to absorb a loss.
And it produces an uncomfortable finding for the “buy local” instinct: on the dimension that matters most — accountability you can verify rather than take on trust — the structural advantage belongs not to whichever exchange is most Indian, but to whichever one is most exposed to enforceable public disclosure. As it happens, that is the foreign, publicly listed one.
The baseline: how India’s two biggest exchanges got hacked
WazirX: The ~$234.9 million multisig failure (July 2024)
On July 18, 2024, WazirX — then India’s largest exchange — disclosed that one of its multisig wallets had been compromised. The loss of roughly $234.9 million amounted to about 45% of the exchange’s holdings.
The attack was not crude. The wallet used a multisignature arrangement administered through third-party custody provider Liminal, requiring multiple WazirX signatories plus a Liminal signature. The attackers, funded via the Tornado Cash mixer eight days earlier, engineered a discrepancy between what signatories saw on the interface and what they were actually approving — and used it to push through a malicious upgrade to the wallet’s underlying smart contract. Once the contract was hostile, the wallet was drained.
Two caveats matter for accuracy. First, attribution: forensic firms including Elliptic linked the heist to the Lazarus Group, but the public attribution rests on tactical similarities and on-chain tracing, not a confession or indictment — it should be read as a strong, evidence-based inference, not a settled fact. Second, the custody failure point is contested: an independent audit by Grant Thornton later concluded the breach did not originate from Liminal’s own infrastructure, and the precise root cause remains disputed.
What followed was not a quick reimbursement. WazirX entered a court-supervised restructuring through its Singapore parent, Zettai. An initial creditor vote held between 19-28 March 2025 saw 93.1% of voting creditors (representing 94.6% in value) approve the original scheme, but the Singapore High Court rejected it in June 2025 over compliance concerns under Singapore’s Financial Services and Markets Act 2022. The court ordered a revote on an amended scheme. In August 2025, 95.7% of voting creditors (representing 94.6% in value) — roughly 149,559 creditors holding $206.9 million in approved claims — backed the amended scheme. The Singapore High Court sanctioned the scheme in October 2025.
Under the creditor-approved scheme, affected users are due 85.5% of their balances within ten business days of the scheme taking effect, with the remaining 14.5% addressed through recovery tokens, and Indian entity Zanmai Labs taking over distribution. Trading resumed in late 2025. For customers, the practical outcome was more than a year of frozen funds and legal uncertainty.
CoinDCX: The ~$44.2 million server breach (July 2025)
On July 18–19, 2025, CoinDCX disclosed that roughly $44.2 million had been taken from an internal operational wallet used for liquidity provisioning on a partner exchange.
The mechanics differed from WazirX’s. This was an infrastructure-level compromise: attackers reached an internal hot wallet, ran a small test transaction, then moved roughly $44 million in stablecoins across Solana before bridging to Ethereum — within minutes. (CoinDCX described it as a “sophisticated server breach”; some forensic reporting points to social engineering of an employee device as the entry vector.) As with WazirX, the trail began with Tornado Cash and the tactics were linked to Lazarus.
Here the outcome was materially better on the dimension that counts: no customer funds were lost. CoinDCX’s architecture kept customer assets in segregated cold storage; the breach hit only a company-funded operational account, and CoinDCX absorbed the loss from its own treasury, kept the platform running, and opened a recovery bounty of up to 25% (worth approximately $11 million) of any funds recovered through information provided.
It drew fair criticism on one axis — disclosure speed. The breach surfaced not from CoinDCX but from on-chain investigator ZachXBT, roughly 17 hours after the fact. For an exchange built on a transparency brand, the gap between detection and disclosure became part of the story.
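The test-then-drain sequence described for the CoinDCX breach (a small test transaction, then large outflows within minutes) is the kind of pattern a hot-wallet monitoring rule can flag. The following Python detector is an added example, not CoinDCX's or any vendor's code; the wallet names, destination labels, thresholds and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Transfer:
    ts: datetime
    wallet: str   # internal hot wallet label (hypothetical)
    dest: str     # destination label or address (hypothetical)
    usd: float

# Assumed thresholds; tune to the wallet's normal behaviour.
PROBE_MAX_USD = 10.0
DRAIN_MIN_USD = 1_000_000.0
WINDOW = timedelta(minutes=15)

def find_probe_then_drain(transfers, allowlist):
    """Flag wallets where a tiny transfer to a non-allowlisted destination
    is followed, within WINDOW, by large outflows to non-allowlisted ones."""
    ordered = sorted(transfers, key=lambda t: t.ts)
    alerts, alerted = [], set()
    for i, probe in enumerate(ordered):
        if (probe.dest in allowlist or probe.usd > PROBE_MAX_USD
                or probe.wallet in alerted):
            continue
        burst = [t for t in ordered[i + 1:]
                 if t.wallet == probe.wallet
                 and t.dest not in allowlist
                 and t.ts - probe.ts <= WINDOW]
        total = sum(t.usd for t in burst)
        if total >= DRAIN_MIN_USD:
            alerts.append({"wallet": probe.wallet,
                           "probe_ts": probe.ts,
                           "drained_usd": total,
                           "dests": sorted({t.dest for t in burst})})
            alerted.add(probe.wallet)  # one alert per wallet
    return alerts

def _t(hhmm, wallet, dest, usd):
    h, m = map(int, hhmm.split(":"))
    return Transfer(datetime(2025, 1, 1, h, m), wallet, dest, usd)

# Constructed sample records, not real incident data.
ALLOWLIST = {"partner-exchange"}
SAMPLE = [
    _t("09:00", "ops-hot-1", "partner-exchange", 2_500_000.0),  # routine
    _t("14:02", "ops-hot-1", "unknown-A", 1.0),                 # probe
    _t("14:05", "ops-hot-1", "unknown-A", 20_000_000.0),
    _t("14:07", "ops-hot-1", "unknown-B", 24_000_000.0),
    _t("10:00", "ops-hot-2", "unknown-C", 5.0),                 # probe, but...
    _t("16:00", "ops-hot-2", "unknown-C", 3_000_000.0),         # ...outside window
]

if __name__ == "__main__":
    for alert in find_probe_then_drain(SAMPLE, ALLOWLIST):
        print(alert)
```

A rule like this only narrows the detection gap if it pages someone or pauses withdrawals automatically; the window and thresholds have to sit well inside the minutes the drain itself takes.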
The false comfort: everyone’s parent is offshore
Here is the fact that reframes the entire “local versus foreign” debate. None of India’s three leading exchanges is, at the level where value and control actually sit, an Indian company.
- CoinDCX’s brand, technology and intellectual property are owned by DCX Global Limited, incorporated in Mauritius — the entity in which Coinbase is taking a minority stake. The Indian company, Neblio Technologies, is the operating arm.
- CoinSwitch reports through Chain Labs Pte Ltd in Singapore (under the PeepalCo brand, which also houses the equities platform Lemonn). Its Indian presence runs through Bitcipher Labs LLP and Nextgendev Solutions.
- WazirX is a two-entity structure — Zettai Pte Ltd in Singapore and Zanmai Labs in India — with its ownership history (and a disputed Binance acquisition) still unresolved.
So when an Indian user “chooses local,” they are usually choosing an Indian operating company sitting beneath a Mauritius or Singapore parent. Coinbase, for its part, is a US parent operating in India through a local, FIU-registered footprint. Once you see this clearly, “Indian versus foreign” stops being the meaningful axis. All four are foreign-parented. What differs is something else entirely.
The real divide: enforceable disclosure versus voluntary disclosure
The distinction that survives scrutiny is corporate, not national: Coinbase is a publicly listed company (Nasdaq: COIN); the others are private. That single difference cascades into everything users care about after a breach.
Because it is public, Coinbase is legally compelled to disclose material incidents, on a clock, in filings anyone can read. It did exactly that on May 15, 2025, when it filed a Form 8-K describing a data-theft incident. The same regime makes the cost of that incident verifiable rather than self-reported: Coinbase’s Q2 2025 quarterly filing booked roughly $307 million in platform-related incident expense for the first half of the year — voluntary customer reimbursements plus legal costs — a number sitting in an SEC document, not a blog post.
A private exchange, however well run, cannot offer this. Its disclosures are discretionary; its incident costs are whatever it chooses to publish; its reserves are attested when and how it decides. India’s exchanges register with the Financial Intelligence Unit (FIU-IND), comply with anti-money-laundering rules, and report incidents to CERT-In — WazirX did notify both after its breach — but there is no Indian equivalent yet to a continuous, enforceable, public-market disclosure regime.
This is the honest version of the argument: Coinbase’s edge here is structural, not a moral virtue. It is not that Coinbase is more honest by character; it is that it operates inside a system where honesty is compelled and verifiable. Being public cuts both ways, too — Coinbase’s own regulatory disputes and losses also play out on the public record, where a private firm’s would not. The point for a user is simply that verifiable beats voluntary when your money is on the line.
Financial resilience: Where the numbers say something surprising
“Can the company eat the loss and keep you whole?” is a question hard figures can answer — and the answer contains a twist.
| Latest full-year figures (FY25, ended March 2025) | CoinDCX (Neblio, India) | CoinSwitch (Chain Labs, Singapore) | WazirX |
|---|---|---|---|
| Operating revenue | ₹559.6 Cr (+43% YoY) | ₹129.5 Cr (+219%, off a small base) | No clean figure; in restructuring |
| Net result | Profit ₹1.7 Cr | Loss ₹333.1 Cr (more than doubled); group profitable in Q2 FY26 | Court-supervised recovery |
| Breach exposure / outcome | Absorbed ~$44M; customers untouched | Own systems not breached; absorbed ~$7.6M of user assets stuck on WazirX | Could not absorb ~$234M; users in court |
The twist sits in CoinDCX’s own accounts. The Indian operating entity earned a net profit of just ₹1.7 crore in FY25. A company making ₹1.7 crore cannot absorb a roughly ₹370-crore ($44 million) loss out of that entity. It absorbed it at the group and treasury level — annualised group revenue of around ₹1,179 crore ($141 million), assets under custody above ₹10,000 crore ($1.2 billion), and a valuation near $2.45 billion.
In other words, the financial resilience that protected CoinDCX’s users lives offshore, in the Mauritius-anchored group, not in the Indian company on the FIU register. That does not diminish the achievement; the architecture worked and customers lost nothing. But it underlines the theme: even the resilience users are trusting is a function of the broader corporate structure, not of an exchange’s Indian-ness.
WazirX sits at the opposite pole: a loss it could not absorb, resolved through years of court process. CoinSwitch sits in between. Its own systems were not breached, but it held user assets on WazirX when that exchange was hacked: it recognised a loss of roughly $6.4 million (with a further provision), absorbed the hit rather than passing it to users, launched a ₹600 crore “CoinSwitch Cares” recovery programme, and secured court approval to pursue recovery of funds stuck on WazirX. In October 2025, the Bombay High Court directed Zanmai Labs to provide a bank guarantee of approximately ₹45 crore (~$5.4 million) to protect CoinSwitch’s claim against the WazirX restructuring’s collective loss-sharing. Financially, it ran a widening loss in FY25 before stating it returned to group-level profitability in Q2 FY26, so its balance-sheet resilience is improving but, on a breach of its own, genuinely untested.
Where India’s exchanges win, even after Coinbase’s June 2026 reentry
A benchmark that ignored product experience would be both incomplete and dishonest, because this is where the home-market platforms lead.
Coinbase launched directly in India on 1 June 2026 with IMPS-based INR rails, a local order book, spot trading, and perpetual futures, closing what had been the single largest product gap separating it from the home-market platforms. An Indian retail user with rupees in an Indian bank account can now actually use Coinbase as their primary on-ramp, which was not true until two days before publication. That is the most consequential development in this comparison since the events it benchmarks.
But INR rails are necessary, not sufficient. The Indian exchanges have spent years building advantages that survive Coinbase’s arrival. CoinDCX and CoinSwitch are built for India in ways Coinbase is not. Both offer direct INR deposits and withdrawals through the rails Indians actually use, both have built tax-reporting tooling tailored to the 30% crypto tax and 1% TDS regime, and CoinSwitch’s aggregator-style interface is among the most beginner-friendly on-ramps in the market. CoinSwitch is ISO/IEC 27001:2022 certified and FIU-IND registered, and its most recent proof-of-reserves disclosure showed the large majority of crypto assets held in custodial or in-house wallets, with a small fraction on partner exchanges. On localisation, payment rails, cost for the local market and India-specific compliance tooling, the Indian exchanges lead. Coinbase will need time in India to match the operational depth that comes from years of FIU-IND engagement.
Both statements are now true at once: Coinbase leads on enforceable accountability and institutional-grade custody and, as of June 1, 2026, on direct INR access; the Indian exchanges lead on India-specific product maturity, tax tooling, beginner UX, and the operational depth that comes only from years of local market presence. A reader should weigh them according to what they are optimizing for, and recognize that the gap on local fit has narrowed, while the gap on enforceable accountability remains structural.
Coinbase under fire: An honest record, not a clean one
A benchmark has to examine the standard-bearer under stress, not in theory. Coinbase has been breached at least twice, and it is important not to call its record “clean.”
In 2021, attackers exploited a flaw in its SMS account-recovery flow to reach at least 6,000 customer accounts; Coinbase patched the flaw and reimbursed affected customers. In May 2025, overseas support contractors were bribed to pull customer data — names, contact details, masked Social Security and bank identifiers, government-ID images, and balance snapshots. Critically, by design, the breach reached no passwords, private keys or funds; the personnel involved never had access to funds in the first place.
What distinguishes the response is the combination, not any single act: Coinbase had already detected and removed the personnel through its own monitoring; it refused the attackers’ ransom demand (reported at $20 million); it disclosed via SEC filing; it committed to reimburse customers tricked into sending funds; and it stood up a US-based support hub to reduce reliance on the contractors who were the attack vector.
Its custody posture is the architectural backdrop to all of this: Coinbase holds approximately 98% of customer funds in offline cold storage; Coinbase Custody Trust Company is a fiduciary under New York State banking law and a Qualified Custodian, and maintains SOC 1 Type II and SOC 2 Type II audits by Deloitte & Touche. It was also the first crypto custodian to deploy defence-grade Cross Domain Solution systems.
The fair comparison is careful. CoinDCX, like Coinbase, kept customer funds safe and absorbed its loss — a strong outcome on its own terms, and arguably better fund-protection than WazirX achieved. Where Coinbase pulls ahead is that all of it — funds protected, rapid disclosure, verifiable cost, reimbursement — is enforceable rather than discretionary.
What this means for an Indian user
Most Indians will not self-custody their crypto. Running your own keys is unforgiving, and for the majority the practical choice will remain a custodial exchange. That makes the relevant question not “decentralized versus centralized,” but which custodian’s accountability you can actually verify.
On that test, a publicly listed, continuously audited operator carries a different risk profile than a privately held one — its disclosures are compelled, its incident costs are on the public record, and its custody sits within a regulated fiduciary structure. With Coinbase’s direct INR rails now live in India (launched June 1, 2026 via IMPS, alongside spot and perpetual-futures trading and a local order book, though on a phased rollout that some users initially could not access), that framework is, for the first time, available to Indian retail users with rupees in an Indian bank account.
Two honest caveats belong here. No operator is breach-proof; the case is about what surrounds a breach, not its impossibility. And the home-market exchanges retain real advantages in local product, fees and tax tooling that a security-and-accountability lens does not capture. The realistic conclusion is not “abandon local exchanges,” but: for a user who weighs verifiable accountability and regulated custody above local-product maturity, a publicly listed operator is now a credible primary option in India — provided their account has full access.
The bottom line
When Coinbase is breached, customer funds sit untouched by design, disclosure is compelled and prompt, the financial impact is publicly auditable, and reimbursement runs through a regulated framework. India’s exchanges have closed part of this gap — CoinDCX’s segregated cold storage worked, and its users lost nothing, which is meaningful progress and the opposite of WazirX’s outcome.
But the full package — architecture plus enforceable accountability plus verifiable transparency plus financial resilience — is where the standard still sits with the public-company model. For the Indian industry, the path to closing the remaining gap runs less through better technology, which is largely a solved lesson, and more through accountability infrastructure: independent continuous audits, enforceable disclosure timelines, and a regulated-custody framework that turns “trust us” into “verify us.”
That is the standard worth benchmarking against.
Disclosure: Coinbase is an investor in CoinDCX, holding a minority stake in CoinDCX’s parent entity, DCX Global Limited (a transaction approved by the Competition Commission of India in December 2025). Coinbase Ventures has also previously invested in CoinSwitch. Readers should weigh this when assessing a comparison that names all three.
Disclaimer: This article is for informational purposes only and does not constitute financial, investment, or legal advice. Comparisons reflect publicly available information as of the publication date; exchange security postures and regulatory standings evolve. Always do your own research. The Crypto Times does not endorse any specific exchange.




