Coinbase in talks to acquire CoinDCX amid aftermath of $44 million hack: Report

CoinDCX has been under scrutiny since 19 July, when it disclosed a $44 million crypto theft stemming from a hack that targeted an internal account responsible for providing liquidity

US-based cryptocurrency giant Coinbase is in advanced negotiations to acquire Indian crypto exchange CoinDCX, which is recovering from a recent $44 million security breach, a Mint report said on Tuesday. Two individuals familiar with the matter told Mint that the potential acquisition would value CoinDCX—one of India’s leading exchanges—at below $1 billion, a steep drop from its $2.2 billion valuation in 2021.

Mint’s sources, who requested anonymity, said Coinbase already holds equity in both CoinDCX and its key competitor, CoinSwitch, and views this move as a long-term strategic investment. “Buying CoinDCX at this discounted valuation is essentially a low-cost gamble—positioning itself for potential upside if India’s crypto market eventually matures," one of the individuals told Mint.

While Coinbase did not confirm any acquisition plans to Mint, a company spokesperson said, “We have a bold mission to increase economic freedom globally, and continuously explore opportunities around the world.”

Mint also reported that a plan b is also in action: this means clubbing Coinbase’s investments in CoinDCX and CoinSwitch. Although there are no active discussions yet, one of Mint’s sources suggested that a merger could be on the horizon. CoinSwitch, however, told Mint that it is not engaged in any talks of this nature.

Coinbase, which registered with India’s Financial Intelligence Unit (FIU) in March 2025, is preparing to launch its retail crypto trading operations in India. “India represents one of the most exciting market opportunities in the world today,” John O’Loghlen, Coinbase’s Asia-Pacific Managing Director, told Mint in an earlier interview.

CoinDCX has been under scrutiny since 19 July, when it disclosed a $44 million crypto theft stemming from a hack that targeted an internal account responsible for providing liquidity. While no customer assets were affected, Mint noted that the breach was publicly acknowledged nearly 17 hours after suspicious activity was first flagged by blockchain investigators—unlike global peers such as Binance or Bybit, which usually act within hours.

Defending the delay, CoinDCX wrote in its blog—quoted by Mint—that it prioritised thoroughness over speed: “We chose to be thorough first, then transparent. Once we had a clear picture and had taken all necessary steps to secure the platform, we communicated the facts to our community.”

In response to the breach, the company launched a recovery bounty programme offering up to 25%—about $11 million—of any recovered funds. A similar initiative was launched last year by WazirX after it suffered a $235 million hack, but Mint noted that no user refunds have been issued so far as legal proceedings continue.

Mint cited a forensic analysis by London-based crypto journalist Giuseppe Ciccomascolo, published on CCN.com, which concluded that the attackers likely gained access through backend systems or credentials, not via blockchain-level exploits. The stolen funds were quickly laundered through multiple networks and mixing tools, making recovery extremely challenging.

According to Ciccomascolo, CoinDCX’s reliance on “hot wallets”—internet-connected wallets that provide liquidity but are more vulnerable—was a central factor in the breach. “Hot wallets remain disproportionately used to enable 24/7 liquidity, but these are precisely the assets that get hit,” he noted in the article referenced by Mint. The breach, he argued, exposed weak wallet segregation and an apparent absence of “continuous red-teaming,” a cybersecurity strategy where simulated attacks are used to probe defenses.

Public filings reviewed by Mint reveal that CoinDCX, operated by Neblio Technologies in India, posted profits of Rs 15.5 crore in FY24 and Rs 28 crore in FY23. However, a majority of revenues—approximately 60% in FY24 and 80% in FY23—came from related-party transactions with entities in Singapore (Primestack Pte) and Mauritius (DCX Global). Excluding these, Mint reported, CoinDCX would have been in the red both years.

The company's transparency practices also diverge from international standards. Mint noted that while major global exchanges like Coinbase, Binance, and Kraken now publish third-party verified proof-of-reserves (PoR), CoinDCX’s PoR audits are self-scoped—meaning the company defines what gets audited. This practice drew criticism from fintech expert Jayjit Biswas, who told Mint, “There’s no reason the scope of a reserve audit should be controlled by the company being audited... That’s exactly what’s happening across most Indian exchanges.”

CoinDCX’s latest disclosure from April 2025, reviewed by Mint, revealed that about 28% of assets—roughly $158 million—are held in hot wallets or externally as “partner funds.” This is well above the global benchmark of under 5% for hot wallet exposure, Biswas said, adding, “Such high hot wallet usage would not pass any institutional risk test.”

Mint also revisited last year’s massive WazirX hack, where $235 million was reportedly stolen by North Korean attackers. Investigations by Indian and international agencies—including the FIU, CERT-In, and the Intelligence Bureau—revealed around $41 million in related-party transfers linked to the company’s founders. Mint reported that the Enforcement Directorate froze WazirX’s assets and banks cut off access, effectively crippling its operations.

The broader implication, Mint concluded, is that India's crypto sector continues to suffer from weak governance, transparency gaps, and insufficient security protocols. Pranesh Prakash, principal consultant at Anekaanta and a Yale Law School fellow, told Mint that the core issue is the lack of dedicated consumer protection regulation. “The transparency norms established by regulators like Sebi and RBI are notably absent in India’s crypto sector,” Prakash said.

He emphasised the need for outcome-based regulation rather than the current compliance-focused approach. “Right now, regulators are mostly focused on anti-money laundering, know-your-customer, and tax enforcement,” Prakash told Mint. “But that’s not enough. You need investor protection at the core—whether through insurance, capital buffers, third-party audits, or strict wallet segregation.”

CoinSwitch’s Singhal also highlighted the structural challenges in the sector. In a July 27 post cited by Mint, he said that high taxation and regulatory ambiguity hinder Indian platforms from operating with robust security and compliance. “Security needs serious money,” Singhal wrote. “You need top talent, world-class partners, and you need to stay paranoid every day.”