Bug bounty program
Triaged by HackenProof

CoinDCX Recovery Bounty Program

Company: CoinDCX
Ended
Program left 170 days ago

CoinDCX is India’s leading and most trusted cryptocurrency exchange, serving over 15 million users with a wide range of digital assets and trading solutions.

1. Incident Overview

On July 19, 2025, CoinDCX confirmed that one of its internal operational hot wallet accounts was compromised through a server‑side breach, resulting in an unauthorized withdrawal of approximately $44.2 million USDC/USDT. All customer funds remained fully secure in segregated cold wallets. The team has launched an $11 million recovery bounty program offering up to 25% of any recovered funds for actionable intelligence leading to asset recovery or vulnerability remediation.

For full details, read the incident report here: https://coindcx.com/blog/announcements/incident-report-july-19-2025/

2. Focus Area

This bounty program, launched in the aftermath of the July 19, 2025 CoinDCX exploit, offers a reward of up to $11 million USD (up to 25% of any recovered funds) for actionable intelligence that directly contributes to the freezing or recovery of stolen assets.

The bounty is open to security researchers, blockchain analysts, white‑hat hackers, and community members worldwide. Submissions will be eligible for rewards only if the provided information leads to successful recovery. Publicly available data, speculative reports, or generic wallet addresses without actionable follow‑up will not qualify. Read the full bounty program details here: https://coindcx.com/blog/announcements/coindcx-launches-indias-largest-recovery-bounty-in-crypto/

Program Details

Bounty Reward: Up to 25% of all successfully recovered funds.

Potential Pool: Up to $11 million, if full recovery is achieved.

Objective: Reward program participants who assist in locating, securing, and retrieving these funds back to CoinDCX.

This is open to ethical hackers, white-hat researchers and anyone committed to making crypto safer.

Qualification details

12.5% to the entity that assists in freezing the funds. To qualify for the reward, the freeze must be the first effective and sustained restriction that remains active until the funds are successfully recovered.

12.5% to the first reporters who helped trace the funds up to the stage of successful freezing.

Please note that the bounty will be paid once select/all frozen assets have been recovered. A participant can fulfil both roles and be eligible for the bounty reward.

3. Where do things stand

All balances of wallets as of 9:40 AM IST, 30 July 2025:

0xEF0c5b9E0E9643937D75C229648158584A8CD8D2 : $46,214,573.8 : https://intel.arkm.com/explorer/address/0xEF0c5b9E0E9643937D75C229648158584A8CD8D2

FjHQU798zWpUUQ3J3U2dadc6xSgsoJx61skyKLQNrkme : $1.19 : https://intel.arkm.com/explorer/address/FjHQU798zWpUUQ3J3U2dadc6xSgsoJx61skyKLQNrkme

6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n : $2.17 : https://intel.arkm.com/explorer/address/6peRRbTz28xofaJPJzEkxnpcpR5xhYsQcmJHQFdP22n

Cmb8R9Zuo3SBt6PBNoYLtMrTtrMGm2k6xJeYs68pdXfg : $58.15 : https://intel.arkm.com/explorer/address/Cmb8R9Zuo3SBt6PBNoYLtMrTtrMGm2k6xJeYs68pdXfg

CFyirkSrwxmtGYM1AYJkexrcNmGfYLZnjwbJwvs3AvcZ : $174.42 : https://intel.arkm.com/explorer/address/CFyirkSrwxmtGYM1AYJkexrcNmGfYLZnjwbJwvs3AvcZ

E48J4WuXAxfp76KVsSb7J7C4jQEdfp5HMvfnFE9v62FU : $1.61 : https://intel.arkm.com/explorer/address/E48J4WuXAxfp76KVsSb7J7C4jQEdfp5HMvfnFE9v62FU

3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu : $2.59 : https://intel.arkm.com/explorer/address/3btch8cSVp3Uh2SiY9DeiRNYUBmFiBNHZQzDyecJs7Gu

4. Rewards

Reward Range: up to $11,000,000 (success-based)

Reward Criteria:

  • Rewards are paid only after actionable information results in a successful fund freeze/recovery.
  • Reports or screenshots without actionable next steps will not be eligible. This will be at the discretion of CoinDCX.
  • 12.5% ($5.5 M) to the entity that assists in freezing the funds. To qualify for the reward, the freeze must be the first effective and sustained restriction that remains active until the funds are successfully recovered.
  • 12.5% ($5.5 M) to the first reporters who helped trace the funds up to the stage of successful freezing.

Example Impact: Major asset recovery and/or freezing of stolen funds
Reward (USD): Up to $11,000,000

5. Program Rules

  • Avoid actions that disrupt CoinDCX operations or services
  • No denial-of-service, spam, or social engineering attacks
  • Perform testing within defined scope only
  • Do not target unrelated systems or user accounts
  • All reports must include clear steps, links, or data to validate claims
  • Rewards are issued only after successful outcome of provided intelligence
  • Bounties will be paid proportionate to the amount recovered, and out of those returned funds only.
  • Payouts will be made directly to the contributor’s wallet address within 2-4 weeks.
  • Bounty payouts are not automatic and will be done on request.
  • Each request is audited and verified.
  • "Proof/Evidence" for bounty allocation means the final wallet address belonging to the party that executed the freezing of assets.
  • The value of frozen funds is calculated based on the hourly opening price on CoinDCX (UTC+5:30) at the exact hour the asset was frozen.

6. Disclosure Guidelines

  • Do not disclose any vulnerabilities or bounty submissions publicly without explicit CoinDCX approval
  • No partial or full public discussion of ongoing cases
  • All communication must remain private via HackenProof platform

7. Eligibility & Coordinated Disclosure

  • Only the first valid reporter of a unique finding will be rewarded
  • All submissions must be reported exclusively via HackenProof
  • Must include all supporting details (transaction hashes, logs, technical reproduction, etc.)
  • Must comply with applicable laws during research and submission

8. Response Type (SLA)

  • First Response: 2 days (By Triage)
  • Triage Time: 1 week (7 days)
  • Resolution Time: 6-8 weeks (dependent on freeze/recovery/verification action) — 60 days
  • Reward Time: 4 weeks after resolution (90 days in total)

Rewards

Range of bounty: $0 - $11,000,000

Severity:

  • Critical: $0 - $11,000,000
  • High: $0
  • Medium: $0
  • Low: $0

Stats

  • Scope Review: 23324
  • Submissions: 48
  • Total rewards: $0

Project types: CEX

SLA (Service Level Agreement)

Time within which the program's triage team must respond (Response Type: Business days):

  • First Response: 2d
  • Triage Time: 7d
  • Reward Time: 90d
  • Resolution Time: 60d