Coinbase circles CoinDCX after $44 mn crypto heist

A deal may value CoinDCX, one of India’s largest crypto exchanges, at less than a billion dollars, sharply below its peak valuation of $2.2 billion three years ago, the people cited above said on the condition of anonymity. If completed, the acquisition would mark a deeper push by Coinbase into India, where it already owns stakes in CoinDCX and rival CoinSwitch.

“Coinbase sees this as a long-term strategic bet,” one of the two people cited above said. “Buying CoinDCX at this discounted valuation is essentially a low-cost gamble—positioning itself for potential upside if India’s crypto market eventually matures.”

Coinbase declined to comment specifically on the acquisition talks. “We have a bold mission to increase economic freedom globally, and continuously explore opportunities around the world to build, buy, partner, and invest to accelerate our roadmap,” a spokesperson said in response to a query.

A second option under consideration involves combining Coinbase’s stakes in both CoinDCX and CoinSwitch, India’s most valuable crypto exchange. While no formal talks are underway, the person cited above said a merger of the two portfolio companies “is likely, but not yet on the table.”

CoinSwitch said it is not in active talks about a merger with CoinDCX. “We don’t have active conversations in this regard at this time,” co-founder Ashish Singhal said. “We believe competition is good and it will ultimately benefit users.”

Coinbase, which registered with India’s Financial Intelligence Unit in March this year, is preparing to roll out retail crypto trading in the country. “India represents one of the most exciting market opportunities in the world today,” John O’Loghlen, Coinbase’s Asia-Pacific managing director, said in March. If the CoinDCX deal closes, it would mark the company’s most significant bet yet on India.

Crypto theft

On 19 July, CoinDCX reported a crypto theft of $44 million, after hackers targeted an internal account used to provide liquidity to customers. No customer funds were lost.

Though blockchain sleuths had noted suspicious activity soon after the breach, CoinDCX disclosed the matter nearly 17 hours later, unlike global firms such as Binance and Bybit, which have disclosed such incidents instantly. According to the company’s own incident blog, the breach occurred on 19 July and was publicly confirmed at 2:30pm IST the next day.

On the delay in reporting, the company blog said: “We chose to be thorough first, then transparent. Once we had a clear picture and had taken all necessary steps to secure the platform, we communicated the facts to our community.”

In response, CoinDCX launched a recovery bounty programme, offering up to 25%—about $11 million—of any funds recovered. The company stressed its intent to rebuild trust after the breach.

Crypto exchange WazirX, which was hacked last year, had also announced a $23 million bounty to recover stolen assets. But users are yet to receive any of their assets, as court proceedings drag on.

A forensic analysis by Giuseppe Ciccomascolo, a London-based crypto and finance journalist, published on CCN.com, said attackers had likely compromised backend servers or internal credentials, rather than exploiting blockchain-level vulnerabilities. The stolen funds were then moved rapidly across blockchain networks and put through mixing services to obscure their trail, complicating recovery efforts.

“Hot wallets remain disproportionately used to enable 24/7 liquidity, but these are precisely the assets that get hit,” said Ciccomascolo. A hot wallet is a crypto wallet that is connected to the internet, which makes it convenient for frequent transactions, but also makes it more susceptible to online threats. The breach, Ciccomascolo wrote, was not just a technical lapse but indicative of “weak segregation practices” and a broader absence of “continuous red-teaming”—a standard cybersecurity approach where simulated attacks are used to identify weaknesses before real ones are exploited.

Finances

Public filings by Neblio Technologies, which operates CoinDCX in India, show reported profits of 15.5 crore in FY24 and 28 crore in FY23; however, a significant portion of its revenues, around 60% in FY24 and 80% in FY23, is derived from services provided to its affiliated entities, Primestack Pte in Singapore and DCX Global in Mauritius. If these are excluded, Neblio would have posted losses in both years.

CoinDCX’s reporting practices differ from global norms on crypto exchange transparency. Major international players like Coinbase, Kraken, and Binance have moved toward regular third-party proof-of-reserves (PoR) disclosures, auditor-reviewed liabilities, and open wallet attestations. In contrast, CoinDCX’s PoR reports follow a format where the scope of the audit is defined by the company itself.

“There’s no reason the scope of a reserve audit should be controlled by the company being audited,” said fintech and crypto expert Jayjit Biswas. “The moment you do that, you eliminate any pretence of independence. And that’s exactly what’s happening across most Indian exchanges.”

CoinDCX declined to comment beyond its public blog posts. “We have already shared all the details of the incident as well as our financial health transparently through our blogs,” a company spokesperson said.

CoinDCX’s April 2025 disclosure said that roughly 28% of assets, or about $158 million, were held externally, classified as “partner funds” or hot wallets. According to Biswas, that figure stands far above the global best practice of sub-5% exposure for internet-connected wallets. “Such high hot wallet usage would not pass any institutional risk test,” Biswas said.

Broader concerns

In July 2024, WazirX—then the country’s largest crypto exchange—suffered a massive $235 million hack attributed to North Korean cybercriminals. The attack triggered investigations by the FIU, CERT-In and the Intelligence Bureau, and even drew judicial scrutiny in Singapore. Investigations uncovered approximately $41 million in related-party payments linked to founder-controlled entities, raising questions about internal controls and corporate governance, according to Reuters. The Enforcement Directorate froze its assets, and the exchange faced banking restrictions, paralyzing large parts of its operations.

The breaches at these exchanges have triggered broader concerns about the governance, transparency, and security practices of Indian crypto platforms.

Pranesh Prakash, principal consultant at Anekaanta and an affiliated fellow at Yale Law School’s Information Society Project, argued that the heart of the problem lies in the absence of clear consumer protection regulation. “The transparency norms established by regulators like Sebi and RBI are notably absent in India’s crypto sector,” Prakash said. “There is currently no framework focused specifically on investor safety and disclosure standards.” Prakash suggested a more outcomes-based approach to oversight.

Security analysts say both incidents point to the same foundational problem: liquidity is being managed with high-risk practices.

Prakash called for a complete philosophical reorientation of crypto regulation. “Right now, regulators are mostly focused on anti-money laundering, know-your-customer, and tax enforcement,” he said. “But that’s not enough. You need investor protection at the core—how it’s achieved can vary: through insurance, minimum capital buffers, third-party audits, or strict wallet segregation. But unless you define outcomes, you’ll never fix inputs.”

CoinSwitch co-founder Singhal has been among the most vocal about the structural handicaps facing Indian crypto firms. In a 27 July post, he argued that excessive taxes and regulatory uncertainty have made it nearly impossible for Indian platforms to operate with the same security and compliance rigour as their global counterparts. “Most startups don’t have the luxury of funding, high margins, or scale, and it affects the ecosystem’s ability to invest in security and grow,” Singhal wrote. “Security needs serious money. You need top talent, world-class partners, and you need to stay paranoid every day.”

