Stolen $44 million from CoinDCX: employee under arrest


In India, the July 19 security breach at CoinDCX led to the arrest of one of its staff engineers after the theft of $44 million in digital assets.

How did the $44 million theft on CoinDCX occur?

During the night between July 18 and 19, CoinDCX systems were accessed without authorization. An unknown actor first transferred 1 USDT to an external wallet as a test, then proceeded to the real heist: $44 million moved to six different wallets. Internal sources confirm that the attack was carried out using the credentials of Rahul Agarwal, an engineer hired in May 2023 and promoted to staff engineer in April 2025.

The CoinDCX team published a thread of 9 tweets explaining in detail how the $44 million hack occurred. Source: X

The operation was made possible by the installation of malware on Agarwal’s company laptop, presumably hidden in files related to his side work. CoinDCX found that the employee had been working as a freelancer for four private clients, despite a policy prohibiting the use of company devices for outside work.

Who is Rahul Agarwal and why did the police arrest him?

Rahul Agarwal, 30 years old, worked as a DevOps engineer for CoinDCX for over two years, based in Bengaluru. His promotion to staff engineer was very recent, and the police detained him in the hours following the incident.

Rahul Agarwal had been a Staff Engineer at CoinDCX for only a few months. Source: LinkedIn

The investigators have seized his work laptop and begun forensic examination. Agarwal denied any direct involvement in the theft, but admitted to using the company computer for outside work, which was the opening exploited by the social engineering attack.

CoinDCX, through its CEO, has not publicly confirmed the arrest, but has issued a statement explaining that the investigation into a sophisticated social engineering attack is still ongoing and prevents more specific statements to the press.

What happened technically? Why is it an unprecedented case?

According to information gathered by Neblio Technologies, the operator of CoinDCX, the attack exploited a “classic” social engineering technique: the criminals convinced Agarwal to install malicious software, probably under the guise of a fake freelance job or through phishing emails. The malware then gave the attackers full access to an internal server account dedicated to providing liquidity to another exchange.

The exchange explained that no user funds were affected; the loss concerns corporate reserves used for inter-exchange liquidity management. However, the reputational damage and the amount at stake are a significant warning about how exposed even a major operator can be.

What are the implications for CoinDCX, users, and the crypto sector?

According to the CEO of CoinDCX, this crisis highlights the very high, and often underestimated, risk of targeted attacks on employees.

“Many of the most modern threats target engineers and system administrators, not just centralized IT structures,”

he stated. The breach did not compromise users’ crypto positions, but it affected resources used to operate the platform (for example, inter-exchange transfers).

According to CoinDCX, the consequences will be far-reaching: a review of all IT policies, temporary suspension of some functionalities and, inevitably, a phase of replenishing the lost reserves. If the malware-plus-social-engineering route is confirmed as the sole cause, it will set a precedent for the entire Indian crypto ecosystem.

What does CoinDCX say after the 44 million theft?

The official communication is exceedingly cautious. The exchange’s security team has initiated, in collaboration with the authorities, extensive internal audits and investigations into individual and process responsibilities. The company emphasized that private keys and users’ assets have remained protected throughout, although the incident forces the entire sector to “radically rethink” its defenses against human risk.

According to what was reported by the CEO:

“the attack is of high complexity and follows an international trend of violations induced through social engineering and imprudent management of workstations.”

How are the authorities moving and what are the future risks?

Bengaluru City police and representatives of Neblio are still analyzing the seized devices. There are currently no direct links between Agarwal and the hackers, but the compromised access chain originates from unauthorized activity on the employee’s laptop. An official report has been filed for aggravated theft and unauthorized access to financial computer systems.

On the systemic level, this case requires exchanges to review permissions, monitoring, device policy, and the habits of their teams, with particular attention to freelance activities, plug-ins, extensions, and files shared with employees. It is a warning that also bears on the new compliance rules required by the Indian government.

What happens now: impact, prospects, and tension in the crypto world

The future of CoinDCX remains dependent on the outcomes of the investigation and especially on the reputational impact on the users. In the short term, no user funds appear to be compromised, but the loss of trust could lead to mass movements towards other services. The crypto sector must now deal with the “human” risk as the main attack vector. The CoinDCX case shifts the focus from automated systems to individuals and processes.

It will be interesting to see, and the authorities know it, which policies exchanges and DeFi companies will adopt to strengthen themselves after this wave of large-scale social engineering. Follow the developments, both on the official X profile and in the main Telegram channels, for updates and insights.