Engineer's arrest reveals breach

Although initially concealed by sophisticated tactics, the recent $44 million hack of CoinDCX has been traced to an internal breach involving a software engineer, Rahul Agarwal, whose arrest has shed light on the vulnerabilities inherent in employee-targeted cyberattacks. Agarwal, a 30-year-old with over two years of tenure at CoinDCX, was found to have had access to critical internal systems. The Bengaluru police apprehended him following an internal investigation initiated by Neblio Technologies, the operator behind CoinDCX. While Agarwal denied direct participation in the hack, he acknowledged undertaking freelance assignments from unknown clients, raising questions about potential external influence. Suspicious deposits totaling roughly $17,000 into his bank account further intensified the inquiry. An FIR was filed with Karnataka Police regarding the security breach.

The breach method employed by the perpetrators combined a nuanced social engineering strategy with malware deployment. Attackers masqueraded as recruiters offering freelance work, successfully deceiving Agarwal into installing malicious software on his company laptop. This infiltration gave the attackers unauthorized access to CoinDCX’s internal ecosystem, where they used Agarwal’s compromised credentials to execute illicit transactions. CoinDCX characterized the incident as a “sophisticated social engineering attack,” underscoring the heightened threat posed by employee-targeted cyber intrusions. The initial test transaction was recorded at 2:37 AM on July 19, 2025, involving a nominal transfer of one USDT token, likely to verify access and evade early detection. The theft targeted CoinDCX’s operational wallet used for trading, separate from customer funds. CoinDCX’s CEO has urged the public and media to avoid speculation while the investigation remains ongoing.

Within hours, by 9:40 AM the same day, the assailants had exfiltrated approximately $44 million, dispersing the assets across six distinct cryptocurrency wallets. This rapid execution and asset fragmentation complicated traceability and recovery efforts. Neblio Technologies’ internal probe swiftly identified Agarwal’s compromised device as the breach vector, prompting formal complaints and law enforcement involvement. The company’s CEO highlighted the ongoing risks posed by advanced social engineering techniques, emphasizing the need for rigorous employee credential monitoring and enhanced cybersecurity protocols. Although the full scope of asset recovery remains unclear, this incident marks one of India’s most significant crypto thefts, illustrating critical challenges in securing digital asset platforms against insider threats.
