CoinDCX hack: Freelance job offer may have delivered malware

A CoinDCX engineer was arrested after a $44 million crypto hack. Investigators believe malware from freelance work compromised his office laptop.

An employee of CoinDCX, one of India’s major cryptocurrency exchanges, has been arrested after hackers stole $44 million from the platform earlier this month.

Bengaluru City police have detained 30-year-old Rahul Agarwal, a software engineer at CoinDCX, after investigators linked the breach to his office laptop.

The theft took place on 19 July and caused serious disruption to the exchange’s operations. Investigators say that Agarwal’s login credentials were used to access CoinDCX’s internal systems and move large amounts of digital assets into external wallets.

CoinDCX is operated by Neblio Technologies, which filed a complaint with local authorities and conducted an internal review.

The internal investigation found that Agarwal’s laptop had been compromised. This allowed hackers to gain access to company servers and drain funds. While being questioned by police, Agarwal denied being involved in the theft.

However, he admitted that he had been working part-time for multiple private clients while still employed full-time at CoinDCX.

He also said he had received files from people he worked for as part of these freelance jobs. One of these clients contacted him through a German phone number and sent files over WhatsApp. Agarwal believes that one of these files may have contained malware that infected his device.

According to local media outlet The Times of India, the laptop used in the hack had been issued to Agarwal strictly for office use.

“Rahul was on the permanent rolls of the company and had been given a laptop strictly for office work”, a company spokesperson reportedly told the outlet.

CoinDCX has declined to comment directly on the arrest. In a statement posted to X, CEO and co-founder Sumit Gupta said the company was investigating a “sophisticated social engineering attack”.

He added that the company would not comment further while the police investigation is ongoing.

How the hack took place

The hack unfolded in two key phases. At 2:37 am on 19 July, an unusual transfer of 1 USDT (a dollar-pegged stablecoin) raised early suspicions. 

By 9:40 am, hackers had already moved $44 million into six separate wallets, according to police and company sources.

The stolen funds were not linked to customer accounts. Instead, the hackers accessed an internal operational wallet used by CoinDCX to manage liquidity with another exchange. 

Gupta later confirmed that no user funds were impacted and that the company would cover the losses from its own reserves.

The breach was first noticed publicly by blockchain researcher and investigator ZachXBT, who pointed out that CoinDCX had not yet disclosed the hack nearly 17 hours after it occurred.

Soon after his post, CoinDCX acknowledged the incident and thanked its marketing manager, Suchit Karande, for his efforts in communicating the situation transparently.

After tracing the transactions and examining internal activity logs, the company determined that Agarwal’s account had been used in the unauthorised activity. His laptop, once seized by police, became a central piece of evidence in the case.

Police also found that Agarwal had received around Rs 15 lakh (about $17,000) in unexplained deposits from unknown sources. 

He admitted to working with “three to four private parties” but said he did not know who they were or where the payments had come from.

Investigators now suspect that Agarwal was lured into a trap through what appeared to be a part-time job opportunity. Police believe the attackers posed as clients and convinced him to download malware, which gave them remote access to his device and login credentials.

Agarwal told police that he did not know the files were malicious. However, he admitted to using his office-issued laptop to perform freelance tasks, which was against company policy. CoinDCX confirmed that the laptop had been assigned to him for work purposes only.

What security experts think

The arrest has led to wide debate within the cryptocurrency community. Some people blamed the engineer for his actions, calling his behaviour careless. 

Others argued that Agarwal may have been a victim of a growing problem in the tech world: credential theft through phishing and malware disguised as job offers.

One X user commented, “In that case… he’s the victim, not the villain. Credential theft is real – and so are the gaps in access controls. Let’s fix the system, not just blame the user”.

On the other hand, ZachXBT criticised the engineer for using a company laptop to open files from unknown sources. “Negligence like this should not be tolerated at crypto exchanges handling large funds”, he said.

A report from blockchain security firm Halborn also weighed in on the breach. The firm said the CoinDCX hack was “a classic example of an exchange hack likely involving a compromised private key”.

According to the report, such backend infrastructure attacks are often overlooked during regular security audits, making them attractive to hackers.

A separate post from SlowMist’s founder warned that this type of phishing scam is becoming more common. In a Chinese-language message, he described a scam in which hackers post fake job ads and send candidates a “project template” that contains hidden malware.

If executed, the malicious files can infect devices and steal sensitive data, including login credentials and crypto wallet access.

CoinDCX’s Gupta said that social engineering is one of the most difficult forms of attack to prevent, especially in industries where employees are constantly online and may be contacted by outside parties. 

“We urge the media and the public to avoid speculation or the circulation of unverified information, as it may impede the ongoing investigation”, the company said in a statement.

The company has also launched a Recovery Bounty Programme, offering 25% of the stolen amount – about $11 million – as a reward for anyone who can help track down the stolen funds.

Broader impact and potential buyout

The CoinDCX breach is the second major hack of an Indian crypto exchange in the past year. In July 2024, WazirX lost $230 million in a separate incident that investigators linked to North Korea’s Lazarus Group. 

That attack caused major setbacks for WazirX, which is still struggling to recover after a Singapore court rejected its restructuring plan earlier this year.

Now, CoinDCX is also under pressure. The incident has affected the company’s reputation and dropped its valuation to below $1 billion. 

This has reportedly caught the attention of global exchange Coinbase, which is said to be in talks to acquire CoinDCX as part of its expansion into the Indian market.

According to media reports, Coinbase sees this as a strategic opportunity to enter India by partnering with or buying an already established platform. 

While no deal has been confirmed, the timing suggests that the hack may have triggered fresh discussions around CoinDCX’s future and its ability to continue independently.

As for Agarwal, he remains in police custody as investigations continue. His LinkedIn profile shows that he joined CoinDCX in May 2023 as a senior software engineer, working remotely from Bengaluru. He was promoted to staff engineer in April 2025 and began working on-site.

Authorities are now examining all of his devices and communications to determine whether he knowingly assisted the hackers or was simply a victim of a sophisticated cyberattack. 

The Rs 15 lakh payment and his contact with a German number remain key points of interest for investigators.

As the case unfolds, CoinDCX and law enforcement are urging crypto users and employees to stay alert and avoid opening suspicious files.

The case has already sparked new conversations about security awareness and the risks of unauthorised access in the crypto industry.

About Author

Scarlett D

Scarlett is a passionate NFT and Web3 reporter for CoinNews, where she covers the latest trends and news in the ever-evolving world of non-fungible tokens. With a knack for uncovering hidden gems and an infectious enthusiasm for all things NFT, Scarlett has quickly become a go-to source for crypto collectors and Web3 aficionados alike. Before joining the CoinNews team, Scarlett earned her stripes as a freelance writer, covering topics ranging from blockchain technology to digital art and virtual reality. Her diverse background and keen eye for detail have equipped her with a unique perspective, allowing her to deliver fresh and engaging content that resonates with the rapidly growing NFT community.