Employee Arrested After $44M Stolen in CoinDCX Hack
A major internal security breach at CoinDCX, one of India's leading cryptocurrency exchanges, has led to the arrest of a 30-year-old software engineer after nearly $44 million was stolen from the company's internal liquidity wallet. The suspect, Rahul Agarwal, was part of the firm's DevOps team and is alleged to have been the entry point for the cyberattack.

The breach occurred in the early hours of July 19. Investigators discovered that the attackers initially tested their access by transferring a small amount of cryptocurrency, just 1 USDT, at around 2:37 a.m. Later that morning, at approximately 9:40 a.m., they executed a large-scale unauthorized withdrawal, diverting the equivalent of $44 million across multiple wallets.
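The probe-then-drain sequence described above (a tiny off-hours test transfer to an unfamiliar address, followed hours later by large withdrawals) is a pattern a treasury-wallet monitoring rule can alert on before the bulk of the funds leave. The following is an added example and not CoinDCX's code; the log format, wallet addresses, dates, amounts and thresholds are all constructed or assumed.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample of outbound transfers from an internal liquidity wallet.
# Addresses, dates and exact amounts are hypothetical; the sequence (a 1 USDT
# probe at 02:37, large withdrawals from 09:40) mirrors the reported timeline.
SAMPLE_LOG = """\
2024-07-18T14:05:00 liq-wallet-1 mm-desk-7 250000.00 USDT
2024-07-19T02:37:00 liq-wallet-1 addr-new-1 1.00 USDT
2024-07-19T09:40:00 liq-wallet-1 addr-new-2 15000000.00 USDT
2024-07-19T09:41:00 liq-wallet-1 addr-new-3 14000000.00 USDT
2024-07-19T09:43:00 liq-wallet-1 addr-new-4 15000000.00 USDT
2024-07-19T11:00:00 liq-wallet-1 mm-desk-7 300000.00 USDT
"""
KNOWN_DESTINATIONS = {"mm-desk-7"}  # allow-listed counterparties (hypothetical)

class Transfer(NamedTuple):
    ts: datetime
    src: str
    dst: str
    amount: float

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, amount, _asset = line.split()
        rows.append(Transfer(datetime.fromisoformat(ts), src, dst, float(amount)))
    return sorted(rows, key=lambda t: t.ts)

def is_off_hours(ts, start=22, end=7):
    return ts.hour >= start or ts.hour < end

def detect_probe_then_drain(transfers, known, probe_max=10.0,
                            drain_min=1_000_000.0, window=timedelta(hours=12)):
    """Flag a tiny off-hours transfer to an unknown address that is followed
    within `window` by large transfers from the same wallet to unknown addresses."""
    alerts = []
    for i, probe in enumerate(transfers):
        if probe.amount > probe_max or probe.dst in known or not is_off_hours(probe.ts):
            continue
        follow = [t for t in transfers[i + 1:] if t.src == probe.src
                  and t.dst not in known and t.ts - probe.ts <= window]
        drained = sum(t.amount for t in follow)
        if drained >= drain_min:
            alerts.append({"wallet": probe.src, "probe_at": probe.ts.isoformat(),
                           "drained": drained,
                           "destinations": sorted({t.dst for t in follow})})
    return alerts
```

In practice the probe alone (an allow-list miss on a treasury wallet outside trading hours) is worth paging on, since by the time the drain condition is met the funds are already gone.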
The breach was traced back to the compromised credentials of Agarwal, whose company-issued laptop is believed to have been infected with malware. According to investigators, the malware was likely delivered through a sophisticated social engineering attempt, possibly disguised as a freelance work offer sent via a messaging app. The attackers reportedly gained full access to internal systems using authentication tokens extracted from Agarwal's compromised device.
During questioning, Agarwal denied any involvement in the theft itself but admitted to moonlighting for external clients and using his office laptop for freelance development work, something that violated the company's internal IT policies. Authorities noted that his bank records showed a suspicious deposit of ₹15 lakh, raising further questions about possible payments received during the lead-up to the breach.
Investigators also confirmed that the attack did not affect customer assets. The wallet that was targeted belonged to CoinDCX's internal liquidity pool, which is used for corporate trading and reserve operations. Despite the significant financial impact, the exchange reassured its users that their funds remained secure and untouched.
CoinDCX has since initiated a full-scale review of its security infrastructure, focusing especially on endpoint vulnerabilities, internal access policies, and employee device management. The firm's leadership emphasized that even advanced digital systems are vulnerable when endpoint devices are misused or improperly monitored.
The arrest has renewed attention on insider threats and the growing sophistication of attacks that rely on human error or manipulation rather than technical flaws. Industry analysts warn that similar attacks are likely to increase, especially as cybercriminals develop more convincing tactics to target individuals within companies who have privileged access.
Authorities continue to investigate the malware's source, the identity of the individual who contacted Agarwal with the freelance offer, and any potential accomplices. Efforts are also underway to trace the stolen funds and recover assets using blockchain analytics, although the use of decentralized platforms and privacy tools may complicate the recovery process.
This incident serves as a stark reminder of the urgent need for stronger internal cybersecurity practices, especially in the high-risk world of digital finance. CoinDCX's ability to contain the damage and rebuild trust will be closely watched by regulators and the crypto community in the weeks ahead.