On July 26, 2025, Bengaluru’s Whitefield CEN Crime Police arrested Rahul Agarwal, a 30‑year‑old software engineer employed at CoinDCX, one of India’s largest cryptocurrency exchanges. He lives in Carmelaram, Bengaluru, and originally hails from Haridwar, Uttarakhand.
Agarwal joined CoinDCX over two years ago. Initially working remotely in the DevOps domain, he was promoted in April 2025 to the role of Staff Engineer, operating onsite from Bengaluru.
The Heist: ₹384 crore (≈ $44 million) Crypto Theft
In the early hours of July 19, 2025, a suspicious transfer of 1 USDT (a stablecoin worth about $1) occurred at 2:37 AM, triggering internal alarms at CoinDCX.
By around 9:40 AM, the attackers had siphoned off approximately $44 million (≈ ₹379–₹384 crore), moving assets across six separate wallets.
CoinDCX later clarified that the funds came from an internal operational wallet used for liquidity coordination, not from customer accounts—so user holdings remained uncompromised.
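The sequence described above, a 1 USDT probe to a new address followed within hours by large outflows to several wallets, is a pattern an exchange's outbound-transfer monitoring can flag at the probe stage, before the bulk movement. The following is an added example and not CoinDCX's code or any detail from the investigation; the transfer records are constructed to mirror the reported timeline, and the wallet names, allow-list, thresholds and per-destination amounts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    ts: datetime   # time of the outbound transfer
    wallet: str    # source (operational) wallet
    dest: str      # destination address
    usd: float     # USD value of the transfer

KNOWN = {"0xmarketmaker"}  # destinations this wallet is expected to pay (assumed)

# Constructed records mirroring the reported sequence: a 1 USDT probe to a new
# address at 02:37, then large outflows to six unseen addresses by ~09:40.
# Per-destination amounts are assumed; only the ~$44M total follows the report.
SAMPLE = [
    Transfer(datetime(2025, 7, 19, 1, 0), "ops-hot-1", "0xmarketmaker", 0.5),
    Transfer(datetime(2025, 7, 19, 2, 37), "ops-hot-1", "0xnew1", 1.0),
    Transfer(datetime(2025, 7, 19, 8, 50), "ops-hot-1", "0xnew1", 7_000_000.0),
    Transfer(datetime(2025, 7, 19, 9, 0), "ops-hot-1", "0xnew2", 7_000_000.0),
    Transfer(datetime(2025, 7, 19, 9, 10), "ops-hot-1", "0xnew3", 7_000_000.0),
    Transfer(datetime(2025, 7, 19, 9, 20), "ops-hot-1", "0xnew4", 7_000_000.0),
    Transfer(datetime(2025, 7, 19, 9, 30), "ops-hot-1", "0xnew5", 8_000_000.0),
    Transfer(datetime(2025, 7, 19, 9, 40), "ops-hot-1", "0xnew6", 8_000_000.0),
    Transfer(datetime(2025, 7, 19, 10, 30), "ops-hot-1", "0xmarketmaker", 5_000_000.0),
]

def flag_probes(transfers, known_dests, probe_max_usd=10.0):
    """Early warning: tiny transfer from an operational wallet to a destination it
    has never paid. Cheap to review, and in this pattern it precedes the drain."""
    return [t for t in transfers if t.usd <= probe_max_usd and t.dest not in known_dests]

def probe_then_drain(transfers, known_dests, probe_max_usd=10.0,
                     window=timedelta(hours=12), drain_min_usd=1_000_000.0):
    """Escalation: for each probe, sum later outflows from the same wallet to unseen
    destinations inside `window`; return (probe, total_usd, destinations) when the
    total crosses `drain_min_usd`. Transfers to known destinations never count."""
    txs = sorted(transfers, key=lambda t: t.ts)
    alerts = []
    for i, probe in enumerate(txs):
        if probe.usd > probe_max_usd or probe.dest in known_dests:
            continue
        later = [t for t in txs[i + 1:] if t.wallet == probe.wallet
                 and t.dest not in known_dests and t.ts - probe.ts <= window]
        total = sum(t.usd for t in later)
        if total >= drain_min_usd:
            alerts.append((probe, total, sorted({t.dest for t in later})))
    return alerts
```

The value of the first function is that a probe to an unseen address is reviewable while the wallet still holds its balance; the second is the after-the-fact correlation that confirms the pattern.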
How Did the Intrusion Happen?
Investigators and company officials highlighted that hackers gained access by compromising login credentials tied to Agarwal’s company‑issued laptop. The breach reportedly originated through a social‑engineering attack that convinced Agarwal to install malware disguised as files for freelance work.
Freelancing, a German WhatsApp Call & Suspicious Deposit
During police questioning, Agarwal denied knowing about the heist but confirmed he had been doing freelance work for three to four private clients, whom he didn’t personally know or verify.
He also disclosed having received a WhatsApp call from a German number, allegedly instructing him to complete and send back certain files—one of which may have contained malware.
Separately, police found a ₹15 lakh (~$17,000) deposit in his bank account from an unknown source, raising questions about possible collusion or manipulation.
Company & Law Enforcement Response
Neblio Technologies—CoinDCX’s operator—filed a formal complaint once internal audits found that only Agarwal’s machine had been compromised, leading to the unauthorized transactions via his credentials.
Sumit Gupta, CoinDCX’s CEO, labeled the incident a “sophisticated social engineering attack” and discouraged speculation during the ongoing inquiry.
Police registered a First Information Report (FIR) under multiple sections of India’s IT Act and penal provisions including theft, cheating, criminal breach of trust, and identity theft.
Larger Context: Crypto Industry Fallout & Global Concern
This breach is one of the largest crypto heists in India’s history, injecting alarm across the blockchain ecosystem.
Authorities are exploring whether North Korean hackers or similar advanced actors were involved, given prior global patterns.
Experts warn the attack underscores growing threats from insider targeting and social engineering, which often bypass technical defenses.
Ongoing Efforts & Challenges Ahead
CoinDCX launched a recovery bounty program, offering up to 25% (~$11 million) of recovered funds for credible tracing leads.
However, investigators face steep difficulties: the funds were dispersed across multiple decentralized chains and likely laundered, and Indian regulation around cryptocurrency remains underdeveloped, complicating tracing or prosecution.
Legal Position of Rahul Agarwal
Agarwal currently maintains he had no direct involvement in the heist. He portrays himself as an unwitting victim used as a conduit. Nonetheless, police and prosecutors are examining whether his involvement was coerced, complicit, or purely accidental.
Important open questions include:
Who sent the malware‑infected files?
Did Agarwal knowingly facilitate access?
Was there coordination with foreign threat actors?
And critically: can the stolen crypto be traced and recovered?
Why This Case Matters
Internal Risk Exposure: Even privileged internal roles can become vulnerabilities if access controls aren’t strictly layered or monitored.
Freelance Work Risks: Accepting unknown assignments—even via remote messaging—can expose devices to malware or phishing.
Audit & Compliance Gaps: The industry may now face stronger pressure for regulated frameworks, mandatory cybersecurity audits, and stricter employee vetting.
Profile Snapshot: Rahul Agarwal
Detail | Information |
---|---|
Name | Rahul Agarwal |
Age | ~30 years |
Location | Carmelaram, Bengaluru (originally from Haridwar, Uttarakhand) |
Role | Staff Engineer, CoinDCX (joined in ~2023; promoted April 2025) |
Arrest Date | July 26, 2025 (Whitefield CEN Police) |
Allegation | Compromised credentials used to siphon ≈₹379–₹384 crore (~$43–44M) from internal wallets |
Modus Operandi | Malware installed via social engineering from German call; freelancing for unknown clients |
Money Trail | ₹15 lakh deposit of unclear origin |
Defense Claim | Denies knowing involvement; claims unwitting victim of malware attack |
Company View | Confirmed breach via his device; internal wallet only; customer funds safe |
Broader Concern | Signals need for stronger insider access controls and regulatory oversight |
Timeline Recap
July 19, early hours: 1 USDT test withdrawal at ~2:37 AM; escalates to $44M within hours (by ~9:40 AM).
July 22: Neblio files complaint with Karnataka Police after forensic confirmation of credential compromise.
July 26: Agarwal arrested by Bengaluru police; laptop seized for forensic analysis.
Late July – early August: Arrest coverage highlights potential North Korean hacker involvement and industry reaction.