- CoinDCX employee arrested after hackers installed malware via fake job offer
- Rahul Agarwal unknowingly compromised company systems through work laptop
- Police struggle with cryptocurrency money trail across international wallets
Rahul Agarwal, an employee of CoinDCX, has been taken into custody by Indian authorities in connection with the $44 million cryptocurrency theft that hit the exchange in July.
Investigators determined that hackers installed malware on Agarwal’s company laptop through a sophisticated social engineering scheme disguised as part-time employment opportunities.
The 30-year-old software engineer fell victim to cybercriminals who offered him paid freelance work writing reviews and completing online tasks, according to The Indian Express.
Agarwal first carried out these tasks on his home laptop and later switched to his work laptop, which allowed the hackers to install malicious software that gave them access to CoinDCX servers.
Social Engineering Attack Exploits Employee Trust
Police investigations revealed that hackers targeted Agarwal specifically due to his position within the company and access to internal systems.
The criminals spent time building trust by making legitimate payments for completed tasks before deploying malware through his work laptop.
Agarwal earned approximately Rs 15 lakh ($18,000) from the supposed part-time work over several months. When CoinDCX management confronted him about the additional income during their internal investigation, he explained it as legitimate freelance earnings from external clients.
The employee, who had worked at CoinDCX for over three years in DevOps roles, was promoted to staff engineer in April 2025. His career progression and trusted position within the organization made him an attractive target for the sophisticated attack.
$44 Million Transferred to Six International Wallets
The security breach occurred on July 19 at approximately 2:37 AM when hackers gained access to CoinDCX’s internal liquidity account. The cybercriminals transferred $44 million worth of cryptocurrency to six separate wallets located outside India.
CoinDCX Vice President Hardeep Singh filed a police complaint on July 22, detailing how the attack compromised the exchange’s wallet systems.
The company’s internal investigation traced the breach to Agarwal’s infected laptop, which provided unauthorized access to company servers.
Police officers stated that Agarwal remained unaware of his role in facilitating the theft until confronted by investigators. The employee had no knowledge that his laptop activities were being monitored and exploited by cybercriminals to access company systems.
International Nature Complicates Recovery Efforts
Law enforcement faces challenges tracking the stolen cryptocurrency because of limited international cooperation and regulatory frameworks. Police officers noted that the money trails available in traditional banking are impossible to establish for cryptocurrency transactions that span multiple jurisdictions.
The difficulty increases because the destination wallets appear to be registered outside India, making it nearly impossible to trace ownership or recover funds without cooperation from foreign cryptocurrency exchanges.
Officers expressed frustration that crypto platforms may not share wallet ownership data necessary for investigations.
CoinDCX has launched a Recovery Bounty Programme offering 25% of recovered funds, approximately $11 million, to anyone who helps retrieve the stolen cryptocurrency.
Co-founder Neeraj Khandelwal described the initiative as a fight against bad actors affecting the entire industry.
Legal Charges Filed Under Multiple Acts
Whitefield CEN police have registered cases under various sections of the Information Technology Act, including computer-related offenses, identity theft, and cheating by impersonation. Additional charges under the Bharatiya Nyaya Sanhita cover theft, criminal breach of trust, and cheating.
The case highlights vulnerabilities in cryptocurrency exchange security where employee access credentials can be compromised through social engineering. CoinDCX CEO Sumit Gupta described the incident as a sophisticated social engineering attack targeting employees.
Despite the internal system breach, the company maintained that no customer funds were affected by the exploit. The hackers specifically targeted internal accounts used for liquidity provision services with other exchanges rather than customer deposit wallets.
The arrest shows how cybercriminals exploit human psychology and trust to gain access to secure systems, using legitimate-seeming opportunities to compromise employee devices and ultimately breach organizational security infrastructure.