India Crypto Firm CoinDCX Loses $44M in Social Engineering Attack

Generated by AI Agent, Coin World
Thursday, Jul 31, 2025 8:12 am ET
Aime Summary

- Indian crypto exchange CoinDCX lost $44M in a social engineering/malware attack exploiting employee Rahul Agarwal's compromised credentials.

- Agarwal, arrested for enabling the theft, admitted freelance work on company devices but denied knowing about the breach until contacted.

- CoinDCX launched a 25% recovery bounty program and confirmed losses came from corporate funds, not customer assets.

- The incident highlights insider risks and operational vulnerabilities, drawing parallels to the 2024 WazirX heist using similar tactics.

- Cybersecurity experts warn of growing threats in crypto, emphasizing the need for stronger internal controls and employee vigilance.

India's cryptocurrency sector faced a major cybersecurity breach when Rahul Agarwal, a 30-year-old software engineer at CoinDCX, was arrested for allegedly enabling a $44 million theft from the platform. The incident, which unfolded on July 19, involved a highly coordinated social engineering and malware attack that compromised Agarwal’s login credentials, allowing hackers to access internal liquidity wallets [2]. In under seven hours, the attackers moved the funds into six separate cryptocurrency wallets, starting with a test transfer of 1 USDT before initiating the large-scale exfiltration [1].
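The sequence described above (a tiny probe transfer from an operational wallet, then large outflows to several previously unseen destinations inside a few hours) is a shape that wallet-monitoring can flag on its own. The following is an added example, not CoinDCX's code or anything from the cited reports: it runs a "probe, then drain" heuristic over a constructed transfer log. Wallet labels, addresses, amounts, thresholds and the seven-hour window are assumptions chosen to mirror the article.

```python
"""Heuristic detector for a 'probe, then drain' outflow pattern.

Added example, not CoinDCX code. Flags a small transfer from a treasury
or liquidity wallet to an address it has never paid before, followed
within a time window by large transfers to several more first-seen
addresses. All thresholds, labels and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    src: str      # internal wallet label
    dst: str      # on-chain destination (placeholder strings here)
    asset: str
    amount: float


@dataclass
class Alert:
    source: str
    probe: Transfer          # the small first-seen transfer that opened the sequence
    total: float             # sum of the large follow-on transfers
    destinations: list[str]  # first-seen addresses that received them


# Destinations the firm already trusts (assumed allowlist: partners, cold storage).
KNOWN_DESTINATIONS = frozenset({"0xEXCHANGE_PARTNER", "0xCOLD_VAULT"})

# Constructed sample log; addresses and amounts are made up for the example.
SAMPLE_LOG = [
    # Benign activity from a second liquidity wallet to established counterparties.
    Transfer(datetime(2025, 7, 18, 22, 0), "hot-liq-2", "0xEXCHANGE_PARTNER", "USDT", 2.0),
    Transfer(datetime(2025, 7, 18, 22, 30), "hot-liq-2", "0xEXCHANGE_PARTNER", "USDT", 3_000_000.0),
    Transfer(datetime(2025, 7, 18, 23, 0), "hot-liq-2", "0xCUSTOMER_X", "USDT", 5.0),
    Transfer(datetime(2025, 7, 19, 0, 15), "hot-liq-2", "0xCOLD_VAULT", "USDT", 4_000_000.0),
    # Suspicious sequence: 1 USDT probe, then large outflows to fresh addresses.
    Transfer(datetime(2025, 7, 19, 1, 2), "hot-liq-1", "0xNEW_A", "USDT", 1.0),
    Transfer(datetime(2025, 7, 19, 1, 9), "hot-liq-1", "0xNEW_A", "USDT", 5_000_000.0),
    Transfer(datetime(2025, 7, 19, 1, 31), "hot-liq-1", "0xNEW_B", "USDC", 7_500_000.0),
    Transfer(datetime(2025, 7, 19, 2, 4), "hot-liq-1", "0xNEW_C", "USDT", 6_000_000.0),
]


def detect_probe_then_drain(log, probe_max=10.0, drain_min=1_000_000.0,
                            window=timedelta(hours=7), min_destinations=2,
                            allowlist=KNOWN_DESTINATIONS):
    """Return one Alert per source wallet whose outflows match the pattern.

    A probe is a transfer of at most `probe_max` to a destination the wallet
    has neither allowlisted nor paid before. Drains are transfers of at least
    `drain_min` within `window` after the probe, again to first-seen
    destinations. An alert fires once drains reach `min_destinations`.
    """
    by_src = defaultdict(list)
    for t in sorted(log, key=lambda t: t.ts):
        by_src[t.src].append(t)

    alerts = []
    for src, xfers in by_src.items():
        for i, probe in enumerate(xfers):
            # Addresses this wallet paid before the probe count as established.
            established = allowlist | {t.dst for t in xfers[:i]}
            if probe.amount > probe_max or probe.dst in established:
                continue
            deadline = probe.ts + window
            drains = [t for t in xfers[i + 1:]
                      if t.ts <= deadline
                      and t.amount >= drain_min
                      and t.dst not in established]
            dsts = sorted({t.dst for t in drains})
            if len(dsts) >= min_destinations:
                alerts.append(Alert(src, probe, sum(t.amount for t in drains), dsts))
                break  # one alert per source wallet is enough to page on
    return alerts


if __name__ == "__main__":
    for a in detect_probe_then_drain(SAMPLE_LOG):
        print(f"{a.source}: probe {a.probe.amount} {a.probe.asset} at {a.probe.ts}, "
              f"then {a.total:,.0f} to {len(a.destinations)} new addresses")
```

On the constructed log the detector alerts only on `hot-liq-1`, because its probe went to an address the wallet had never paid and was followed by three large transfers to first-seen addresses; the benign wallet's small transfer to an unknown customer address produces no alert since no drains follow it. In practice the allowlist would be fed from a signed destination registry, and the window and thresholds tuned against the wallet's normal settlement cadence so that routine large payouts to established counterparties stay silent.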

Agarwal reportedly received a suspicious WhatsApp call from a foreign number prior to the breach, which may have led to his device being infected with malware. CoinDCX’s internal investigation revealed that Agarwal had been using his company-issued laptop for freelance work, raising concerns about the potential vulnerabilities introduced through such activity. During police interrogation, he admitted to moonlighting but denied any knowledge of the theft until contacted by his employer [2].

The breach was first flagged by on-chain investigator ZachXBT, who traced the unusual transactions and alerted the public. CoinDCX CEO Sumit Gupta confirmed the incident and emphasized that customer funds were not affected, with the losses drawn from the company’s corporate treasury. He also dismissed rumors of a potential acquisition by Coinbase, stating the company is “not up for sale” and remains focused on its operations in India [2].

CoinDCX has launched a “Recovery Bounty Programme” offering a 25% reward for any returned funds, amounting to a potential $11 million in incentives. The company also reiterated its commitment to cooperating fully with law enforcement and stated that the breach was the result of a “sophisticated social engineering attack” [2]. The incident is being investigated under multiple sections of the Indian Information Technology Act, with an FIR filed by CoinDCX’s parent firm, Neblio Technologies [2].

The breach has drawn comparisons to the 2024 WazirX heist, where $234 million was stolen using similar tactics. Cybersecurity experts have pointed to the increasing threat of insider risks and the vulnerabilities in employee endpoint security and operational wallet management [2]. The case serves as a cautionary tale for the crypto industry, highlighting the need for stronger internal security protocols, especially for firms handling large volumes of digital assets [2].

In the wake of the incident, the global crypto market cap rose to $3.89 trillion; Bitcoin gained over 30% over the past 30 days and traded above $118,000, while Ethereum surged 57% in the same period [2]. The event underscores the growing sophistication of cyber threats in the crypto space and the critical importance of robust internal controls and employee vigilance [2].

Sources:

[1] Bengaluru Employee Arrested After $44M Crypto Theft – https://www.deccanherald.com/india/karnataka/bengaluru/employee-arrested-in-bengaluru-after-crypto-exchange-loses-44-million-in-major-hack-3656861

[2] CoinDCX Staff Held for $44M Heist, Hackers Exploit Login ... – https://cryptonews.com/news/coindcx-staff-held-for-44m-heist-hackers-exploited-login-credentials/
