Bengaluru City police arrested Rahul Agarwal, a software engineer at CoinDCX, in connection with the $44 million hack that hit the exchange on July 19, 2025, according to The Times of India. The police acted after a complaint from Neblio Technologies, which operates CoinDCX.
Investigators said hackers compromised Agarwal’s login credentials and accessed the company’s internal servers. Neblio determined this breach occurred through Agarwal’s work-issued laptop, which gave hackers entry into CoinDCX’s systems. Authorities seized his laptop and questioned him.
Agarwal denied involvement in the theft but admitted he worked for four private clients part-time while still employed at CoinDCX. Police said this activity may have exposed his credentials to external risks.
CoinDCX Probes Sophisticated Social Engineering Attack
CoinDCX referred media queries to an X post by co-founder and CEO Sumit Gupta. He said the incident appeared to be a “sophisticated social engineering attack” aimed at exploiting employee access.
“Employees are often targeted in such attacks,” Gupta posted, while urging people to avoid speculation that could affect the ongoing probe. CoinDCX also confirmed it is cooperating with authorities.
Details of the $44M Exploit and Timeline
According to police and Neblio’s internal report, hackers first breached CoinDCX’s system during the night of July 19. At that time, they transferred 1 USDT to a test wallet. Hours later, they executed a larger theft, siphoning $44 million to six separate wallets.
Police said hackers tricked Agarwal into installing malware on his office laptop, which facilitated server access. This malware reportedly enabled unauthorized control over CoinDCX’s internal account, which was linked to liquidity provisions with another exchange, according to CEO Gupta.
Despite the exploit, Gupta clarified in his post that no user funds were affected, as the breach targeted internal operational accounts.
Employee Profile and Internal Investigation Findings
Neblio’s vice president for public policy, Hardeep Singh, confirmed that Agarwal was a permanent staff member and received a dedicated laptop for his role. Singh emphasized that the compromised device played a central role in the breach.
According to Agarwal’s LinkedIn profile, he joined CoinDCX in May 2023 as a senior software engineer and worked remotely from Bengaluru, Karnataka. In April 2025, he transitioned to on-site work after his promotion to staff engineer.
Police connected the breach to Agarwal’s freelance work and stated that his additional projects exposed his company laptop to unverified networks.
Ongoing Investigation Into CoinDCX Hack
The Indian Express reported that investigators believe hackers targeted and planned the attack by exploiting Agarwal’s access. They seized his laptop for forensic analysis to trace the malware and identify the attackers.
The incident came days after Gupta confirmed the hack publicly. He said the hackers compromised an internal liquidity account, reiterating that CoinDCX is working with law enforcement to trace the stolen funds transferred to six identified wallets.
