The breach unfolds
Investigators traced the intrusion back to July 19, 2025, when hackers extracted a single USDT token from CoinDCX’s corporate reserves. Within hours, they escalated their access and drained roughly $44 million into six external wallets. CoinDCX’s security team flagged the anomaly later that morning and immediately seized the suspect’s company laptop, which forensic analysis revealed as the attack’s entry point.
• July 19, 2025: First USDT transfer detected
• Several hours later: $44 million siphoned into six wallets
• Security alert: rapid response and device seizure
• Forensics: only one device showed signs of compromise
Investigation details
Police arrested Rahul Agarwal on July 26 in Whitefield, Bengaluru, following a complaint and an internal probe by Neblio Technologies, CoinDCX’s parent firm. Agarwal joined CoinDCX as a senior engineer in May 2023 and earned a promotion to staff engineer in April 2025. During questioning, he denied orchestrating the theft but confessed to working on freelance projects on the side. He also admitted receiving an unexplained deposit of ₹15 lakh into his personal account.
Investigators uncovered chat logs showing a WhatsApp call from a German number. During that call, Agarwal was instructed to install and run files, later identified as malware, on his work laptop. Authorities are now coordinating with international cybercrime units to trace the German connection and follow blockchain trails obscured by crypto mixers.
Industry implications and next steps
This incident highlights how social-engineering tactics can penetrate corporate systems when organizations lack strict segmentation and robust endpoint security. CoinDCX has pledged to reimburse affected users and is reviewing its security protocols. Experts stress the importance of insider-threat monitoring, regular security audits, and employee training on phishing and suspicious attachments.
Meanwhile, law enforcement continues to map fund flows and identify possible accomplices. Until the hackers’ wallets are traced, much of the stolen $44 million remains hidden.