The apparent calm of the Indian crypto market has been violently shaken. CoinDCX, one of the country’s largest exchanges, fell victim to an internal hack resembling an international thriller. The amount of the damage: $43.4 million.
And at the heart of the investigation, a name: Rahul Agarwal, a 30-year-old developer and employee of the platform.
An internal flaw, a massive transfer, six targeted wallets
On July 19, 2025, without a sound, 3.79 billion rupees (approximately $43.4 million) were transferred from CoinDCX’s systems to six external wallets. No ransomware, no frontal attack. Just access… from the inside.
According to the Bengaluru police, it was Rahul Agarwal’s professional credentials, provided by CoinDCX, that allowed access to the exchange’s sensitive systems. The transfer? Perfectly executed. Like an inside job.
However, the individual denies any direct involvement.
Freelance, WhatsApp, and suspicious connections
Interrogated by the police, Agarwal claims not to have orchestrated anything. However, he admits to having worked freelance for unidentified “foreign clients.” And a few days before the theft, he received two suspicious items:
- a transfer of 1.5 million rupees to his bank account
- a WhatsApp call from a German number
Enough to fuel every hypothesis. Especially that of an indirect hack: credentials compromised during a freelancing session, a machine infected with malware, or access granted to a third party through negligence.
Investigators do not rule out anything. And especially not the involvement of foreign actors.
The North Korean trail resurfaces
Indian authorities mention a possible connection with hacker groups linked to North Korea (perhaps Lazarus again?). Similar methods have been spotted in other cases: infiltration through freelance employees, takeover of internal access, use of cascading transit wallets.
No formal evidence at this stage. But in the crypto world, precedents are numerous… and well-documented.
CoinDCX reassures: clients will not lose anything
Despite the magnitude of the loss, CoinDCX wanted to reassure its users. The parent company, Neblio Technologies, confirmed that client funds are intact. The losses will be fully covered by the company’s cash reserves.
A rare and costly gesture aimed at preserving trust in a market already weakened by several similar incidents.
A new red alert for exchange security
This theft once again raises the question of the internal security of crypto platforms. At a time when Indian regulation struggles to take shape, the CoinDCX case highlights the vulnerability of exchanges to internal threats.
And this time, it’s not a technical flaw, but a human flaw that seems to have triggered everything.