CoinDCX hack: $44M gone after dev opens file from side gig

The $44 million hack of Indian crypto exchange CoinDCX has been traced to a compromised laptop belonging to a software engineer at the company, who has been arrested in Bangalore.
The Times of India reports that Rahul Agarwal had used his laptop, which had been provided “strictly for office work,” to carry out side gigs for “three to four private parties without being aware of their credentials.”
Agarwal suspects that files sent to him as part of this work “could have been a bait,” allowing the hacker to compromise his login credentials which were later used in the heist.
An internal investigation found that Rs 15 lakh (approximately $17,000) had been paid to Agarwal “from an unknown source.”
According to police, he’d been in contact with a German number about the work.
The hack took place on July 19, and was flagged by online sleuth ZachXBT who pointed out that the theft had taken place “almost 17 hours ago and [CoinDCX] has yet to disclose the incident to the community.”
Less than two hours later, the company officially acknowledged the hack, also encouraging “maxis” to interact with the post on X to thank marketing manager Suchit Karande for his “transparency.”
Responses to Agarwal’s arrest have ranged from incredulity at the “negligence” of an engineer at a crypto exchange opening “random” files on a work laptop, to suspicions as to whether he is “a victim or culprit” attempting to camouflage a role in the heist as carelessness.
CoinDCX attack a classic example of ‘developer-phishing’
Blockchain security firm Halborn published an explainer on the hack, which it called “a classic example of an exchange hack likely involving a compromised private key.”
The report underlines “the importance of implementing strong security controls for backend infrastructure,” an area that security audits often don’t cover.
Because it falls outside the scope of most audits, backend infrastructure, and the developer machines and credentials that can reach it, is increasingly targeted by would-be hackers.
A recent example of this developer-phishing technique was highlighted earlier this week by the founder of SlowMist, another security audit firm, who goes by @evilcos on X.
In a Chinese-language post, he warned of the threat of hackers conducting “fake job recruitment on V2EX,” a Chinese tech and developer community platform.
The sting involves candidates using “a pre-prepared, malicious repository provided… as the project template” which, if run, will infect their device and could steal “cryptocurrency and account credentials.”
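The common thread in the CoinDCX compromise and the V2EX recruitment sting is a developer running code they were handed without reading it. Before building or installing an unfamiliar “template,” a practitioner can check the places where a repository executes code without anyone deliberately running it: npm lifecycle scripts (which `npm install` runs on its own), VS Code tasks set to start on folder open, and git hooks shipped inside an archive. The script below is an added example written for this article, not code from CoinDCX, Halborn or SlowMist, and the sample repository it audits is constructed inline; the file names, the indicator list and the `audit_repo` / `build_constructed_sample` functions are assumptions, not anything the page describes.

```python
"""Pre-run audit of an untrusted repository handed over as a 'project template'.

Added example, not CoinDCX's, Halborn's or SlowMist's code. It inspects the
places where a repository can execute code without the developer knowingly
running anything: npm lifecycle scripts, VS Code auto-run tasks and git hooks.
"""
import json
import os
import re
import tempfile

# npm runs these scripts automatically during `npm install`.
NPM_AUTO_SCRIPTS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Constructs commonly found in one-line stagers (assumed indicator list).
# A hit is a reason to read the script by hand, not proof of malice.
SUSPICIOUS_PATTERNS = [
    r"\bcurl\b", r"\bwget\b", r"base64", r"\beval\b", r"\bnode\s+-e\b",
    r"powershell", r"\bpython[23]?\s+-c\b", r"/dev/tcp/",
    r"Invoke-(WebRequest|Expression)",
]


def _indicators(text: str) -> list[str]:
    """Return the SUSPICIOUS_PATTERNS that match `text`."""
    return [p for p in SUSPICIOUS_PATTERNS if re.search(p, text, re.IGNORECASE)]


def _load_json(path: str):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_repo(repo: str) -> list[str]:
    """Return human-readable findings for auto-executing code under `repo`."""
    findings: list[str] = []

    # 1. npm lifecycle scripts: executed by `npm install` with no extra step.
    pkg = os.path.join(repo, "package.json")
    if os.path.isfile(pkg):
        try:
            scripts = _load_json(pkg).get("scripts") or {}
        except (OSError, ValueError):
            scripts = {}
            findings.append("package.json: not valid JSON; inspect by hand")
        for name, cmd in scripts.items():
            if name in NPM_AUTO_SCRIPTS:
                hits = _indicators(str(cmd))
                suffix = f" [indicators: {', '.join(hits)}]" if hits else ""
                findings.append(f"package.json: '{name}' runs on install: {cmd!r}{suffix}")

    # 2. VS Code tasks configured to start as soon as the folder is opened.
    tasks = os.path.join(repo, ".vscode", "tasks.json")
    if os.path.isfile(tasks):
        try:
            for task in _load_json(tasks).get("tasks", []):
                if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    findings.append(f".vscode/tasks.json: task {task.get('label')!r} "
                                    f"runs on folderOpen: {task.get('command')!r}")
        except (OSError, ValueError):
            # tasks.json may be JSONC (comments), which json.load rejects.
            findings.append(".vscode/tasks.json: not plain JSON; inspect by hand")

    # 3. Git hooks shipped inside the archive. A normal `git clone` never
    #    transfers hooks, so their presence means the sender put them there.
    hooks = os.path.join(repo, ".git", "hooks")
    if os.path.isdir(hooks):
        for name in sorted(os.listdir(hooks)):
            if not name.endswith(".sample"):
                findings.append(f".git/hooks/{name}: hook shipped with the repository")
    return findings


def build_constructed_sample(malicious: bool = True) -> str:
    """Write a constructed (not real) template repo to a temp dir; return its path."""
    repo = tempfile.mkdtemp(prefix="template-")
    scripts = {"build": "tsc", "test": "jest"}
    if malicious:
        # Constructed stager: decodes and evals a base64 blob at install time.
        scripts["postinstall"] = (
            "node -e \"eval(Buffer.from(process.env.X||'','base64').toString())\"")
    with open(os.path.join(repo, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "assignment-template", "scripts": scripts}, fh)
    if malicious:
        os.makedirs(os.path.join(repo, ".vscode"))
        with open(os.path.join(repo, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
            json.dump({"version": "2.0.0", "tasks": [{
                "label": "setup", "type": "shell", "command": "sh setup.sh",
                "runOptions": {"runOn": "folderOpen"}}]}, fh)
        os.makedirs(os.path.join(repo, ".git", "hooks"))
        with open(os.path.join(repo, ".git", "hooks", "post-checkout"), "w") as fh:
            fh.write("#!/bin/sh\nsh setup.sh\n")
    return repo


if __name__ == "__main__":
    for line in audit_repo(build_constructed_sample()):
        print(line)
```

Run it against the unpacked archive before `npm install`, opening the folder in an editor, or checking it out with hooks in place; an empty result only means these three auto-run paths are clean, so the dependency list and any `setup.sh`-style helper still need reading before anything is executed on a machine that holds exchange credentials.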