$44 Million CoinDCX Hack Used Freelancing Techie As Decoy


India’s Criminal Investigation Department (CID) has revealed that the accused in one of the largest crypto crimes in the nation’s history, the $44 million CoinDCX hack in early 2025, served as bait for the real perpetrators to get access to the crypto exchange.

The Karnataka state police arrested Rahul Agarwal, a 30-year-old freelance developer who had been working at the company since May 2023, in July 2025, on suspicion that he was involved in the fraud. However, it has now been revealed that Agarwal was hired as a part-timer without a contract by the fraudsters and had no knowledge that he was being used as a pawn.

CoinDCX Funds Moved to Single Wallet, Owner Yet to Be Identified

A senior CID officer told Indian media outlet “The Hindu” that the fraudsters assigned him a genuine project, made him work on it diligently, and paid him regularly, intending to win his trust before they could execute the meticulously planned operation.

Agarwal, a native of Uttarakhand, was taken into custody by Bengaluru’s Whitefield CEN Crime Police on July 26, 2025, after investigators found that a confidential login credential linked to his office laptop had been used during the security breach.

Agarwal was first contacted by a person named Sarah Ferguson on a professional networking site in March 2024, enquiring whether he was willing to take up a freelance assignment to help set up a website for an Indian crypto exchange. He accepted the offer after being offered an attractive fee. Once he agreed, the conversation moved to another platform, where the fraudster explained the project in more detail, granting him access to the code repository. All the while, Agarwal was using his work laptop to carry out freelance projects.

The fraudsters had Agarwal do genuine website development work, held regular meetings to review updates, suggested edits, and sent various files. They even paid him a healthy figure of roughly $16,500 per project. For over a year, he had no reason to suspect that he was being exploited.

During a regular discussion in July 2025, the fraudsters suggested a few changes and sent the developer a slew of files. While this was routine for Agarwal, this time the perpetrators had planted a Trojan in the files, and when he opened them, it was able to get past security firewalls and compromise his laptop. This gave the hackers complete access to the device, without Agarwal being aware of the consequences.

The scammers soon learnt that Agarwal had admin access to CoinDCX’s servers, allowing them to exploit the security vulnerability to steal private keys and siphon users’ funds. The CID said that initially, the hackers transferred a small amount out of the exchange, and once that worked, they went on to drain the platform’s entire digital asset treasury. The cryptocurrencies were first moved to the company’s internal wallet and routed through a network of crypto wallets before reaching a single address. While the CID was able to trace the transactions and identify the wallet where all the stolen assets are currently stored, they have yet to determine its owner.


The officer said, “That is the level of sophistication involved in crypto-related investigation. We can trace transactions, but not the wallet owner.”

He also added that efforts are ongoing to take the probe forward, while noting that CoinDCX has since strengthened its security measures. The CID officer also warned that there have been similar cases in Bengaluru, India’s Silicon Valley, which has prompted the agency to improve its monitoring mechanisms to prevent breaches.

The CoinDCX hack was meticulously planned and executed without any hiccups due to insiders being used as bait. The CID has cautioned tech sector employees to be aware of various “moonlighting” schemes, such as part-time job scams, employment frauds, investment frauds, and gambling frauds, if they also take up freelance projects.
