CoinDCX Breach Sparks Industry Concern: Are Insider Threats Crypto’s Silent Killer?

Editor


Crypto’s weakest link? It might be your own team. The CoinDCX insider theft highlights a growing threat that can’t be patched with firewalls.

A major Indian crypto exchange faces internal sabotage

The crypto world is no stranger to hacks — but this time, the enemy came from within. CoinDCX, one of India’s largest crypto exchanges, recently suffered a loss of ₹379 crore (approximately $45 million) in what is now confirmed to be an insider breach. 

A former employee allegedly exploited internal systems to siphon funds over several weeks, sending shockwaves through the digital asset community.

While most attention often focuses on external hacks, the CoinDCX case raises a more complex and increasingly urgent question: What happens when the biggest risk to user funds is inside the company walls?

What happened at CoinDCX?

On July 26, Bengaluru police arrested a 27-year-old software engineer in connection with the theft. Reports suggest the employee had access to an internal wallet integration tool used for liquidity provisioning with external exchanges. 

Using his privileged login credentials, he allegedly transferred customer and company funds to private wallets, cleverly avoiding detection by blending in with regular exchange activity.

Agarwal was arrested following a complaint from Neblio Technologies, the parent company of CoinDCX. The police report that Agarwal’s compromised work laptop was how hackers managed to access CoinDCX’s internal servers and conduct the transaction. 

Agarwal has so far played the victim. He has admitted to using the compromised work laptop while moonlighting with other crypto companies apart from CoinDCX. This was illegal under the exchange’s employee policy. 

The police believe that Agarwal had been lured into a “task fraud” job, which involved completing basic tasks such as writing Google reviews for a set amount of money. It is believed that by employing Agarwal, hackers managed to gain access to his systems. Investigators believe the theft was conducted without sophisticated malware or phishing. It was, at its core, an abuse of internal trust and infrastructure.

The police also report: “If it were a regular bank transfer, the accounts could’ve been frozen. In this case, there is no regulation on cryptocurrency, and it is close to impossible to trace its trail.”

Despite the reports that Agarwal was exploited, he was arrested and sent to judicial custody. Agarwal is currently in police custody for further probe.

What makes this case especially concerning is not just the amount stolen, but the method — an insider with trusted access abusing system weaknesses and oversight gaps. 

Are crypto companies prepared for insider threats?

The CoinDCX case is not isolated. A recent Brave New Coin investigation into insider risk highlights how internal actors now represent a growing segment of crypto security breaches — especially as platforms scale and grant access to more technical employees, vendors, and third-party service providers. 

The article explains — “Their method of entry relies on being handed the keys to the castle, not through brute-force hacks or zero-day exploits, but by securing legitimate access as trusted team members.”

Unlike external attacks that rely on breaching defenses, insider threats often bypass them altogether. Once inside, these actors can:

  • Misuse admin tools to withdraw funds
  • Alter audit logs to hide their tracks
  • Exploit bugs in internal transfer systems
  • Leak sensitive user or company data

Even firms with robust external security postures often lag when it comes to access control, internal audits, and monitoring of privileged users.

What could CoinDCX — and the industry — do differently?

This breach has prompted calls for better internal governance within crypto exchanges. Here’s what experts recommend:

  1. Zero trust architecture: All internal actions, even by employees, must be verified and logged.
  2. Segregation of duties: Critical wallet functions should require multi-party approval.
  3. Proactive audits: Regular internal audits can help catch abnormal transactions early.
  4. Access minimization: Limit employee access to only what they need — and nothing more.
  5. Bug bounty programs: Encourage white hat hackers to find flaws before insiders do.
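
The multi-party approval, access-minimization and logging recommendations above, sketched as a gate in front of an internal wallet transfer tool. This is an added example, not CoinDCX code; the partner addresses, approver names, two-approver quorum and all function names are assumptions.

```python
import hashlib, json
from dataclasses import dataclass

# Constructed sample policy: addresses and names are placeholders.
ALLOWLIST = {"partner-exchange-A:addr1", "partner-exchange-B:addr2"}
APPROVERS = {"alice", "bob", "carol"}
REQUIRED_APPROVALS = 2

@dataclass(frozen=True)
class Transfer:
    initiator: str
    destination: str
    amount: float

def authorize(t, approvals):
    """Return (allowed, reasons); deny unless every control passes."""
    reasons = []
    if t.destination not in ALLOWLIST:
        reasons.append("destination not a registered liquidity partner")
    # Segregation of duties: duplicates, unknown names and the initiator
    # never count toward the quorum.
    valid = (set(approvals) & APPROVERS) - {t.initiator}
    if len(valid) < REQUIRED_APPROVALS:
        reasons.append(f"need {REQUIRED_APPROVALS} independent approvers, got {len(valid)}")
    return (not reasons, reasons)

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self.entries = []

    def _digest(self, prev, record):
        body = json.dumps(record, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def process(t, approvals, log):
    """Log every decision, allowed or denied, then return the verdict."""
    allowed, reasons = authorize(t, approvals)
    log.append({"initiator": t.initiator, "to": t.destination, "amount": t.amount,
                "approvals": sorted(approvals), "allowed": allowed, "reasons": reasons})
    return allowed
```

The hash chain only makes edits evident if the latest hash is also copied somewhere the tool's operators cannot write; otherwise the whole chain can be recomputed after a change.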

For CoinDCX, rebuilding trust means implementing these guardrails quickly, communicating transparently, and potentially submitting to third-party audits.

What users should ask before choosing a crypto exchange

The CoinDCX incident raises new questions for users and institutional clients:

  • Does your exchange use multi-sig wallets and external custodians?
  • Are internal processes reviewed by a third party?
  • Do they publish any security transparency reports?
  • Is there insurance or a recovery plan in place if internal fraud occurs?
