The accused in one of Karnataka’s costly cybercrime cases, in which a cryptocurrency exchange lost nearly ₹368 crore, had been moonlighting for a year. Though he merely served as bait, he became a crucial entry point for the fraudsters, a probe by the Criminal Investigation Department (CID) has revealed.
In July 2025, a Bengaluru-based cryptocurrency exchange firm reported that its wallets were hacked into and cryptocurrency worth ₹368 crore was stolen. Police arrested an employee of the firm on suspicion that he was involved in the fraud.
Investigations have now revealed that the accused, Kiran (name changed), a 30-year-old techie who had been working since May 2023 at the cryptocurrency exchange located in Bellandur in East Bengaluru, was hired as a part-timer without a contract by the fraudsters, according to a senior CID investigator.
“The fraudsters assigned him a genuine project, made him work diligently, and paid him regularly, just to win his trust before executing the fraud,” the officer told The Hindu.
How it unfolded
In March 2024, Kiran received a message on a professional networking site from a person named Sarah Ferguson, enquiring whether he was willing to take up a freelance assignment to help set up a website for a crypto exchange, offering an attractive sum. When he agreed, the conversation moved to another platform, where the fraudster explained the project and granted him access to the code repository. Kiran used his full-time work company’s laptop to carry out this work as well.
According to the investigation, the fraudsters made Kiran undertake genuine website development work, held regular meetings online to review project updates, and suggested changes by sharing files. The fraudsters paid Kiran ₹15 lakh, leaving him with no reason to suspect he was being exploited for over a year until July 2025.
After one such meeting in July 2025, during which the fraudsters suggested changes, they sent Kiran a slew of files. “For Kiran, this was routine. But this time, the fraudsters had slipped in a bugged file. He opened it without any knowledge of fraud, but it appeared to be a dummy, so he closed it,” the officer said. “However, it had already opened in the background, breached the security walls, and compromised the laptop. The fraudsters now had complete access to the device, with Kiran still unaware,” he added.
Siphoning
The fraudsters learnt that Kiran had admin access to the company’s servers and stole all the private keys. Using these, they accessed the company’s systems and exploited the vulnerability.
“Initially, they transferred a small amount, and once that worked, they went on to drain the entire treasury. The cryptocurrencies were first moved to the company’s internal wallet and then routed through a conduit of crypto wallets before reaching a single wallet,” the officer told The Hindu.
While the CID has traced the transaction trail of the stolen cryptocurrencies and identified the wallet where the funds are stored, investigators have been unable to determine its owner. “That is the level of sophistication involved in crypto-related investigations. We can trace transactions, but not the wallet owner,” the officer said, adding that efforts are ongoing to take the probe forward. He also noted that the company has since strengthened its security measures.
Pitfalls of moonlighting
According to the officer, there have been similar cases in the city, prompting agencies to improve monitoring mechanisms for such breaches.
In this case, the fraudster could even be a legitimate entrepreneur who spotted an opportunity and exploited it to siphon off the funds. However, it is more likely that the fraud was meticulously planned and executed without any hiccups.
“Moonlighting may seem like the easiest way to make quick money, but it can go terribly wrong when high-profile fraudsters are involved,” the officer said. He cautioned tech professionals to be aware of the various modus operandi linked to moonlighting, including part-time job scams, employment frauds, investment frauds, and gaming frauds.
Published – January 18, 2026 09:12 pm IST
