Mumbai: In the wake of multiple cyber heists, the government has directed all cryptocurrency exchanges, custodians, and intermediaries to undergo cyber security audits.
They would have to hire a security auditor empanelled with the Indian Computer Emergency Response Team (Cert-In)-a body under the ministry of electronics and information technology which aims to secure the country’s cyber space- for the job.
This would be a mandatory requirement for the registration of virtual digital asset (VDA) service providers with the country’s anti-money laundering agency Financial Intelligence Unit (FIU).
Web3 entities handling VDAs are covered under the Prevention of Money Laundering Act, 2002, placing them on the same compliance level as banks.
In recent years, cryptocurrency-related crimes have surged, accounting for nearly 20-25% of all cybercrime in India, said a report by the local crypto platform Giottus.
While a cyber hack in a crypto platform or vault is treated as an underlying offence the transfer of the digital coins through multiple, complex entities which could be located abroad, to mask the trail constitute laundering.
“The introduction of cyber security audits in all likelihood is triggered by recent crypto thefts in a few exchanges. At the same time, strict compliance with the CERT-in directions dated 28th April 2022, such as log maintenance and retention of subscriber data for prescribed period, would aid investigative agencies in tracing funds layered and obscured through cryptocurrency transactions,” said Harshal Bhuta, partner at the CA firm P. R. Bhuta & Co.
All designated directors, principal officers, and chief compliance officers of the reporting entities are required to comply with the direction on immediate basis, says a FIU letter dated September 15, 2025 to the registered VDA service providers.
There are around 55 entities in India engaged in exchange, transfer, safekeeping, and financial services involving VDAs.
In hiding the movement of stolen cryptos, cyber hackers across markets often resort to myriad transactions. They may park a chunk of the digital booty in accounts spread over various darknet markets and exchanges with low reporting requirements. Many scammers convert the robbed VDAs like Bitcoins into privacy-enhancing coins to preserve anonymity and reduce traceability. Some cyber criminals use mixers or tumblers that pool together coins from various wallets and combine them with the stolen coins before randomly redistributing them to hide the origin as well as destination of stolen cryptos.
The key question however is whether the cyber security auditors examining systems of banks and brokerages are adequately equipped to spot the security gaps in a crypto platform. For the platform one of the main security measures is protecting the ‘private key’, the alphanumeric code from hackers. Any agency auditing a VDA service provider will have to evaluate among other things how and where the keys are stored.
Nonetheless, mandating cybersecurity audit report is a step in the right direction to strengthen safeguards for users, said Purushottam Anand, Advocate and Founder of Crypto Legal. “Notably, the FIU communique has also replaced the earlier ‘Fit & Proper’ certificate (that a new applicant had to obtain from an existing partner) with a ‘Partner Accreditation for Compliance & Trust’ (or PACT) certificate, though the circular does not clarify how this differs from the previous regime. While Fit & Proper was a wide and subjective term, use of the expression accreditation for ‘compliance and trust’ indicates the intent to restrict the scope of assessment to compliance related aspects. It is expected that FIU will provide additional guidance to registered entities on the scope and parameters for such assessments,” said Anand.
FIU has the right to deny or cancel registration if a reporting entity violates the PMLA. While the government has put in anti-money laundering rules for VDA service providers, the trade is dogged by steep taxes and a regulatory void. A recent report by Mudrex, a crypto platform, suggests that the government could consider a nuanced approach, under which stablecoins, Bitcoin, and utility-based tokens, each serving distinct purposes, are regulated as separate segments.
