Mumbai: In the wake of multiple cyber heists, the government has directed all cryptocurrency exchanges, custodians, and intermediaries to undergo cyber security audits.

They would have to hire a security auditor empanelled with the Indian Computer Emergency Response Team (Cert-In), a body under the ministry of electronics and information technology which aims to secure the country’s cyber space, for the job.

This would be a mandatory requirement for the registration of virtual digital asset (VDA) service providers with the country’s anti-money laundering agency Financial Intelligence Unit (FIU).

Web3 entities handling VDAs are covered under the Prevention of Money Laundering Act, 2002, placing them on the same compliance level as banks.

In recent years, cryptocurrency-related crimes have surged, accounting for nearly 20-25% of all cybercrime in India, said a report by the local crypto platform Giottus.

While a cyber hack in a crypto platform or vault is treated as an underlying offence, the transfer of the digital coins through multiple, complex entities, which could be located abroad, to mask the trail constitutes laundering.

“The introduction of cyber security audits in all likelihood is triggered by recent crypto thefts in a few exchanges. At the same time, strict compliance with the CERT-in directions dated 28th April 2022, such as log maintenance and retention of subscriber data for prescribed period, would aid investigative agencies in tracing funds layered and obscured through cryptocurrency transactions,” said Harshal Bhuta, partner at the CA firm P. R. Bhuta & Co.

All designated directors, principal officers, and chief compliance officers of the reporting entities are required to comply with the direction on an immediate basis, says an FIU letter dated September 15, 2025 to the registered VDA service providers.

There are around 55 entities in India engaged in exchange, transfer, safekeeping, and financial services involving VDAs.

In hiding the movement of stolen cryptos, cyber hackers across markets often resort to myriad transactions. They may park a chunk of the digital booty in accounts spread over various darknet markets and exchanges with low reporting requirements. Many scammers convert the robbed VDAs like Bitcoins into privacy-enhancing coins to preserve anonymity and reduce traceability. Some cyber criminals use mixers or tumblers that pool together coins from various wallets and combine them with the stolen coins before randomly redistributing them to hide the origin as well as destination of stolen cryptos.

The key question, however, is whether the cyber security auditors examining systems of banks and brokerages are adequately equipped to spot the security gaps in a crypto platform. For the platform, one of the main security measures is protecting the ‘private key’, the alphanumeric code, from hackers. Any agency auditing a VDA service provider will have to evaluate, among other things, how and where the keys are stored.

Nonetheless, mandating cybersecurity audit report is a step in the right direction to strengthen safeguards for users, said Purushottam Anand, Advocate and Founder of Crypto Legal. Notably, the FIU communique has also replaced the earlier ‘Fit & Proper’ certificate (that a new applicant had to obtain from an existing partner) with a ‘Partner Accreditation for Compliance & Trust’ (or PACT) certificate, though the circular does not clarify how this differs from the previous regime. While Fit & Proper was a wide and subjective term, use of the expression accreditation for ‘compliance and trust’ indicates the intent to restrict the scope of assessment to compliance related aspects. It is expected that FIU will provide additional guidance to registered entities on the scope and parameters for such assessments,” said Anand.

FIU has the right to deny or cancel registration if a reporting entity violates the PMLA. While the government has put in anti-money laundering rules for VDA service providers, the trade is dogged by steep taxes and a regulatory void. A recent report by Mudrex, a crypto platform, suggests that the government could consider a nuanced approach, under which stablecoins, Bitcoin, and utility-based tokens, each serving distinct purposes, are regulated as separate segments.