The Indian government has brought in mandatory cybersecurity audits for cryptocurrency exchanges, custodians, and other intermediaries in response to a surge in crypto cybercrimes.
As per a report from The Economic Times, a newly hired security auditor under the Indian Computer Emergency Response Team (CERT-In) will conduct these audits. CERT-In, which functions under the IT ministry, is responsible for overseeing the country’s cyberspace.
The new requirement is tied to registration with the Financial Intelligence Unit (FIU), India’s anti-money laundering agency. Since virtual digital asset (VDA) firms are already covered under the Prevention of Money Laundering Act (PMLA), they are expected to meet compliance standards similar to banks.
In a letter dated September 15, 2025, the FIU asked VDA service providers to ensure that designated compliance officers and directors take immediate action. Currently, India has around 55 entities involved in crypto trading, custody, and related services. The FIU retains the power to deny or cancel registrations if firms fail to meet anti-money laundering requirements.
Why is it necessary?
Cryptocurrency crimes are on the rise in India. As per the Economics Times, local exchange Giottus reported that cryptocrimes account for nearly 20–25% of all cybercrime cases in India.
Recent hacks have seen criminals exploit loopholes to steal digital assets. They then route the stolen funds through complex global networks, darknet markets, privacy coins, and coin-mixing services to erase transaction trails.
In the previous month, the Indian Parliament’s Standing Committee on Home Affairs released its 254th Report titled “Cyber Crime – Ramifications, Protection and Prevention.” The report highlights how cryptocurrencies are increasingly being exploited in financial frauds, money laundering, ransomware attacks, and human trafficking. The term “crypto” appears repeatedly throughout the report, consistently in a negative context.
Questioning the cybersecurity audits
Functioning these audits is a step forward. However, the main question is whether cybersecurity auditors, who usually review banks and brokerages, can spot security gaps in crypto platforms.
One key measure for these platforms is protecting the ‘private key,’ the alphanumeric code that controls access to funds. Auditors will need to check how and where these keys are stored.
Still, industry voices see this as a positive step. “The introduction of cyber security audits in all likelihood is triggered by recent crypto thefts in a few exchanges,” said Harshal Bhuta, partner at CA firm P. R. Bhuta & Co. He also mentioned the CERT-In directions from April 28, 2022, require keeping logs and storing subscriber data for a set period. This will help authorities track funds hidden through cryptocurrency transactions.
Purushottam Anand, Advocate and Founder of Crypto Legal, expressed that the FIU has also replaced the earlier “Fit & Proper” certificate with a new accreditation called “Partner Accreditation for Compliance & Trust” (PACT).” He noted, “It is expected that FIU will provide additional guidance to registered entities on the scope and parameters for such assessments.
Crypto regulation needed in India
India has imposed strict reporting rules for crypto. Due to this setback, the industry continues to face challenges such as high taxes and a lack of a dedicated regulatory framework.
Recently, Mudrex, one of India’s largest crypto investment platforms, surveyed 9,352 people on crypto regulation, taxation, and investment trends. The study found that 93% of respondents support regulation. Of these, 56% want full investor-protection frameworks, 24% prefer lighter oversight to encourage innovation, and 13% favor regulation limited to taxation.
Some industry reports suggest the government could adopt a segmented approach to regulation, treating Bitcoin, stablecoins, and utility tokens differently based on their use.
Also Read: Indian Politician Says Digital Rupee Could Lower Remittance Costs
