
WazirX Hack, CoinDCX Hack: Does Indian Law Offer Any Legal Recourse for Crypto Investors Who Lost Money?

Adoption of cryptocurrency in India has significantly increased in the last few years. What began as a very niche hobby for enthusiasts, speculators, and early adopters has grown to include thousands of retail investors, fintech startups and even institutional players exploring the potential for digital assets. While the number of users, volumes, and innovation grow, so do the risks, including hacks, security breakdowns and operational issues.

Recent hacks on Indian exchanges, in particular the WazirX hack and the CoinDCX hack, have eroded the trust of many investors who had previously relied on the platforms as somewhere to hold their funds. Now, investors who put their investments into the exchange in good faith are asking the question: What can Indian law do to protect me? Will I be able to recover my funds?

Let’s reflect on the WazirX and CoinDCX hacks, discuss the impact on investors and explore what forms of relief exist for investors under Indian law. We will examine how the situation in India compares to other jurisdictions, offer practical steps to users who have been impacted by these events, and look ahead to what future regulation could bring.

WazirX Hack: What We Know

WazirX, founded in 2018, became one of the principal cryptocurrency exchanges in India, garnering millions of customers and significant volumes of trade. By 2022 and 2023, the exchange reportedly suffered from multiple vulnerabilities and unauthorized access to some accounts and wallets.

What went wrong?

As per reports, hackers exploited weak protections and were able to gain authorized access to accounts with the help of API keys. This led to the compromise of customer funds stored in hot wallets and of the sensitive information related to transactions.

WazirX initially resorted to freezing any compromised accounts and requested a full-fledged investigation. They assured customers that they held reserves to cover any potential. However, the disclosure it published on its website about the magnitude of losses was limited and did not give users a clear picture.

Even though WazirX’s platform still seems to be active, user trust diminished significantly. WazirX’s security practices continue to be under scrutiny.

CoinDCX Security Breach: What is Happening?

Another leading player and home to millions of Indian users, CoinDCX also fell victim to a serious breach. Hackers took advantage of weaknesses in the custodial wallet systems that made it possible for them to withdraw funds without authorization. CoinDCX noted that only a minuscule amount of its assets were stolen and emphasized that the company had excellent reserves and insurance to protect customer funds.

Even with these assurances, many users struggled to withdraw their funds, which raised serious questions regarding the platform’s transparency and future. Due to low levels of public disclosures provided by the company, investors had no way to ascertain the full extent of the breach or even whether there were other breaches.

Both the WazirX breach and the CoinDCX breach pointed to systemic vulnerabilities in the Indian cryptocurrency ecosystem. Both hacks underscored the massive need for regulation, improved cybersecurity systems and transparency from crypto exchanges to restore investor confidence.

What Impact Did These Hacks Have on Investors?

The hacks significantly impacted both retail and institutional investors.

Financial Losses

Many users complained that their balances in exchange wallets were simply gone. Some customers said that they received either partial or no reimbursement.

Data Breach

Once API keys were compromised, hackers may have gained access to trading history, linked bank accounts, and KYC data. This exposes a risk of identity theft and further fraud.

Loss of Confidence

Investor confidence plummeted. People complained on social media about not receiving clear information from exchanges. There were concerns that Indian exchanges wholly lack the capacity to handle large-scale security breaches.

Withdrawal Limitations

After the hacks, exchanges instituted freezes or delays on withdrawals to manage liquidity. This left many individuals unable to access their own deposits for weeks.

Together, these factors damaged faith in Indian exchanges and fuelled calls for regulatory protections.

Are Indian Crypto Exchanges Liable in The Eyes of the Law?

1. Absence of Crypto-Specific Legislation

Currently, India lacks a substantive law with respect to cryptocurrencies or exchanges. Unlike banks or broker-dealers, exchanges are not governed by specific legal duties directed at investor protection. As it stands, they operate in a gray area without specific statutory obligations to protect investors.

2. Exchanges as Private Companies

WazirX, CoinDCX, and others are established as private companies. Their user agreements often include:

  • General disclaimers allowing them to deny liability for hacking by any third party.
  • Acknowledgements of risk that shift responsibility to users.
  • Arbitration clauses that limit the user from taking legal action.

3. Consumer Protection Act (CPA, 2019)

In theory, investors may assert that exchanges have a service obligation and that failing to keep accounts safe amounts to a “deficiency of service.” Since there is no settled law on crypto, the question remains whether the consumer courts will accept jurisdiction.

4. IT Act, 2000 and Data Protection

Exchanges have obligations under the Information Technology Act to protect sensitive personal data. If KYC records or user data are not protected, liability may exist, but it is currently untested in the case of crypto assets.

5. Regulated vs. Unregulated Entities

While banks are regulated by the RBI and brokers by SEBI, there is no such supervision over crypto exchanges. They are therefore not required to contribute towards investor protection or have any statutory insurance.

What Legal Remedies Do Indian Crypto Investors Have?

Filing a Complaint or FIR

Jurisdictional issues: If servers are outside of India, the police have no authority to act.

Cybercrime cells: Investors can file under Sections 43, 65, and 66 of the IT Act.

Limitations: Investigations often stall due to technical complexity and the inability to enforce any crypto-specific provisions.

Remedies in a Consumer Court

When it is available: If an exchange is regarded as a “service provider,” users are entitled to make a filing under the Consumer Protection Act.

Barriers: Proving damages in the context of volatile and unpredictable crypto prices will be challenging. Courts may defer to other avenues, citing a lack of clarity in the law.

Civil Case Litigation

Contractual liability: If exchanges fail to provide secure services, they could be sued for breach of contract.

Burden of proof: Investors will need to prove negligence, which will require technical forensics.

Costs: Civil litigation can be costly and take a substantial amount of time.

Filing Under the IT Act, 2000

Applicable provisions: Section 43 (compensation for unauthorized access) and Section 66 (penalty for hacking).

Practical limitations: There is weak enforcement, and a crypto fraud case will likely be new and untried territory for courts in India.

Function of Indian Regulatory Authorities

RBI: Holds a conservative position, consistently warning investors but not regulating.

Finance Ministry/MeitY: Investigating a framework, but has not yet introduced legislation.

SEBI: Has not asserted jurisdiction over crypto; tokens have not been defined clearly as securities.

The absence of regulation is the key reason why Indian investors lack recourse.

Worldwide Comparison

United States

Exchanges are required to register with FinCEN (Financial Crimes Enforcement Network) and abide by AML / KYC responsibilities.

Some U.S. state regimes, most notably New York’s BitLicense, require exchanges to undergo cybersecurity audits, meet capital requirements, and maintain either insurance or reserve buffers.

U.S. investors typically engage in class-action lawsuits for negligence, breach of duty or misrepresentation when exchanges do not manage risks to protect these investors’ assets.

United Arab Emirates

In the UAE, the regulation of virtual assets is evolving at the federal and local levels. For example, in Dubai (excluding DIFC), virtual asset regulation is overseen by the Virtual Assets Regulatory Authority (VARA).

Pursuant to Law No. 4 of 2022 Regulating Virtual Assets in Dubai, any activity involving a virtual asset service must be licensed by VARA.

Exchanges in the UAE are subject to AML / KYC compliance, cybersecurity measures, transaction monitoring procedures, and a licensing regime.

Crypto operators working in regulatory zones or markets in the UAE, such as ADGM, DFSA, or SCA, must also address custody, audit and compliance expectations.

Moreover, guidance issued in the UAE informs licensed financial institutions that they should carry out enhanced due diligence on customers and on interactions with virtual asset service providers.

European Union

Under the Markets in Crypto Assets Regulation (MiCA), exchanges and custodians will be required to meet strict custody, capital and risk management standards.

Exchanges must segregate client assets (i.e., keep them distinct from proprietary assets) and may be required to reimburse users in certain breach or insolvency scenarios.

MiCA will also create mechanisms for enhanced transparency, disclosures, governance, and operational protections to safeguard client interests.

Singapore

The Monetary Authority of Singapore (MAS) licenses digital asset exchanges and establishes regulatory standards for custody, capital, and operational resilience.

Operators must hold client assets in trust accounts, undergo periodic audits and be subject to robust cybersecurity and operational risk standards.

Singapore has also introduced a standard regulatory regime for stablecoins, requiring that issuers maintain a reserve of assets backing issuances.

Case Studies: International Lessons

Mt. Gox Collapse (Japan, 2014)

850,000 bitcoins were lost in total. In response, Japan developed a complete set of regulations on crypto with investor safeguards in addition to a licensing requirement.

KuCoin Hack (Singapore, 2020)

Hackers stole $280 million from KuCoin. KuCoin returned funds to users even though they had been stolen, since it had insurance and was under regulatory scrutiny to reimburse.

FTX Collapse (2022)

Although not specifically a hack, the collapse of FTX highlighted the pitfalls of unregulated exchanges and wiped out investors in a matter of hours. Consequently, many jurisdictions implemented or reinforced regulations after seeing the loss of funds.

What Should Indian Crypto Investors Do Next?

Step 1: Register Complaints

  • Go to the National Cybercrime Reporting Portal and register cases.
  • File FIRs with local police to create records.

Step 2: Keep Track of Your Losses

  • Take screenshots of your balances.
  • Keep track of deposits and withdrawals, and records of conversations.

Step 3: Check for Consumer Options

  • If you have evidence of a deficiency of services, submit to consumer forums.

Step 4: Self-Custody

  • If you are holding for the long term, hold in hardware wallets.
  • Only use exchanges to trade.

Step 5: Carefully Vet Exchanges

  • Look for independent audits and proof-of-reserves.
  • Read the terms of service for liability protection.

Step 6: Diversify

  • Do not have all crypto on one platform.
  • You should have assets in exchanges as well as wallets.

The Future of Regulation in Crypto in India

Draft Crypto Bill

The draft cryptocurrency bill in India has been a subject of discussion for several years. Initial drafts proposed an outright ban on private cryptocurrencies, which created a state of uncertainty in the market. The tone of the discussion, however, has shifted from a potential ban to the use of regulation instead. Decision makers are now aware that outright bans are hard to monitor and can drive innovation and investment into other economies. The conversation has now shifted to designing a framework to provide for innovation while considering investor protection and financial stability.

Probable Components of Future Regulation

While the finalized text has yet to be published, based on conversations, reports issued by government committees and global trends, the future crypto regulation in India is likely to consist of:

Licensing of exchanges: Exchanges are likely to be required to obtain approval from the relevant regulator, so that only exchanges in compliance with the regulation may operate.

Insurance requirements: Exchanges may be required to purchase professional indemnity or custodial insurance to protect investors against hacks and fraud.

Investor protection fund: Similar to deposit insurance provided through banks, a pool of money may be created to compensate investors if there is a breach of security or financial distress on the part of the exchange.

Mandatory disclosures for hacks: Exchanges may be obliged to publicly disclose any hacks, losses, or breaches of security (within a certain time) so that investors are aware of the possible risks associated with a specific exchange.

AML and KYC provisions: More rigorous due diligence and reporting standards in line with product requirements set by FATF.

Industry Demands

Exchanges, investor groups and trade associations are lobbying for regulatory clarity. The argument is clear: regulation will provide consumer protection and engage institutional capital, global partnerships and innovative technology. Without legal certainty, global investors see no benefit in engaging with Indian crypto projects and businesses.

Industry stakeholders also want:

Tax clarity: The existing 30% tax on crypto gains with an additional 1% TDS should be simplified, as some believe it stifles genuine trading.

Recognising crypto as a digital asset class not associated with gambling or other speculative activities: The industry wishes to see crypto recognised as a digital asset class with intrinsic economic value.

Collaborating and working with regulators: There are several exchanges that would like to collaborate with regulators to construct compliance frameworks, transparency reports, and share best practices from other global markets.

The overall sentiment is that a transparent and defined regulatory framework will rejuvenate investor confidence, reduce fraud, and ultimately establish India as a leader in the digital asset economy.

Broader Legal Analysis: Would the Indian Courts Act?

Indian courts have stepped in in the past when consumer rights were in question or under threat. For example:

In ICICI Bank v. Shanti Devi Sharma (2008), the Supreme Court held that banks are to safeguard customers against fraud, i.e., banks have a duty of care towards their customers. This principle could similarly apply to exchanges if the courts deem crypto custody to be a financial service.

However, at this point, those arguments are mere speculation, as no legislative measures have been introduced to formally extend a new legal regime for consumers or a duty of care to custody.

Investor Safety Checklist

  • Do not keep your funds on exchanges for an extended period of time.
  • Store your crypto assets on a hardware wallet.
  • Enable two-factor authentication and anti-phishing codes.
  • Check periodic security audit reports of exchanges.
  • Use multiple exchanges to diversify value.

The WazirX and CoinDCX hacks highlighted the vulnerability of India’s crypto ecosystem. Presently, the law on crypto in India affords minimal investor protection. Those victimized by the hack can register complaints under the Information Technology Act, seek consumer protections or institute civil proceedings, but the outcome is still uncertain.

Globally, there are examples we can look to for stronger regulation. Mandatory insurance, proof-of-reserves, and investor protection funds can encourage trust in the market. Until then, crypto investor protection in India is left primarily to individual caution and exchange goodwill.

The touchstone, therefore, is simple: being literate in the law and self-protection is a must for all investors in crypto in India.
