India Orders Mandatory Cybersecurity Audits as Crypto Heists Surge

In a decisive response to mounting crypto security incidents, the Indian government has issued a directive requiring all cryptocurrency exchanges, custodians, and related intermediaries to undergo external cybersecurity audits. The move comes after several high-profile hacks rattled trust in the sector, and reflects a growing determination in New Delhi to bring crypto platforms under stricter oversight.

Under the new rules, any enterprise operating in the virtual digital assets space must now employ security auditors who are officially recognized by CERT-In, the national cybersecurity agency. Audits will evaluate IT infrastructure, controls, vulnerability assessments, and readiness to deal with cyber threats. Noncompliance could affect a platform’s ability to register or operate under India’s anti-money-laundering regime.

This requirement is not just aspirational — it is being tied to registration with the Financial Intelligence Unit (FIU-IND), the body overseeing compliance with India’s Prevention of Money Laundering Act (PMLA). Platforms that fail to undergo approved audits may lose their FIU registration, effectively cutting them off from legal status.

This policy is a reaction, in part, to a string of painful breaches that exposed systemic vulnerabilities in Indian crypto infrastructure. Most notably, one of India’s top exchanges, CoinDCX, reportedly lost the equivalent of ₹384 crore (tens of millions of dollars) in a cyberattack after hackers gained access to an internal account.

That incident echoed an even larger hack earlier: in mid-2024, WazirX, then a marquee name in Indian crypto, suffered a massive breach losing over $230 million in assets. That attack added urgency to regulatory calls for stronger safeguards.

Regulators also point to studies and industry data suggesting that crypto-related crimes make up as much as 20–25 percent of total cybercrime in India. With user assets increasingly moving through digital platforms, the government sees exposure growing.

The new rule demands that exchanges and custodians hire cybersecurity auditors who are empanelled or approved by CERT-In. These auditors must check system architecture, encryption practices, access controls, incident response plans, and resilience under attack.

Platform leadership — including designated directors, chief compliance officers, and principal officers — must immediately comply, as the directive attaches to their fiduciary responsibilities.

Beyond the first audit, platforms may be subject to ongoing checks, re-certifications, and live inspections. The government expects documentation of remedial work, proof of compliance, and transparency in dealing with vulnerabilities discovered.

Importantly, exchanges must complete these audits to maintain or obtain FIU registration. That makes the audits a compliance gate rather than a voluntary upgrade. Without it, an exchange could effectively be barred.

For large, well-capitalized exchanges, the new obligations are significant—but manageable. They will need to invest in cybersecurity tooling, audit consultants, governance documentation, and possibly revamp systems. But the more serious burden may fall on smaller or newer platforms with limited resources and less mature infrastructure.

Some exchanges will likely need to refactor or redesign underlying architecture to meet audit findings. That means downtime, technical risk, hiring specialists, and budget allocation—disruptions that many growing firms may struggle to absorb.

On the positive side, stronger audits and oversight could increase user confidence. In a field where trust is often fragile, visible compliance might encourage new users, institutional participants, and capital inflows. International investors tend to see auditability and security as essential preconditions.

Another real effect is consolidation risk. Some smaller players may find compliance too costly or operationally infeasible, making them acquisition targets or forcing them out of the market. The regulation could shrink the field toward well-resourced, regulated exchanges.

Finally, this audit regime shifts India’s crypto narrative. It signals that regulators are ready to treat crypto platforms more like financial institutions rather than fringe tech firms. Platforms now operate in a hybrid world of technology, finance, and regulation, with rising expectations for accountability.

Despite the clear logic behind the move, there are concerns and unanswered questions.

One issue is whether traditional auditors or security consultants can meaningfully assess crypto platforms. Crypto's infrastructure (smart contracts, wallets, on-chain logic, and the private-key custody and transaction-signing workflows behind them) differs from conventional IT systems, and a conventional infrastructure review can pass a platform whose signing keys or wallet controls are poorly protected. Auditors must develop that specialization or risk superficial assessments. Some fear audits becoming check-the-box affairs rather than deep security reviews.

Another challenge is jurisdiction and offshore operators. Many platforms or service providers are based overseas or use distributed infrastructure. The Indian audit mandate cannot easily reach infrastructure components outside of India’s regulatory control. Exchanges may respond by shifting parts of operations offshore—though that risks running afoul of local rules.

The timeline and clarity of enforcement will matter greatly. If enforcement is inconsistent, regulators may inadvertently create legal uncertainty. Platforms will want clear guidance on deadlines, standards, and consequences for noncompliance.

Critics may argue that audits alone don't guarantee security. An audit certifies a snapshot in time, and even well-audited platforms have been hacked; a single compromised internal account, the vector reported in the CoinDCX incident, can undo an otherwise clean assessment. The real test lies in active defense, secure coding, incident response, and ongoing vigilance. Mandating audits is necessary, but not sufficient.

Moreover, compliance cost is real and rising. Overregulation could stifle innovation, especially for new entrants, and push development to more lax jurisdictions. The regulation must strike a balance: strong safety without killing startup dynamism.

This policy shift is a milestone. It shows the Indian government transitioning from skepticism or ambivalence toward crypto to a more engaged, oversight-oriented stance. Regulators now emphasize that crypto platforms must meet security and financial standards just as banks and intermediaries do.

It also positions India closer to regulatory norms seen in advanced markets. Many jurisdictions are exploring or already require cybersecurity assessments or audits for financial platforms. India’s step ensures its crypto ecosystem aligns with global expectations.

For investors and users, the shift may raise confidence—and participation—if audits prove meaningful and enforcement credible. Over time, exchanges complying with rigorous standards could come to enjoy a “seal of security” advantage in user acquisition.

The policy also strengthens the backbone of India’s digital finance ambitions. Together with taxation, AML laws, KYC regimes, and stablecoin scrutiny, this audit mandate helps knit crypto activity into the broader legal and financial fabric.

Finally, over time, it may lead to further regulatory evolution. As platforms mature in security, the government might layer in requirements on disclosure, operational resilience, incident reporting, or even oversight of protocol risks.

India’s decision to mandate cybersecurity audits for crypto exchanges and custodians is a watershed moment in its regulatory evolution. Triggered by serious hacks and systemic risk concerns, the move compels platforms to prove they meet security standards or face deregistration.

While the burden will be real—especially for smaller players—this policy could elevate the credibility of Indian crypto markets. Its success depends not only on the rules themselves, but on how rigorously they are enforced, how well auditors adapt to crypto’s technical complexity, and whether India maintains the right balance between safety and innovation.

If done well, India may strengthen trust in its crypto infrastructure, attract more serious capital, and build a healthier ecosystem. If done poorly or unevenly, audits risk becoming checkbox rituals—or worse, driving crypto activity underground or abroad.
