India Mandates Cybersecurity Audits for Crypto Firms
The Indian government has made cybersecurity audits mandatory for cryptocurrency exchanges, custodians, and intermediaries. This move responds to a rise in crypto-related cybercrimes.
According to a report by The Economic Times, a new security auditor under the Indian Computer Emergency Response Team (CERT-In) will conduct these audits. CERT-In operates under the Ministry of Electronics and Information Technology and oversees India’s cyberspace security.
The audits are linked to registration with the Financial Intelligence Unit (FIU), India’s anti-money laundering agency. Virtual digital asset (VDA) firms must comply with standards similar to those for banks, as they fall under the Prevention of Money Laundering Act (PMLA).
In a letter dated September 15, 2025, the FIU instructed VDA service providers to ensure compliance officers and directors act promptly. India currently has about 55 entities involved in crypto trading, custody, and related services. The FIU can deny or cancel registrations if firms fail to meet anti-money laundering rules.
Rising Crypto Cybercrimes Drive New Rules
Cryptocurrency crimes are increasing in India. Local exchange Giottus reported that crypto-related crimes make up 20–25% of all cybercrime cases in the country.
Recent hacks exploited security gaps to steal digital assets. Criminals then launder funds through global networks, darknet markets, privacy coins, and coin-mixing services to hide transaction trails.
In August 2025, the Indian Parliament’s Standing Committee on Home Affairs released its 254th Report titled “Cyber Crime – Ramifications, Protection and Prevention.” The report highlights how cryptocurrencies are used in financial fraud, money laundering, ransomware, and human trafficking. The term “crypto” appears repeatedly in a negative context.
Industry Views on Cybersecurity Audits and Regulation
The new audits are a positive step but raise questions. Cybersecurity auditors usually review banks and brokerages. It is unclear if they can fully assess crypto platforms’ unique risks.
Protecting private keys, which control access to funds, is a key concern. Auditors must verify how these keys are stored and secured.
Harshal Bhuta, partner at CA firm P. R. Bhuta & Co., said, “The introduction of cyber security audits is likely triggered by recent crypto thefts.” He added that CERT-In’s April 2022 directions require firms to keep logs and subscriber data, aiding authorities in tracking illicit funds.
Advocate Purushottam Anand, founder of Crypto Legal, noted that the FIU replaced the “Fit & Proper” certificate with “Partner Accreditation for Compliance & Trust” (PACT). He expects the FIU to provide more guidance on audit scope and parameters.
India’s crypto industry faces challenges like high taxes and no dedicated regulatory framework. A recent Mudrex survey of 9,352 Indians found 93% support crypto regulation. Among them, 56% want full investor protection, 24% prefer lighter oversight for innovation, and 13% favor regulation limited to taxation.
Some reports suggest the government may regulate Bitcoin, stablecoins, and utility tokens differently based on their use.