27 Crypto Exchanges in Govt Crosshairs: Over 2800 Victims, Rs 600 crore Laundered in 21 Months

Overview of Findings

Between January 2024 and September 2025, India’s Ministry of Home Affairs (MHA) identified 27 virtual asset service providers (VASPs) — including top exchanges like CoinDCX, WazirX, Giottus, ZebPay, Mudrex, and CoinSwitch — that were allegedly used by cybercriminals to launder ₹623.63 crore obtained from 2,872 victims.

The data came from the National Cybercrime Reporting Portal (NCRP) and was analyzed by the Indian Cyber Crime Coordination Centre (I4C), marking one of the most substantial crypto-related money-laundering cases uncovered in India.

Key Trends and Patterns

·         Laundering channels: Victims were duped through fake investment apps; their funds were funneled into crypto, passed through multiple wallets, and layered across platforms.

·         Domestic vs. foreign exchanges: ₹200 crore went through Indian exchanges and ₹423.91 crore through others, revealing both local and cross-border misuse.

·         Growing sophistication: Officials described this as the most advanced crypto-laundering model yet seen in India’s cybercrime ecosystem.

·         Fake trading fronts: Many scams posed as legitimate trading or investment portals before routing deposits into digital assets.

Regulatory and Industry Response

Crypto platforms responded cautiously yet defensively:

·         CoinSwitch and CoinDCX emphasized their FIU registration, strict anti-money laundering (AML) compliance, and advanced wallet security measures.

·         Mudrex and Giottus drew parallels to regular fintech businesses, arguing that platforms shouldn’t be blamed for user misconduct provided they maintain due diligence.

·         WazirX, after its $235 million hack in 2024, announced a major security overhaul and partnership with BitGo, adding $250 million in insurance coverage.

Despite these claims, officials flagged compliance gaps, particularly with Know Your Customer (KYC) checks, grievance mechanisms, and withdrawal irregularities in several exchanges.

Enforcement and Fiscal Actions

The Directorate General of GST Intelligence (DGGI) found ₹824 crore in GST evasion among 17 crypto exchanges as of December 2024, recovering ₹122 crore in taxes, interest, and penalties.

The Financial Intelligence Unit (FIU) and Enforcement Directorate (ED) are now investigating whether intermediaries acted as “crypto mules”, converting scam money into tokens for commissions.

Broader Implications

The findings expose a critical trust and oversight vacuum in India’s crypto sector:

·         Many exchanges operate via foreign holding companies, citing investor convenience and regulatory uncertainty as reasons.

·         Regulators now face the dual challenge of enabling innovation while closing compliance loopholes that allow illicit fund flows.

·         The government plans tighter oversight of FIU-registered platforms and cross-border VASPs under AML and counter-terrorist financing (CTF) norms.

 

[ABS News Service/18.11.2025]

At least 27 cryptocurrency exchanges, or Virtual (digital) Asset Service Providers (VASPs), have been flagged by the Ministry of Home Affairs (MHA) as conduits used by cyber criminals for laundering at least Rs 623.63 crore, siphoned from 2,872 victims in just 21 months between January 2024 and September 2025.

In comparison, crime proceeds of Rs 25.3 crore reported in 769 complaints were transferred via 12 foreign crypto exchanges through credit/debit cards during 2024-2025, according to records of the MHA’s Indian Cyber Crime Coordination Centre (I4C).

These revelations, based on data compiled from the National Cybercrime Reporting Portal (NCRP), point to what investigators call the most sophisticated financial laundering model yet to emerge from India’s cybercrime ecosystem.

“The victims had primarily invested through fake trading or investment apps, unaware that their funds were being converted into digital assets and layered through dozens of wallets,” an official said, adding that I4C has now shared an internal list of these VASPs with enforcement agencies and the Financial Intelligence Unit (FIU) under the Finance Ministry.

IC4’s analysis of the NCRP data shows that crime proceeds worth Rs 200 crore reported in 1,608 complaints received until September 30 were routed to Indian VASPs, while another Rs 423.91 crore reported in 1,264 complaints was transferred last year.

At Rs 623.63 crore, the quantum of recorded crime proceeds is only “the tip of the iceberg”, say officials, but this shows how even Indian crypto exchanges registered with the FIU are not immune to misuse by cyber criminals, who otherwise bank heavily on the peer-to-peer routes or rogue crypto platforms to channel dirty money.

Among the exchanges flagged by the MHA are Coin DCX, WazirX, Giottus, ZebPay, Mudrex and CoinSwitch, primarily due to their significant market shares.

Reached for comments, CoinSwitch clarified “categorically” that no such “transfers” took place through the platform, which “operates within a fully ringfenced and compliant environment designed to prevent any misuse”.

CoinDCX said it was “bound by strict confidentiality obligations and therefore cannot disclose case-specific details” but emphasised that the platform is equipped with advanced security protocols such as multi-signature and multi-party computation (MPC) wallets to ensure safe handling of seized assets.

A number of exchanges underlined that a crypto platform is not a party “beyond facilitating lawful trade” to any transaction between individuals. Pranjal Agarwal, market head (India) at Mudrex, pointed out that all platforms registered with FIU since 2023 have resolved any issues related to KYC verification and AML (anti-money laundering) screening that might have existed before.

“As reporting entities, we regularly file STRs (suspicious transaction reports). There are grey areas in P2P transactions but funds coming into FIU-compliant platforms in INR exit only in INR through bank accounts. We conduct stringent checks on withdrawals as cryptos, which are allowed only to some private wallets, that too with enhanced due diligence,” Agarwal said.

Vikram Subburaj, CEO of Giottus crypto platform, offered a real-world analogy. “If a person with a criminal background were to order food on Swiggy or hail a cab through Ola, it would not make those platforms complicit in any crime that he has committed or would commit. The same principle applies to all FIU-registered crypto exchanges. A lot of proceeds of crime get transferred through banks as well. However, the banks are not party to any crime,” he said.

As the crypto ecosystem evolves, acknowledged a CoinDCX spokesperson, so do tactics used by bad actors. “Our focus is on staying ahead of these threats while maintaining rigorous compliance standards. This includes rapid onboarding of custodian accounts for LEAs, robust KYC/AML frameworks, and continuous enhancement of monitoring systems to identify and prevent misuse proactively,” the spokesperson said.

Beyond KYC compliance and AML screening, inadequate grievance redressal mechanism at many exchanges and not-so-uncommon glitches causing delay in funds withdrawal, inconsistent accounting and even unwarranted deductions have also led to a backlash from some platform users. Moreover, recent breaches of some of India’s biggest crypto exchanges have also shaken user confidence.

Nischal Shetty, co-founder of WazirX, which lost $235 in a major hacking incident in July 2024, blamed the breach on third-party issues. “The WazirX server was not breached but a third-party custody server was compromised. We have already paid back 85% of our liabilities and relaunched on October 24. To fortify user trust, we have now partnered with asset custodian BitGo with an insurance cover of USD 250 million,” he said.

ZebPay said its highest priority is to ensure platform integrity, user security, and the highest standards of transparency and compliance. “We operate with stringent KYC, AML, and cybersecurity protocols and maintain robust monitoring systems to prevent and detect suspicious activity,” it said in a statement.

The ownership structure of several top Indian crypto platforms, functioning in what a senior industry hand called a “trust and oversight vacuum”, are helmed by foreign holding companies.

While many of them played down the trend as a common practice with fintech startups for the “ease of raising capital” through a holding company located in a convenient jurisdiction, some conceded it was due to “other considerations”.

“There is the tax angle, particularly during an acquisition. But one cannot ignore the regulatory uncertainty. The ban in 2018 left the platforms without even bank accounts in India. In such a scenario, a layered operation is an existential requirement,” said the CTO of an Indian crypto exchange, speaking on condition of anonymity.

“But one must differentiate between offshore platforms from Seychelles or Cayman (Islands) and those who operate from legitimate jurisdictions such as Singapore or the US,” he said.

The reluctance of a few crypto exchanges to pay 18% GST, in lieu of intermediary services provided for trading, did not help build trust between the industry and the government, according to an official with the Directorate General of GST Intelligence (DGGI), which searched the premises of several crypto platforms in 2022.

The Finance Ministry reported GST evasion of Rs 824.14 crore by 17 crypto exchanges and the recovery of Rs 122.29 crore, including interest and penalties, by December 2024. The foreign crypto platforms providing services to Indians also came under the GST regime this July.

The Enforcement Directorate (ED) and FIU are now probing whether Indian intermediaries are functioning as “crypto mules,” converting scam proceeds into tokens for commission. Investigators are also examining if VASP compliance failures allowed unverified accounts to bypass KYC processes.

In its analyses of the NCRP data, the IC4 identified that the single largest fraudulent transfer – Rs 10.09 crore – passed through UK/US based – Onlychain Vilnius. The second largest such transfer – Rs 8.13 crore – passed through Mauritius-based Ezipay Ebene.

While Onlychain Vilnius did not respond to a request for comment, Ezipay denied being a cryptocurrency service. “We do not advertise or provide crypto-related products directly or indirectly. All transactions are conducted through card-based remittances subject to 3D Secure and full regulatory compliance,” it said in a statement, asserting that it cooperates with Indian agencies when required.