The rise of cryptocurrency in India has brought with it a surge in online financial fraud, leaving many investors unaware of how their funds vanish into digital labyrinths. An investigation covering the period from January 2024 to September 2025 has revealed that at least 27 cryptocurrency exchanges were exploited by cybercriminals for laundering illicit funds.
According to a report prepared by the Ministry of Home Affairs (MHA), these platforms were used to defraud 2,872 individuals of a total Rs 623.63 crore over just 21 months. The report, compiled by the National Cybercrime Reporting Portal (NCRP) and the Indian Cyber Crime Coordination Centre (I4C), describes the cases as one of the most complex cyber money-laundering operations detected so far in the country.
Investigators found that Rs 25.3 crore was also routed through 12 foreign exchanges during the same period, but Indian platforms accounted for the overwhelming majority of the losses. Most victims reportedly believed they were investing in legitimate trading apps, unaware that their money was being converted into cryptocurrency and shuffled through multiple wallets, making tracing extremely difficult.
An I4C official said that the victims had no clue where their hard-earned money was going. In response, I4C prepared an internal list of 27 virtual asset service provider (VASP) platforms, which was shared with investigation agencies and the Financial Intelligence Unit (FIU) to prevent further misuse.
The report highlighted that, out of 1,608 complaints filed by September 2025, Rs 200 crore had been transferred to VASPs, while Rs 423.91 crore was routed out through these platforms in 1,264 complaints. Experts, however, caution that these figures likely represent only the tip of the iceberg.
Prominent crypto exchanges identified in the MHA report include CoinDCX, WazirX, Giottus, ZebPay, Mudrex, and CoinSwitch, platforms that command significant market share, making them attractive targets for cybercriminals.
CoinSwitch, responding to the allegations, stated that no such transfers happened from their platform. “Our system is fully secure and compliant with all regulations,” it said.
CoinDCX said it employs advanced hybrid security technologies, including multi-signature and multi-party computation (MPC) wallets, while citing privacy constraints in sharing case-specific data.
Several exchanges emphasised that their role is transactional, and ultimate responsibility lies with users. Mudrex India head Pranjal Agarwal noted that all FIU-registered platforms have enhanced KYC and anti-money laundering (AML) mechanisms since 2023.
Giottus CEO Vikram Subburaj drew a comparison with everyday services, stating, “If a criminal orders food via Swiggy or hails a cab from Ola, it does not implicate those companies in the crime. The same principle applies to crypto exchanges.”
Despite these reassurances, investor confidence has been shaken by recurring issues such as KYC gaps, delayed withdrawals, unresolved complaints, sudden account deductions, and cyberattacks.
Notably, WazirX suffered a major hack in July 2024, resulting in a loss of around $235 million. Co-founder Nischal Shetty clarified that the breach occurred on a third-party custody server, not WazirX’s infrastructure, and claimed that 85% of affected funds have since been recovered.
Industry insiders also point to regulatory and operational challenges. During the 2018 crypto ban, Indian exchanges lacked bank accounts, prompting many to establish foreign holding entities to operate. Investigations by the Directorate General of GST Intelligence in 2022 revealed that 17 crypto exchanges had failed to pay Rs 824.14 crore in GST, of which Rs 122.29 crore was later recovered.
Authorities, including the Enforcement Directorate (ED) and FIU, are now examining whether intermediaries acted as “crypto mules”, converting illicit funds into digital tokens, and whether KYC lapses enabled misuse. Among the largest transfers recorded in NCRP data were Rs 10.09 crore via UK/US-based Onlychain Vilnius and Rs 8.13 crore through Mauritius-based Ezipay Ebene. Onlychain Vilnius did not respond to queries, while Ezipay denied providing crypto services, noting that all transactions are card-based and comply with security regulations.