India’s cryptocurrency ecosystem is at the centre of a controversy yet again, with a major cyber attack on leading crypto exchange CoinDCX on July 18 resulting in a loss of around $44 million.
According to the company, the data breach was limited to an internal operational wallet and will not impact user funds. The platform has since initiated an investigation into the incident.
“Today, one of our internal operational accounts—used only for liquidity provisioning on a partner exchange—was compromised due to a sophisticated server breach. I confirm that the CoinDCX wallets used to store customer assets are not impacted and are completely safe,” CoinDCX co-founder and CEO Sumit Gupta said on microblogging platform X (formerly Twitter).
Investors’ funds safe, say co-founders
He sought to assure investors that their funds were not affected and their main assets remain safe in a secure cold wallet infrastructure. All trading activity and rupee withdrawals continue to be fully operational.
“The incident was quickly contained by isolating the affected operational account. Since our operational accounts are segregated from customer wallets, the exposure is only limited to this specific account and is being fully absorbed by us—from our own treasury reserves. Our internal security and operations teams have been working through the day along with leading cybersecurity partners to investigate the matter, patch any vulnerabilities and trace the movement of funds,” Gupta said.
The hack comes almost exactly a year after the WazirX incident on July 18, 2024, where close to $235 million worth of digital assets were wiped out during a major security breach.
CoinDCX has announced that it will work with its exchange partner to block and recover assets and will roll out a bug bounty programme soon.
No regulations, but laws will prevail
While the exchange’s co-founders have issued statements to reassure customers about the safety of their investments, the second major hack in a year has raised fresh concerns about the security and lack of regulations around virtual digital assets.
Despite the lack of a regulatory framework for cryptocurrencies in India, investors are not entirely without protection. The existing contract and consumer protection laws do offer mechanisms for redressal in the event of disputes, data breaches or negligence by crypto exchanges and platforms.
“Though cryptocurrencies are unregulated in India, investors may still seek recourse under general laws like the Indian Contract Act, Consumer Protection Act and IT Act for data breaches or hacks,” said Shiju PV, managing partner, IndiaLaw LLP. You can press for enforcing your contractual rights in Indian courts based on the platform’s terms and conditions. You can also seek legal remedies if personal data is compromised during a breach, he added.
“While there is no specific legislation governing cryptocurrencies, victims of such cyberattacks may resort to general provisions under the Indian Penal Code (for offences like cheating, theft and criminal breach of trust) and the Information Technology Act, 2000—particularly Sections 43 and 66 dealing with unauthorised access and data breaches,” said Sukrit Kapoor, partner, King Stubb & Kasiva, Advocates and Attorneys.
This apart, crypto exchanges that fail to adopt reasonable security practices may be exposed to civil liability under Section 43A of the IT Act. “They may also attract scrutiny under CERT-In’s 2022 cybersecurity directions, which require mandatory breach reporting and log retention by virtual asset service providers,” Kapoor pointed out.
The CoinDCX statement said customer funds have not been affected by the breach, but custodial exchanges are expected to maintain higher standards of data security than others. “Though crypto platforms operate in a decentralised ecosystem, liability in India is increasingly being determined based on the custodial nature of the platform. Custodial exchanges—where user funds are stored—are expected to maintain high standards of cyber hygiene and may be held accountable for operational negligence, even if customer funds are unaffected,” added Kapoor.
To be sure, there is no statutory distinction yet between custodial and non-custodial services, so the enforcement authorities may invoke existing provisions of the IT Act, CERT-In directions and notifications under the Prevention of Money Laundering Act to bring erring exchanges under scrutiny. “Going forward, the absence of crypto-specific regulations cannot be a defence for poor governance or failure to safeguard digital assets,” Kapoor argued.
Yet, despite all the legal safeguards, the lack of a dedicated regulator continues to be a challenge for crypto investors. “Other limitations include foreign jurisdiction of exchanges and liability waivers in user agreements. Investors should closely review terms and conditions, especially grievance redressal and data protection clauses. Legal remedies exist, but enforcement can be challenging and uncertain,” said Shiju of IndiaLaw.