At least 27 cryptocurrency exchanges, or Virtual (digital) Asset Service Providers (VASPs), have been flagged by the Ministry of Home Affairs (MHA) as conduits used by cyber criminals for laundering at least Rs 623.63 crore, siphoned from 2,872 victims in just 21 months between January 2024 and September 2025.In comparison, crime proceeds of Rs 25.3 crore reported in 769 complaints were transferred via 12 foreign crypto exchanges through credit/debit cards during 2024-2025, according to records of the MHA’s Indian Cyber Crime Coordination Centre (I4C).These revelations, based on data compiled from the National Cybercrime Reporting Portal (NCRP), point to what investigators call the most sophisticated financial laundering model yet to emerge from India’s cybercrime ecosystem.“The victims had primarily invested through fake trading or investment apps, unaware that their funds were being converted into digital assets and layered through dozens of wallets,” an official said, adding that I4C has now shared an internal list of these VASPs with enforcement agencies and the Financial Intelligence Unit (FIU) under the Finance Ministry.IC4’s analysis of the NCRP data shows that crime proceeds worth Rs 200 crore reported in 1,608 complaints received until September 30 were routed to Indian VASPs, while another Rs 423.91 crore reported in 1,264 complaints was transferred last year.Read | After tax havens, dirty money finds a new home: CryptocurrencyAt Rs 623.63 crore, the quantum of recorded crime proceeds is only “the tip of the iceberg”, say officials, but this shows how even Indian crypto exchanges registered with the FIU are not immune to misuse by cyber criminals, who otherwise bank heavily on the peer-to-peer routes or rogue crypto platforms to channel dirty money.Among the exchanges flagged by the MHA are Coin DCX, WazirX, Giottus, ZebPay, Mudrex and CoinSwitch, primarily due to their significant market shares.Story continues below this adReached for comments, CoinSwitch clarified “categorically” that no such “transfers” took place through the platform, which “operates within a fully ringfenced and compliant environment designed to prevent any misuse”.CoinDCX said it was “bound by strict confidentiality obligations and therefore cannot disclose case-specific details” but emphasised that the platform is equipped with advanced security protocols such as multi-signature and multi-party computation (MPC) wallets to ensure safe handling of seized assets.A number of exchanges underlined that a crypto platform is not a party “beyond facilitating lawful trade” to any transaction between individuals. Pranjal Agarwal, market head (India) at Mudrex, pointed out that all platforms registered with FIU since 2023 have resolved any issues related to KYC verification and AML (anti-money laundering) screening that might have existed before.Also read | New crypto adds many blindfolds to old hawala“As reporting entities, we regularly file STRs (suspicious transaction reports). There are grey areas in P2P transactions but funds coming into FIU-compliant platforms in INR exit only in INR through bank accounts. We conduct stringent checks on withdrawals as cryptos, which are allowed only to some private wallets, that too with enhanced due diligence,” Agarwal said.Story continues below this adVikram Subburaj, CEO of Giottus crypto platform, offered a real-world analogy. “If a person with a criminal background were to order food on Swiggy or hail a cab through Ola, it would not make those platforms complicit in any crime that he has committed or would commit. The same principle applies to all FIU-registered crypto exchanges. A lot of proceeds of crime get transferred through banks as well. However, the banks are not party to any crime,” he said.As the crypto ecosystem evolves, acknowledged a CoinDCX spokesperson, so do tactics used by bad actors. “Our focus is on staying ahead of these threats while maintaining rigorous compliance standards. This includes rapid onboarding of custodian accounts for LEAs, robust KYC/AML frameworks, and continuous enhancement of monitoring systems to identify and prevent misuse proactively,” the spokesperson said.Also read | Agencies track trail: India to China via Dubai and CambodiaBeyond KYC compliance and AML screening, inadequate grievance redressal mechanism at many exchanges and not-so-uncommon glitches causing delay in funds withdrawal, inconsistent accounting and even unwarranted deductions have also led to a backlash from some platform users. Moreover, recent breaches of some of India’s biggest crypto exchanges have also shaken user confidence.Nischal Shetty, co-founder of WazirX, which lost $235 in a major hacking incident in July 2024, blamed the breach on third-party issues. “The WazirX server was not breached but a third-party custody server was compromised. We have already paid back 85% of our liabilities and relaunched on October 24. To fortify user trust, we have now partnered with asset custodian BitGo with an insurance cover of USD 250 million,” he said.Story continues below this adZebPay said its highest priority is to ensure platform integrity, user security, and the highest standards of transparency and compliance. “We operate with stringent KYC, AML, and cybersecurity protocols and maintain robust monitoring systems to prevent and detect suspicious activity,” it said in a statement.The ownership structure of several top Indian crypto platforms, functioning in what a senior industry hand called a “trust and oversight vacuum”, are helmed by foreign holding companies.While many of them played down the trend as a common practice with fintech startups for the “ease of raising capital” through a holding company located in a convenient jurisdiction, some conceded it was due to “other considerations”.“There is the tax angle, particularly during an acquisition. But one cannot ignore the regulatory uncertainty. The ban in 2018 left the platforms without even bank accounts in India. In such a scenario, a layered operation is an existential requirement,” said the CTO of an Indian crypto exchange, speaking on condition of anonymity.Story continues below this ad“But one must differentiate between offshore platforms from Seychelles or Cayman (Islands) and those who operate from legitimate jurisdictions such as Singapore or the US,” he said.The reluctance of a few crypto exchanges to pay 18% GST, in lieu of intermediary services provided for trading, did not help build trust between the industry and the government, according to an official with the Directorate General of GST Intelligence (DGGI), which searched the premises of several crypto platforms in 2022.The Finance Ministry reported GST evasion of Rs 824.14 crore by 17 crypto exchanges and the recovery of Rs 122.29 crore, including interest and penalties, by December 2024. The foreign crypto platforms providing services to Indians also came under the GST regime this July.The Enforcement Directorate (ED) and FIU are now probing whether Indian intermediaries are functioning as “crypto mules,” converting scam proceeds into tokens for commission. Investigators are also examining if VASP compliance failures allowed unverified accounts to bypass KYC processes.Story continues below this adIn its analyses of the NCRP data, the IC4 identified that the single largest fraudulent transfer – Rs 10.09 crore – passed through UK/US based – Onlychain Vilnius. The second largest such transfer – Rs 8.13 crore – passed through Mauritius-based Ezipay Ebene.While Onlychain Vilnius did not respond to a request for comment, Ezipay denied being a cryptocurrency service. “We do not advertise or provide crypto-related products directly or indirectly. All transactions are conducted through card-based remittances subject to 3D Secure and full regulatory compliance,” it said in a statement, asserting that it cooperates with Indian agencies when required.