Frozen Wallets and Fading Trust: Legal Remedies available in cases of Cryptocurrency frauds and data breach

Summary: This two-part series uses the WazirX cyberattack of July 18, 2024, in which crypto assets worth approximately USD 230 million were stolen from a multisig wallet, as a factual anchor to map the full spectrum of legal remedies available to Indian crypto users whose assets have been frozen, eroded, or subjected to proposed “socialisation” haircuts following a platform breach. Part I examines the criminal, cyber law, and data protection remedies available to crypto users following a platform breach and explains how a layered strategy combining these remedies offers the most effective path.

Introduction

The July 2024 cyberattack on WazirX compromised one of its multi-signature wallets and resulted in the loss of over USD 230 million in digital assets, with thousands of users finding their holdings frozen overnight. This incident not only marked a watershed moment for India’s cryptocurrency ecosystem, but also raised a fundamental question: What legal recourse do users have when a platform breach, a third-party custody failure, and/or internal negligence leads to loss, freezing, or proposed restructuring of their digital assets?

In a jurisdiction like India where cryptocurrency is sparsely regulated, users seeking appropriate relief must rely on a patchwork of legal frameworks, including criminal law, the Information Technology Act, 2000 (“IT Act”), the Digital Personal Data Protection Act, 2023 (“DPDP Act”), and contractual remedies under user agreements. This two-part blog series navigates the pathways available to users following a security breach. Part I primarily focuses on criminal and regulatory remedies, and Part II examines how Indian arbitration courts are increasingly willing to grant/uphold interim protection to users, while consumer commissions may not be the most suitable fora for reliefs.

Criminal Law: The Opening Salvo

Following the cyberattack, Zanmai Labs Pvt. Ltd. (“Zanmai”), the company operating WazirX, lodged a criminal complaint under the Bharatiya Nyaya Sanhita, 2023 (“BNS”) and the IT Act. An FIR was registered,[1] and an individual allegedly connected to the creation of fake WazirX accounts used in the cyberattack was arrested.[2] The Sessions Court has repeatedly denied bail, citing the gravity of the offence and the individual’s active role in the criminal conspiracy.[3]

Courts have viewed crypto-fraud as an “economic offence”. Because such an offence has the potential to affect the country’s economy and involves the loss of public funds, courts have adopted a more conservative approach in matters of bail.[4] The Delhi High Court has also highlighted the public-interest dimension of cryptocurrency transactions, i.e., dissolution of recognised money into the dark, unknown, and untraceable channels.[5]

Users may often instinctively treat the breach as a purely external event beyond the platform’s control, such as hacking. Although often true, it is not always the case – especially when the platform’s management is either responsible for, or was negligent in preventing, the cyberattack and/or its operational lapses contributed to the incident or the extent of losses. Therefore, users’ legal rights and remedies vary based on the platform’s conduct.

It therefore makes sense that, after the WazirX cyberattack, several users approached the Supreme Court, inter alia seeking the formation of a special investigation team, forensic audit, and freezing of WazirX assets.[6] However, the Supreme Court declined to entertain the petition as the prayers sought were within the domain of the legislature and the executive, but left it to the petitioners to approach the appropriate authority.[7] Some users then approached the Delhi High Court seeking similar reliefs.[8] The Delhi High Court was more amenable to exercising its jurisdiction, and recognised that thousands of crores are invested/deployed by the public using these platforms.[9] The High Court has issued notices to the respondents, including the Union of India (“UOI”), the Securities and Exchange Board of India (“SEBI”), the Reserve Bank of India (“RBI”), and WazirX.[10] It specifically directed UOI, SEBI, and RBI to indicate in their replies (i) the regulatory mechanism in place to exercise oversight over platforms such as WazirX, through which trading/investment in “crypto currency” is offered/enabled for public at large and (ii) whether any action has been taken or is proposed to be taken by the regulatory authorities against the entities operating the WazirX platform.[11] The matter is presently being heard finally.

Aggrieved users facing loss of holdings may consider filing a criminal complaint against the platform, subject to the relevant facts and provided that dishonest intention on part of the platform is evident/can be gauged, alleging the commission of criminal offences under the BNS and the IT Act, indicatively:

  • Criminal breach of trust by an agent entrusted with a property [Section 316 (5) of BNS] – A user will have to demonstrate dishonest misappropriation/use of the cryptocurrency or its disposal in violation of any law or any contract (i.e., a user agreement) by the platform entrusted with the same, such as a banker, merchant, factor, broker, attorney or agent;
  • Cheating [Section 318 of BNS] – A user will have to establish that they were induced/lured to invest by false or dishonest representations by the platform, including assurances of safety or security. However, the users will have to demonstrate the platform’s dishonesty at the time of the inducement (mens rea at inception);
  • Criminal conspiracy [Section 61 of BNS] – This offence is generally alleged in conjunction with criminal breach of trust or cheating above, when there are two or more persons involved, with the common object to do an illegal act or cause an illegal act to be done; or
  • Disclosure of information in breach of lawful contract [Section 72A of the IT Act] – A user will have to establish unauthorised disclosure of personal data in breach of the user agreement/platform’s contractual confidentiality obligations, which disclosure was made with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain.  

Users should create a clear factual narrative on how assets were deposited, what the platform represented, how control was exercised, and how the asset loss or restrictions arose. They may also file complaints on the National Cyber Crime Reporting Portal.[12] Some states (e.g., Delhi[13]) have dedicated cryptocurrency-related advisories.

Data Breaches and the DPDP Act, 2023

While criminal law addresses intentional wrongdoing, data protection law addresses systemic failures in safeguarding user information.

Given (i) the broad and extensive definition of “personal data”[14] and “personal data breach”[15] under the DPDP Act and (ii) that cryptocurrency platforms process extensive personal data, most incidents of unauthorised access are likely to trigger obligations under the DPDP Act and Rules.

The key duties of platforms include:

  1. Preventive duties: Platforms must implement “reasonable security safeguards” to prevent personal data breach, including encryption, access controls, log retention, and contractual protections with data processors.[16]
  2. Post-breach duties: Platforms must notify both the Data Protection Board (“DPB”) and affected users without any delay, in a concise, clear, and plain manner.[17]

Following a data breach, a user (referred to as “Data Principal” under the DPDP Act) must first initiate action under the grievance redressal mechanism established by the Data Fiduciary (i.e., the cryptocurrency platform) before approaching the DPB.[18] If dissatisfied, they may escalate to the DPB,[19] whose decisions can be appealed before the Telecom Disputes Settlement and Appellate Tribunal and thereafter before the Supreme Court.

The DPB was established by a notification dated November 13, 2025, but the core operational provisions of the DPDP Act, including the DPB’s power to act on any intimation of personal data breach/complaint by a user, will come into force on May 13, 2027.[20]

Additionally, penalties under the DPDP Act, which can extend up to INR 250 crore for serious violations, are credited to the Consolidated Fund of India.[21] In other words, the DPDP Act does not provide for direct compensation to individual users for any loss suffered.

Nevertheless, in cases where the DPB identifies lapses in governance or security safeguards, findings under the DPDP Act may offer users meaningful leverage to strengthen their parallel criminal, civil, or arbitral claims.

CERT-In Directions

Separately, cryptocurrency platforms are also subject to the directions of the Indian Computer Emergency Response Team (“CERT-In”), which mandate maintaining security logs, ensuring compliance with prescribed cybersecurity practices, and reporting of data breach incidents within six hours.[22] While CERT‑In does not provide private remedies to users, non‑compliance exposes platforms to fines and even imprisonment for responsible personnel.[23]

Closing Thoughts: A Coordinated Response Matters

For users affected by platform breaches, the key lesson is not to rely on a single legal pathway. Criminal complaints trigger investigation and preserve evidence. Invoking the DPDP or CERT-In framework assists in establishing security lapses and imposing regulatory accountability. Meanwhile, civil or arbitral actions arising out of user agreements remain central to recovering losses/damages. Part II of this series (to follow) will examine how Indian courts, exercising jurisdiction under the Arbitration and Conciliation Act, 1996, have protected users impacted in the WazirX cyberattack. It will also discuss the National Consumer Disputes Redressal Forum’s view that such users should pursue other civil or criminal remedies rather than approach consumer commissions.


[1] https://wazirx.com/blog/wazirx-cyber-attack-day-wise-report/

[2] Delhi Police arrests Bengal man in Rs 2,000 crore WazirX cyberattack case, made fake account to facilitate hack – India Today

[3] https://indianexpress.com/article/cities/delhi/quantum-of-fraud-unprecedented-delhi-court-denies-bail-to-accused-in-rs-2000-crore-wazirx-cyberattack-case-10303363/

[4] Sunil Kumar v. State of Himachal Pradesh, Cr. MP (M) No. 1381 of 2025 (at Pr. 14-20) while relying on Nimmagadda Prasad vs. CBI, (2013) 7 SCC 466 and State of Bihar Vs. Amit Kumar, (2017) 13 SCC 751

[5] Umesh Verma vs. State, Bail Appln. 3788/2022 & CRL.M.A. 22040/2023, dated 14.07.2025 (at Pr. 11)

[6] https://www.financemagnates.com/trending/wazirx-investors-told-to-approach-government-after-court-dismissal-in-2000-crore-crypto-hack/.

[7] Hajarimal Bathra & Ors. Vs. Union of India & Ors., WP (Criminal) No. 161 of 2025, Order dated 16.04.2025

[8] Sudhir Verma & Anr. V. Union of India through the secretary to the Ministry of Finance & Ors., W.P.(C) 14969/2024 & CM APPL. 62785/2024, Order dated 24.10.2024.

[9] Ibid, Order dated 15.01.2025.

[10] Ibid, Orders dated 15.01.2025.

[11] Ibid, Order dated 15.01.2025.

[12] https://cybercrime.gov.in/Webform/FAQ.aspx

[13] https://cyber.delhipolice.gov.in/bitcoin.html

[14] Section 2(t), DPDP Act.

[15] Section 2(u), DPDP Act.

[16] Section 8(6), DPDP Act read with Rule 6 of the DPDP Rules, 2025. Rule 6 of the DPDP Rules prescribes minimum “reasonable security safeguards,” including measures like encryption/obfuscation/masking/virtual tokens, access controls, logging/monitoring, backups/continued processing measures, log retention (minimum one year), and contractual safeguards with data processors.

[17] Section 8(6), DPDP Act read with Rule 7 of the DPDP Rules, 2025.

[18] Section 13, DPDP Act

[19] Section 27(1)(b), DPDP Act.

[20] MeITY Notification dated 13th November 2025, G.S.R. 843(E).

[21] Section 33, DPDP Act.

[22] Notification No. 20(3)/2022-CERT-In, Government of India, MeitY, dated 28th April 2022

[23] Section 70B of IT Act.