The recent dismissal of a lawsuit against WazirX by the National Consumer Disputes Redressal Commission (NCDRC) has once again thrown a spotlight on the legal vacuum surrounding cryptocurrency regulation in India. Investors who suffered massive losses following a major cybersecurity breach in July 2024 took their grievances to the national consumer forum, accusing WazirX of service deficiency and unfair trade practices. However, the NCDRC rejected the case, citing the lack of legal clarity around digital assets and its own limited jurisdiction over such matters.
This decision has fueled frustration among investors, who are left without a clear legal pathway to seek redress. At the same time, it underscores the urgent need for a defined legal and regulatory framework for cryptocurrency in India—a need that grows more critical with each high-profile breach or fraud incident.
What Happened?
On July 18, 2024, WazirX suffered one of the largest crypto exchange breaches in Indian history. Hackers siphoned off over $233 million worth of digital assets—nearly 45% of the platform’s total holdings at the time—from one of its multisig (multisignature) wallets. These wallets require two or more private keys to authenticate transactions, offering an added layer of security over standard wallets. Yet the breach exposed glaring vulnerabilities in WazirX’s security systems.
Immediately after the attack, WazirX halted all user withdrawals. The decision left thousands of investors in a financial lurch. Over the next few months, user complaints surged, and tensions rose. In September, a Singapore court granted the platform a four-month moratorium, preventing legal proceedings and further halting withdrawal processes. By then, investor losses had mounted, and user trust had eroded.
WazirX later attributed the attack to the infamous North Korean hacker collective, Lazarus Group. Although the company launched an internal investigation and communicated with international agencies, it failed to offer compensation or a clear timeline for restoring services. This inaction prompted a group of Indian investors to take the matter to the NCDRC in January 2025.
The Legal Arguments
Investors brought forward two key complaints:
-
Deficiency in Service – They accused WazirX of failing to implement adequate cybersecurity measures to protect user funds.
-
Unfair Trade Practice – They alleged that the platform acted unfairly by suspending withdrawals indefinitely after the hack.
The plaintiffs argued that WazirX operated as a financial service provider and must therefore ensure high standards of security. They also claimed that by continuing to list and trade tokens even while halting withdrawals, the exchange created false perceptions of liquidity and availability.
NCDRC’s Response and Ruling
The NCDRC declined to entertain the complaint, stating that the cryptocurrency space remains outside its jurisdiction due to the “nebulous” regulatory regime. In particular, the commission addressed two questions:
-
Is Cryptocurrency a ‘Good’ under the Consumer Protection Act, 2019?
The court noted that digital assets do not clearly fall under the definition of ‘goods’ or ‘services’ in the CPA. Since the law does not explicitly include cryptocurrency, the commission cannot assume authority to adjudicate disputes related to it. -
Does the Commission Have Jurisdiction?
The court concluded that in the absence of specific legislation regulating cryptocurrency, the consumer forum lacks jurisdiction. It refused to comment on whether WazirX could have prevented the security breach or how the loss affected users financially.
By declining to delve into the technical or operational details of the breach, the commission effectively left victims without a legal remedy. The ruling creates a dangerous precedent, where platforms can escape liability by operating in a legally undefined zone.
Investor Fallout and Industry Reactions
Investors have reacted with disappointment and frustration. Many of them invested their life savings into crypto through WazirX, believing that the platform offered sufficient safeguards. With the NCDRC shutting the door on redress, affected users now face a legal impasse.
Industry stakeholders expressed concern over the precedent the ruling sets. Crypto analysts and fintech lawyers warned that this decision might embolden other platforms to operate with minimal accountability. Without defined legal responsibilities, exchanges could potentially avoid liabilities in future breaches or malpractices.
A Broader Governance Problem
India has yet to introduce comprehensive legislation on cryptocurrency. The Reserve Bank of India (RBI) remains skeptical of digital currencies, while the Ministry of Finance has proposed regulatory frameworks multiple times—none of which have materialized into enforceable laws.
This delay creates a governance gap. While some crypto exchanges operate semi-regulated by adhering to Know Your Customer (KYC) norms and taxation rules, the lack of a specific statute means they operate without strict legal oversight.
In WazirX’s case, the breach not only exposed cybersecurity weaknesses but also brought the platform’s operational and financial governance under scrutiny. Yet, in the absence of legal standards, neither regulators nor courts can hold such platforms accountable.
What’s Next?
For Indian crypto investors, the ruling marks a sobering reality. Until the government introduces a clear crypto law or amends existing ones like the CPA to include digital assets, investor protections remain minimal.
Legal experts suggest three possible actions going forward:
-
Legislative Action – Parliament must urgently pass a cryptocurrency regulation bill. The law should define digital assets, outline the responsibilities of exchanges, and establish a framework for consumer protection and legal recourse.
-
Judicial Clarification – Higher courts may need to interpret whether cryptocurrency qualifies as a “good” or “service” under current law. A Supreme Court clarification could expand the scope of existing laws temporarily until formal legislation arrives.
-
Self-Regulation by Exchanges – In the absence of formal law, crypto platforms must adopt self-regulatory practices. This includes publishing detailed cybersecurity protocols, transparency in fund management, and timely communication during crises.
Conclusion
The NCDRC’s decision in the WazirX case exposes the legal and regulatory uncertainty clouding India’s cryptocurrency sector. While users suffered significant financial losses in the breach, the absence of legal recognition for crypto under consumer law left them without justice. WazirX, meanwhile, avoided any accountability by operating in a grey zone.
This case serves as a wake-up call for lawmakers, regulators, and investors alike. The Indian crypto market cannot sustain its growth without a solid legal foundation. Unless the government takes swift action to regulate this space, more investors may find themselves in similar situations—powerless, frustrated, and financially devastated.
