FIU-Registered Does Not Mean Safe. Both of India’s Biggest Exchange Hacks Happened to FIU-Registered Platforms.
Every “best crypto exchange” article in India leads with the same reassurance: “FIU-registered.” As if that is a safety net.
WazirX was FIU-registered when North Korea’s Lazarus Group stole $234.9 million from it in July 2024. CoinDCX was FIU-registered when the same group stole $44.2 million from it in July 2025. Combined: $279 million stolen from India’s two largest exchanges in consecutive summers. Both FIU-compliant. Both hacked.
FIU registration means the exchange follows anti-money laundering rules. It does not mean your funds are insured. It does not mean the exchange undergoes security audits. It does not mean there is a compensation fund if things go wrong. India has no equivalent of SEBI’s Investor Protection Fund for crypto.
This guide covers what FIU registration actually means, what each exchange actually charges (not what they advertise), which exchanges have been hacked, which ones let you withdraw crypto to your own wallet, and the red flags nobody puts in comparison tables.
FIU Registration — What It Covers and What It Does Not
| What FIU Registration Requires | What FIU Registration Does NOT Cover |
|---|---|
| KYC verification of all users | Security audits or penetration testing |
| Suspicious transaction reporting to FIU-IND | Insurance of user deposits |
| Appointment of compliance officers | Proof of Reserves or solvency checks |
| Record maintenance under PMLA | Investor compensation in case of hack |
| Cooperation with law enforcement | Trading practice oversight (no SEBI equivalent) |
As of April 2026, 49 exchanges are FIU-registered — 45 Indian and 4 offshore (Binance, KuCoin, Coinbase, MEXC). But the FIU does not maintain a single, publicly accessible, real-time updated list. You cannot go to fiuindia.gov.in and see all 49 names. Different sources report 47, 49, or 31 — because there is no authoritative registry.
The Offshore Exchange Crackdown Timeline
| Date | Action |
|---|---|
| Dec 2023 | FIU issues show-cause notices to Binance + 8 offshore exchanges |
| Jan 2024 | URLs and apps blocked in India; Apple/Google asked to remove apps |
| Jun 2024 | FIU fines Binance Rs 188.2 crore for multiple PMLA violations |
| Aug 2024 | Binance registers with FIU, resumes India operations |
| 2024 | KuCoin, Coinbase register with FIU; OKX exits India entirely |
| Oct 2025 | FIU issues notices to 25 more offshore exchanges (BingX, LBank, CoinW, Poloniex, CEX.IO, others) |
| Apr 2026 | 49 total registered; India still has no dedicated crypto law |
Key insight: OKX looked at the compliance requirements, the tax regime, and the market size — and decided India was not worth it. That tells you something about the operating environment.
Exchange-by-Exchange Breakdown
WazirX
| Parameter | Detail |
|---|---|
| FIU Status | Registered |
| Hack History | $234.9M stolen (July 2024) — Lazarus Group |
| Current Status | Restarted Oct 24, 2025; 85% of pre-hack funds returned |
| Trading Fees | Rs 99/month ZERO subscription — zero trading fees |
| INR Deposit | Free |
| INR Withdrawal | Rs 10 flat |
| Crypto Withdrawal | Allowed (network fees apply) |
| Proof of Reserves | Not published |
| Insurance | None disclosed |
The fine print on “85% recovery”: WazirX returned 85% based on reference pricing at the time of the hack — not current market value. If you held ETH worth Rs 5 lakh in July 2024 and it grew to Rs 8 lakh by October 2025, you got approximately Rs 4.25 lakh (85% of Rs 5 lakh). The remaining 15% was converted to Recovery Tokens, redeemable over 36 months tied to WazirX’s future revenue and recovered assets. Recovery Tokens have uncertain value — they are not tradeable on other platforms.
Withdrawal catch: When WazirX restarted, trading was enabled but withdrawals remained suspended. Users could trade but not leave. This is a pattern — exchanges restart deposits and trading before enabling withdrawals, ensuring liquidity before allowing capital flight.
Security post-restart: WazirX partnered with BitGo for custody. Whether this prevents another Lazarus-style attack is unproven.
CoinDCX
| Parameter | Detail |
|---|---|
| FIU Status | Registered |
| Hack History | $44.2M stolen (July 2025) — Lazarus Group |
| Trading Fees | 0.04% to 0.50% (volume-tiered); base 0.2% maker/taker |
| INR Deposit | Free |
| INR Withdrawal | Min Rs 500 |
| Crypto Withdrawal | Blocked by default — requires internal review |
| Proof of Reserves | Not published |
| Insurance | None disclosed |
How the hack worked: Attackers sent a fake job offer to a CoinDCX employee. The offer contained malware. Once installed on the employee’s laptop, it gave attackers access to an internal server. They drained $44.3 million from an operational wallet across multiple transactions in approximately 5 minutes. Funds were routed through Solana addresses and bridged to Ethereum.
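The drain described above has a recognisable shape: many large transfers out of one operational wallet within about five minutes. The following is an added example, not CoinDCX's code or a description of its controls, of an outflow velocity limit that latches once tripped; the wallet name, the window, the USD ceiling and the transfer log are all constructed assumptions.

```python
from collections import deque

WINDOW_S = 300            # assumed window: 5 minutes
LIMIT_USD = 2_000_000     # assumed per-wallet outflow ceiling inside one window

# Constructed transfer log: (unix_ts, wallet, amount_usd). Not real incident data.
TRANSFERS = [
    (0,    "ops-hot-1", 150_000),
    (120,  "ops-hot-1", 90_000),
    (600,  "ops-hot-1", 200_000),
    (4000, "ops-hot-1", 900_000),   # burst begins
    (4040, "ops-hot-1", 900_000),
    (4075, "ops-hot-1", 900_000),
    (4110, "ops-hot-1", 900_000),
    (4300, "ops-hot-1", 900_000),
]


class OutflowBreaker:
    """Sliding-window outflow limit per wallet that latches once tripped."""

    def __init__(self, window_s=WINDOW_S, limit_usd=LIMIT_USD):
        self.window_s, self.limit_usd = window_s, limit_usd
        self.recent = {}      # wallet -> deque of (ts, amount) released in window
        self.totals = {}      # wallet -> sum of the amounts in that deque
        self.frozen = set()   # wallets held for manual review

    def check(self, ts, wallet, amount):
        """Return 'allow' or 'block' for a transfer about to be signed.

        Transfers are assumed to arrive in timestamp order.
        """
        if wallet in self.frozen:
            return "block"
        q = self.recent.setdefault(wallet, deque())
        total = self.totals.get(wallet, 0)
        while q and q[0][0] <= ts - self.window_s:   # evict expired entries
            total -= q.popleft()[1]
        if total + amount > self.limit_usd:
            # Latch: the wallet stays frozen until a human resets it, so
            # later transfers are held even after the window slides on.
            self.frozen.add(wallet)
            self.totals[wallet] = total
            return "block"
        q.append((ts, amount))
        self.totals[wallet] = total + amount
        return "allow"


def replay(transfers):
    """Run a transfer log through a fresh breaker and summarise the outcome."""
    breaker = OutflowBreaker()
    decisions = [breaker.check(*t) for t in transfers]
    released = sum(t[2] for t, d in zip(transfers, decisions) if d == "allow")
    return decisions, released, breaker.frozen


if __name__ == "__main__":
    print(replay(TRANSFERS))
```

With the constructed log, the first two burst transfers pass and the third trips the limit, so the control caps the loss rather than preventing it; the ceiling has to be set against the wallet's normal peak outflow.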
“Customer funds are safe” — with caveats: CoinDCX claimed the hacked wallet was an operational/liquidity wallet, separate from customer cold storage. But there is no independent audit verifying this segregation. An FIR was filed against CoinDCX after the hack. If customer funds were truly untouched, the basis for the fraud complaint is worth understanding.
The withdrawal lock: CoinDCX does not allow crypto withdrawals by default. You must request access and pass an internal review with no guaranteed approval timeline. This means if you buy BTC on CoinDCX, you cannot move it to your own hardware wallet unless CoinDCX decides to let you. This is not “security” — it is custody retention. You do not own crypto you cannot withdraw.
CoinSwitch
| Parameter | Detail |
|---|---|
| FIU Status | Registered |
| Hack History | None disclosed |
| Trading Fees | Zero on select INR pairs |
| INR Deposit | Free |
| INR Withdrawal | Free |
| Crypto Withdrawal | Disabled for 12+ months (cited regulatory uncertainty) |
| Proof of Reserves | Published — SHA-256 Merkle roots, quarterly, Big Four attested |
| Insurance | None disclosed |
The contradiction: CoinSwitch disabled crypto deposits and withdrawals citing “lack of clarity from regulators and policymakers.” But ZebPay and Binance India allow crypto withdrawals under the same regulations. If regulatory uncertainty is the reason, why do competitors operate the feature?
Spread warning: CoinSwitch’s instant buy/sell feature carries a spread that can significantly exceed the advertised “zero fee.” If Bitcoin’s market price is Rs 55,00,000 and CoinSwitch quotes Rs 55,55,000 to buy, that 1% spread is your real fee — invisible in the fee schedule.
Credit to CoinSwitch: They are one of only 3 Indian exchanges publishing Proof of Reserves with independent attestation. They also launched a Rs 600 crore programme to help WazirX hack victims recover funds — a competitive move, but a meaningful one.
Mudrex
| Parameter | Detail |
|---|---|
| FIU Status | Registered |
| Hack History | None disclosed |
| Trading Fees | 0.25% buy + 0.25% sell |
| INR Deposit | Free (UPI, IMPS) |
| INR Withdrawal | 1% fee + 1% TDS |
| Coin Set Rebalancing | 0.25% to 1% per rebalance |
| Crypto Withdrawal | Allowed |
| Proof of Reserves | Not published |
| Spread | Claims transparent, no hidden markup |
The exit cost trap: Mudrex markets “zero deposit fees” prominently. What they do not highlight: withdrawing INR costs a 1% service fee on top of the mandatory 1% TDS. On a Rs 10 lakh withdrawal, you lose Rs 20,000 — Rs 10,000 to Mudrex, Rs 10,000 to TDS (recoverable in 6-18 months at ITR filing). The deposit is free. Leaving is not.
Coin Set rebalancing: Mudrex’s “Coin Sets” (crypto baskets) charge 0.25% to 1% every time the basket rebalances. If it rebalances monthly, that is 3-12% annually in fees that compound silently. The rebalancing fee is disclosed in fine print, but no Mudrex marketing material leads with “your crypto basket costs 3-12% per year in rebalancing fees.”
Early redemption penalty: Redeeming a Coin Set within one month of investing triggers an additional 1% fee.
ZebPay
| Parameter | Detail |
|---|---|
| FIU Status | Registered |
| Hack History | Hacked in 2018 for $1M — pre-FIU era; no major incident since |
| Trading Fees | Maker 0.15%, Taker 0.25% |
| INR Deposit | Free (UPI, IMPS, NEFT, RTGS) |
| INR Withdrawal | Rs 15 flat |
| Crypto Withdrawal | Allowed (network fees) |
| Proof of Reserves | Published — SHA-256 Merkle roots, quarterly, Big Four attested |
| Insurance | None disclosed |
The dormancy fee nobody expects: ZebPay charges 0.0001 BTC + 18% GST per month on inactive accounts. At current BTC prices (~Rs 55 lakh), that is approximately Rs 55 + GST = Rs 65/month drained from a forgotten wallet. Not devastating for active users, but a quiet wealth transfer from abandoned accounts.
Credit to ZebPay: One of India’s oldest exchanges (launched 2014), one of only 3 publishing Proof of Reserves, and one of the few allowing unrestricted crypto withdrawals. The dormancy fee is the main gotcha.
Binance India
| Parameter | Detail |
|---|---|
| FIU Status | Registered (after Rs 188.2 crore fine) |
| Hack History | None in India operations; global Binance has had incidents |
| Trading Fees | 0.1% base (maker/taker); lower with BNB or volume tiers |
| INR Deposit | UPI supported |
| INR Withdrawal | Standard |
| Crypto Withdrawal | Allowed (network fees) |
| Proof of Reserves | Published — real-time dashboard (global, not India-specific) |
| Insurance | SAFU fund (global) |
The paradox: Binance was banned, fined Rs 188 crore, forced to register — and now operates with arguably the best fee structure, tightest spreads, and most transparency (real-time PoR dashboard) of any exchange accessible in India. The same platform the Indian government blocked 18 months ago now wins awards at Indian crypto events.
India-specific limitations: The Binance India experience may differ from global Binance. Some features, trading pairs, and products available globally may be restricted for Indian users due to compliance requirements.
The True Cost Comparison — What a Rs 1 Lakh Round Trip Actually Costs
Advertised fees are meaningless without calculating the complete round-trip cost: buy → hold → sell → withdraw INR.
| Cost Component | WazirX ZERO | CoinDCX | Mudrex | ZebPay | CoinSwitch | Binance India |
|---|---|---|---|---|---|---|
| Subscription/Access | Rs 99/month | Free | Free | Free | Free | Free |
| Buy Fee | Rs 0 | Rs 200 (0.2%) | Rs 250 (0.25%) | Rs 250 (0.25%) | Rs 0 | Rs 100 (0.1%) |
| Sell Fee | Rs 0 | Rs 200 (0.2%) | Rs 250 (0.25%) | Rs 250 (0.25%) | Rs 0 | Rs 100 (0.1%) |
| Spread (estimate) | Rs 200-500 | Rs 300-800 | Rs 0-200 | Rs 200-500 | Rs 500-2,000 | Rs 100-300 |
| TDS (1% × 2 sides) | Rs 2,000 | Rs 2,000 | Rs 2,000 | Rs 2,000 | Rs 2,000 | Rs 2,000 |
| INR Withdrawal | Rs 10 | Rs 0 | Rs 1,000 (1%) | Rs 15 | Rs 0 | Standard |
| Total Visible Cost | Rs 309-609 | Rs 700-1,200 | Rs 1,500-1,700 | Rs 715-1,015 | Rs 500-2,000 | Rs 300-500 |
| Total Including TDS | Rs 2,309-2,609 | Rs 2,700-3,200 | Rs 3,500-3,700 | Rs 2,715-3,015 | Rs 2,500-4,000 | Rs 2,300-2,500 |
TDS of Rs 2,000 is recoverable when filing ITR — but it is capital locked for 6-18 months. For active traders doing Rs 50 lakh annual volume, Rs 50,000+ sits with the government interest-free.
The spread is the fee you do not see: A “zero fee” exchange charging 1.5% spread on instant buy costs more than an exchange charging 0.25% trading fee with a 0.1% spread. Always check: place a buy order and a sell order simultaneously. The gap between them is your real spread cost.
Security Scorecard — Who Has Been Hacked, Who Publishes Proof
| Exchange | Hacked? | Amount Lost | User Fund Impact | Proof of Reserves | Cold Storage Claim | Insurance |
|---|---|---|---|---|---|---|
| WazirX | Yes (July 2024) | $234.9M | 85% returned after 16 months; 15% as Recovery Tokens | No | Unknown | None |
| CoinDCX | Yes (July 2025) | $44.2M | Claims zero impact | No | Claims segregated | None |
| CoinSwitch | No | — | — | Yes (quarterly, Big Four) | Unknown | None |
| Mudrex | No | — | — | No | Unknown | None |
| ZebPay | Yes (2018, $1M) | $1M | Covered | Yes (quarterly, Big Four) | Unknown | None |
| BitBNS | No | — | — | Yes (quarterly) | Unknown | None |
| Binance India | No | — | — | Yes (real-time global) | Published | SAFU fund (global) |
Only 3 Indian exchanges publish Proof of Reserves: ZebPay, BitBNS, CoinSwitch. The other 46 FIU-registered platforms ask you to trust them. After $279 million in hacks across WazirX and CoinDCX, trust is not a strategy.
No Indian exchange publishes a real-time reserve dashboard. Binance’s PoR dashboard is global, not India-specific. The quarterly Merkle root attestations from ZebPay and CoinSwitch are better than nothing, but a lot can happen in three months.
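What a user can actually check against a published SHA-256 Merkle root is that their own balance was counted in the liabilities snapshot. The following is an added example, not any exchange's code; the leaf encoding (`account:balance` with domain-separation prefixes), the account ids and the balances are constructed assumptions, since each exchange defines its own format.

```python
import hashlib

# Constructed liabilities snapshot (account id, balance in satoshis); not real data.
SNAPSHOT = [("acct-1001", 52_000_000), ("acct-1002", 7_500_000),
            ("acct-1003", 310_000_000), ("acct-1004", 1_250_000),
            ("acct-1005", 98_000_000)]


def leaf_hash(account_id: str, balance: int) -> bytes:
    # Assumed leaf encoding. The 0x00/0x01 prefixes keep leaves and inner
    # nodes in separate hash domains, so an inner node cannot pose as a leaf.
    return hashlib.sha256(b"\x00" + f"{account_id}:{balance}".encode()).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves):
    """Exchange side: every tree level, leaves first. An unpaired node is carried up."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def make_proof(levels, index):
    """Exchange side: sibling hashes from leaf to root, each tagged with its side."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # no sibling when the node was carried up
            proof.append((level[sibling], "L" if sibling < index else "R"))
        index //= 2
    return proof


def verify_inclusion(account_id, balance, proof, published_root) -> bool:
    """User side: recompute the root from your own balance and the proof."""
    acc = leaf_hash(account_id, balance)
    for sibling, side in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == published_root


def demo():
    levels = build_levels([leaf_hash(a, b) for a, b in SNAPSHOT])
    root = levels[-1][0]                  # the value an attestation would publish
    proof = make_proof(levels, 2)         # proof handed to acct-1003
    other_root = build_levels([leaf_hash("acct-9999", 1)])[-1][0]
    return {
        "honest": verify_inclusion("acct-1003", 310_000_000, proof, root),
        # A balance other than the committed one fails: this is how a user
        # catches a liability recorded lower than what they hold.
        "wrong_balance": verify_inclusion("acct-1003", 31_000_000, proof, root),
        # The proof only matches the snapshot it was issued for.
        "other_snapshot": verify_inclusion("acct-1003", 310_000_000, proof, other_root),
    }


if __name__ == "__main__":
    print(demo())
```

A passing check shows only that the balance is inside the committed liability set; whether matching assets exist is what the auditor's attestation has to cover.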
The Withdrawal Problem — Who Actually Lets You Own Your Crypto
| Exchange | Crypto Withdrawal | Restrictions | INR Withdrawal |
|---|---|---|---|
| WazirX | Yes (post-restart) | Was blocked during 16-month shutdown | Rs 10 flat |
| CoinDCX | Blocked by default | Must request access, internal review, no timeline | Min Rs 500 |
| CoinSwitch | Disabled 12+ months | Cites regulatory uncertainty | Free |
| Mudrex | Yes | 1% fee on Coin Set early redemption | 1% service fee |
| ZebPay | Yes | Network fees only | Rs 15 flat |
| Binance India | Yes | Network fees only | Standard |
The principle: If you cannot withdraw crypto to your own wallet, you do not own crypto — you own an IOU from the exchange. When WazirX was hacked, users with coins on the exchange lost access. Users who had withdrawn to personal wallets were unaffected. The ability to withdraw is not a feature — it is the point.
Seven Red Flags to Watch For
1. No Proof of Reserves
If an exchange does not publish independently attested Proof of Reserves, you have no way to verify they actually hold the assets they claim. After FTX (global) and WazirX (India), “trust us” is not acceptable. Check if the exchange publishes Merkle root attestations and whether they are verified by a reputable auditor.
2. Crypto Withdrawals Disabled or Gated
Any exchange that prevents you from moving your crypto to your own wallet is retaining custody for business reasons, not security. CoinDCX’s “internal review” process and CoinSwitch’s year-long withdrawal suspension are red flags. Your crypto should be moveable on your terms.
3. Unverified Insurance Claims
SunCrypto claims “$150 million insurance” and “85% cold storage” without naming the insurance provider or linking a policy document. Any exchange making insurance claims without naming the insurer is making a marketing claim, not a verified fact. Ask: who is the insurer, what does the policy cover, and is there a public policy number?
4. Zero-Fee Marketing With Hidden Spreads
“Zero trading fees” means nothing if the buy/sell spread is 1-2%. Test any exchange before committing capital: check the difference between the quoted buy price and sell price for the same coin at the same moment. If the gap exceeds 0.5%, the spread is your real fee and it is aggressive.
5. Post-Hack FIR With “Funds Are Safe” Claims
CoinDCX claimed customer funds were safe after the July 2025 hack, but an FIR was filed. When an exchange says “funds are safe” after a breach, verify independently. Check on-chain data, wait for third-party confirmation (blockchain investigators like ZachXBT or Arkham Intelligence), and do not rely solely on the exchange’s press release.
6. Dormancy Fees on Inactive Accounts
ZebPay’s 0.0001 BTC/month dormancy fee is disclosed in their terms, but most users discover it only when they check an inactive account months later. Any exchange charging recurring fees on idle accounts — especially denominated in crypto that can appreciate — is a subtle wealth drain. Check terms before going inactive.
7. No Independent Security Audit Post-Breach
Neither WazirX nor CoinDCX has published an independent, third-party security audit report after their respective hacks. WazirX partnered with BitGo; CoinDCX offered a bounty programme. But neither has released a detailed audit showing exactly what failed and what was fixed. If an exchange gets hacked and does not publish a security audit, you are trusting the same systems that failed.
The Regulatory Vacuum — Why No Exchange Is Truly “Regulated”
India has no dedicated crypto law. Here is what exists and what does not:
| What Exists | What Does Not Exist |
|---|---|
| 30% flat tax on gains (Section 115BBH) | A dedicated “Virtual Digital Assets” law |
| 1% TDS on every transaction (Section 194S) | SEBI-like oversight of exchange trading practices |
| PMLA compliance via FIU registration | Investor protection fund for crypto |
| Rs 50,000 penalty for TDS non-compliance (Budget 2026) | Mandatory Proof of Reserves or security audits |
| Asset Tokenisation Bill 2026 (Private Member’s Bill, not government) | Circuit breakers or settlement guarantees |
The Asset Tokenisation (Regulation) Bill 2026 was introduced as a Private Member’s Bill in the Rajya Sabha on March 14, 2026. It proposes tiered custody licences under relevant regulators (SEBI for securities tokens, RBI for payments/stablecoins). But Private Member’s Bills rarely become law. Until a government-sponsored bill passes, crypto exchanges operate in a regulatory gap — taxed but not regulated, compliant on AML but unsupervised on everything else.
The Scam Landscape — Rs 72,000 Crore and Counting
Indians have lost over Rs 72,000 crore (approximately $8.6 billion) to crypto scams since 2015. In 2024 alone, cyber fraud losses hit Rs 22,845 crore — a 206% increase over 2023.
Major cases:
- GainBitcoin: Rs 6,000 crore Ponzi scheme — CBI arrested Darwin Labs’ CTO
- BitConnect: Multinational Ponzi by Gujarat-native Satish Kumbhani; ED seized Rs 1,646 crore in crypto in a single day (February 2025)
- Pune: India’s crypto scam capital — Rs 20,000+ crore in losses from that city alone
Common patterns in Indian crypto scams:
- WhatsApp groups showing fake profit screenshots and professional-looking dashboards
- Sign-up bonuses and referral rewards creating an illusion of legitimacy
- Deposits accepted instantly, withdrawals delayed indefinitely or blocked
- AI-generated deepfake videos of prominent figures promising giveaways
- “VIP membership” tiers requiring larger deposits for “higher returns”
The distinction that matters: Exchange hacks (WazirX, CoinDCX) are different from scam exchanges. Hacked exchanges were legitimate platforms with security failures. Scam platforms were never legitimate. But the user outcome can be similar — your money is gone, and no Indian regulator will compensate you.
The Honest Assessment — Which Exchange Is “Least Bad”
No Indian crypto exchange is safe. Every one operates without meaningful security regulation, investor protection, or mandatory insurance. The question is not “which is safe” but “which has the fewest red flags.”
If security transparency matters most: ZebPay or CoinSwitch — they are the only Indian exchanges publishing Proof of Reserves with independent attestation. Neither has suffered a major hack recently.
If lowest fees matter most: Binance India — 0.1% base fee, tightest spreads, real-time PoR (global), and the SAFU insurance fund. The irony of the formerly-banned exchange being the most transparent is not lost.
If you want crypto basket investing: Mudrex — but understand the 0.25-1% rebalancing fees compound to 3-12% annually, and the 1% INR withdrawal fee is a significant exit cost.
If you want true crypto ownership: Use an exchange that allows withdrawals (ZebPay, Binance India) and move your crypto to a hardware wallet (Ledger, Trezor). The safest exchange is the one you use only for buying — not for storing.
The universal rule: Never keep more on any exchange than you can afford to lose entirely. WazirX users learned this at a cost of $235 million. CoinDCX users were saved by wallet segregation — this time. The next hack may not be as cleanly contained.
The TDS Cost Nobody Calculates
The 1% TDS is technically recoverable at ITR filing. But it creates a forced, interest-free loan to the government.
| Annual Trading Volume | TDS Locked | Months Until Refund | Opportunity Cost (at 8% FD rate) |
|---|---|---|---|
| Rs 5 lakh | Rs 5,000 | 6-18 months | Rs 200-600 |
| Rs 25 lakh | Rs 25,000 | 6-18 months | Rs 1,000-3,000 |
| Rs 1 crore | Rs 1,00,000 | 6-18 months | Rs 4,000-12,000 |
| Rs 5 crore | Rs 5,00,000 | 6-18 months | Rs 20,000-60,000 |
For a trader doing Rs 5 crore annual volume (not unusual for active traders), Rs 5 lakh is locked with the government for up to 18 months. At 8% FD returns, that is Rs 60,000 in opportunity cost — money the trader earns nothing on while the government holds it interest-free.
Crypto-to-crypto trades double the pain: When you swap BTC for ETH on an Indian exchange, both sides face 1% TDS. The exchange deducts from both buyer and seller. A single swap locks 2% in TDS — on a non-INR transaction where no rupees changed hands.
What Happens Next — The Regulatory Outlook
| Expected Development | Timeline | Impact |
|---|---|---|
| Virtual Digital Assets and Token Services Bill (leaked draft) | Unknown — may never be tabled | Would create tiered custody licences under SEBI for large exchanges |
| Asset Tokenisation Bill 2026 | Introduced March 2026 (Private Member’s) | Unlikely to pass without government support |
| Mandatory Proof of Reserves | Not proposed | Would force all exchanges to publish verifiable reserve data |
| Investor Protection Fund for crypto | Not proposed | Would provide compensation mechanism similar to stocks |
| TDS reduction from 1% to 0.01% | Repeatedly requested by industry; ignored in Budget 2026 | Would reduce capital lockup for active traders |
The honest outlook: India’s crypto regulation will remain in limbo. The government collects 30% tax + 1% TDS without providing any of the protections that come with regulation. For the government, this is the optimal position — revenue without responsibility. Do not expect meaningful investor protection until a hack large enough to force political action occurs. WazirX’s $235 million was apparently not large enough.