'As a lot of them are converted to other tokens, and since crypto is dealt with internationally, it can go to any exchange in any country.'
Calls for stronger regulations and legal recourse for users to get back their funds have intensified after India's leading cryptocurrency exchange WazirX suffered a data security breach, leading to theft of digital assets worth $230 million.
Last week, the crypto exchange confirmed the security breach on its platform which led to a theft of about 50 per cent of its total assets.
While WazirX has called it a 'force majeure event' beyond its control, the company has said it is trying to locate and recover the lost funds.
Recovering the amount from a sophisticated cyber attack on its platform may not be an easy feat, crypto executives and those close to the development have said.
"Recovering stolen crypto is hard as a lot of them are converted to other tokens, and since crypto is dealt with internationally, it can go to any exchange in any country," said Ashish Singhal, co-founder, CoinSwitch; a crypto exchange platform.
"The silver lining is that transactions can be tracked and in a few past cases it has been recovered too," Singhal added.
He noted that recovery of funds following a cyber attack of this scale was a tedious process as the stolen quantum can remain in a wallet for many years at a stretch.
In the backdrop of a lack of regulatory environment for crypto in India, it becomes a challenge to terminate transactions that involve stolen tokens.
"Although it is trackable, you still cannot stop its usage everywhere. That becomes the real problem as there will always be a decentralised platform where these tokens can be converted from one to another, or one wallet to another one," said Edul Patel, CEO, Mudrex, a crypto platform.
Legal experts tracking the sector believe that users who have lost their funds can look at the country's consumer protection laws for recourse.
"In terms of consumers, there is no specific law which you can go to and refer to in this instant cyberattack," said Navodaya Singh Rajpurohit, Legal Partner, Coinque Consulting and founder, Pravadati Legal.
"But in any case, consumer laws would be applicable if there is any negligence found on the part of WazirX, claiming that there was a deficiency in their services, further depending on the remedies sought by the customers relief under the Information Technology Act, 2002 or Arbitration and Conciliation Act, 1996" Rajpurohit added.
On Sunday, WazirX announced a bounty programme to track and freeze the stolen amount.
The company has promised that it will reward those assisting in recovery with a bounty pegged at 5 per cent of the recovered amount as part of the programme.
'In response to the cyber attack, we have filed an online police complaint and are processing a physical complaint,' WazirX said in a statement.
'We have reported the incident to the Financial Intelligence Unit and CERT-In. We are reaching out to over 500 exchanges to block the identified addresses,' added WazirX.
"What should now come out of this is that there should be conversations around active regulations, making self-custody a real possibility for people, allowing decentralised exchanges to conduct transactions, which is one of the ways to secure a user's money," Patel from Mudrex said.
Home-grown cryptocurrency firms had earlier suggested that regulating the sector may necessitate the involvement of multiple agencies, given the approaching deadline to develop a unified framework, Business Standard reported this month.
Industry participants said that creating comprehensive legislation through a single regulator could be complex and time-intensive ahead of the 2025 timeline.
"This incident could potentially prompt regulatory changes in India. To date, no regulatory body has taken the initiative to regulate crypto in the country," Rajpurohit pointed out.
'While the Financial Intelligence Unit exists," he added, "its primary mandate is the prevention of money laundering, not addressing cyber attacks, which may limit its jurisdiction in this matter, unless it is found in the investigation that the money has been laundered through this cyberattack."
Feature Presentation: Ashish Narsale/Rediff.com