Information Technology Act, 2000 - Application to Cryptocurrency Crimes
The Information Technology Act, 2000 (IT Act) provides the primary legal framework for addressing cybercrimes in India, including those involving cryptocurrency. Given that cryptocurrency exists entirely in the digital realm, the IT Act provisions are particularly relevant to cryptocurrency-related offenses.
The IT Act was substantially amended in 2008 to address emerging cyber threats. While the Act does not specifically mention cryptocurrency (which gained prominence post-2008), its provisions are broad enough to cover cryptocurrency-related cybercrimes. Courts have consistently applied IT Act provisions to cryptocurrency offenses involving unauthorized access, identity theft, and online fraud.
Relevance to Cryptocurrency Crimes
Cryptocurrency crimes frequently involve conduct covered by the IT Act:
- Unauthorized Access: Hacking into cryptocurrency exchanges or wallets
- Identity Theft: Stealing private keys or login credentials
- Phishing: Creating fake exchange websites to steal credentials
- Data Manipulation: Altering transaction records or smart contracts
- Online Fraud: Using computer resources to defraud investors
- Section 43: Civil liability for damage to computer systems
- Section 66: Criminal offense for computer-related crimes
- Section 66C: Identity theft punishable up to 3 years
- Section 66D: Cheating by personation using computer resource
- Section 65B: Admissibility of electronic evidence
- Section 79: Intermediary liability and safe harbor
Section 43 - Penalty for Damage to Computer, Computer System
Section 43 of the IT Act establishes civil liability for various unauthorized activities involving computer systems. This section is significant in cryptocurrency cases because it provides a civil remedy for victims and can be invoked alongside criminal provisions.
"If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,- (a) accesses or secures access to such computer, computer system or computer network or computer resource; (b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network; (c) introduces or causes to be introduced any computer contaminant or computer virus; ... (i) destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means; ... he shall be liable to pay damages by way of compensation to the person so affected."
Elements of Section 43
1. Without Permission
The acts must be done without authorization from the owner or person in charge. In cryptocurrency contexts, this includes:
- Accessing exchange accounts without user authorization
- Using compromised credentials to access wallets
- Bypassing security measures on cryptocurrency platforms
- Social engineering to obtain access to systems
2. Computer, Computer System, or Computer Network
The target must be a computer resource as defined in Section 2(1)(k). Cryptocurrency infrastructure qualifies:
- Exchange servers and databases
- Cryptocurrency wallet applications
- Blockchain nodes and validators
- Smart contract platforms
3. Specified Acts
Section 43 lists specific prohibited acts including accessing, downloading, introducing viruses, causing damage, disrupting, denying access, and more.
Cryptocurrency-Specific Scenarios Under Section 43
Scenario: Exchange Database Breach
Facts: An attacker exploits a vulnerability in a cryptocurrency exchange's database to extract user data including email addresses, phone numbers, and wallet balances.
Section 43 Violations:
- Section 43(a): Unauthorized access to computer system
- Section 43(b): Downloading/copying data from computer database
- Section 43(c): If malware was used in the attack
Compensation: Exchange and affected users can claim compensation for actual damages plus consequential losses under Section 43.
Scenario: Wallet Application Compromise
Facts: Malware distributed through a fake cryptocurrency app steals private keys from users' devices, leading to unauthorized transfers from their wallets.
Section 43 Violations:
- Section 43(a): Accessing users' computer systems without permission
- Section 43(b): Extracting private key data
- Section 43(c): Introducing computer contaminant (malware)
- Section 43(i): Diminishing value of stored cryptocurrency
Compensation Under Section 43
Section 43 provides for compensation up to the limits specified, which may be inadequate for large cryptocurrency thefts. The compensation can include:
- Value of cryptocurrency stolen or lost
- Consequential damages from the breach
- Costs of remediation and security enhancement
- Business interruption losses for exchanges
Section 43 compensation is limited and may be insufficient for major cryptocurrency breaches involving crores of rupees. For substantial losses, victims should pursue both Section 43 claims before the Adjudicating Officer and criminal prosecution under Section 66, in addition to civil suits for damages.
Section 66 - Computer Related Offenses
Section 66 criminalizes the acts specified in Section 43 when done dishonestly or fraudulently. This is the primary criminal provision invoked in cryptocurrency hacking and unauthorized access cases.
"If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both."
Elements of Section 66
1. Dishonestly or Fraudulently
The critical distinction from Section 43 is the requirement of dishonest or fraudulent intent. In cryptocurrency cases:
- Dishonest: Intention to cause wrongful gain or wrongful loss (as defined in IPC)
- Fraudulent: Intent to defraud, involving deceit for gain
Most cryptocurrency hacking involves clear dishonest intent - stealing cryptocurrency for personal gain while causing loss to legitimate owners.
2. Acts Referred to in Section 43
The prohibited acts are those listed in Section 43. In cryptocurrency crimes, commonly invoked are:
- Unauthorized access to exchange or wallet systems
- Downloading/copying private keys, seed phrases, or credentials
- Introducing malware to steal cryptocurrency
- Manipulating smart contracts or transaction records
- Denial of service attacks on cryptocurrency platforms
Application to Cryptocurrency Crimes
1. Exchange Hacking
When hackers breach cryptocurrency exchange security to steal user funds, Section 66 applies because:
- Access to exchange systems is unauthorized
- Intent is clearly dishonest (to steal cryptocurrency)
- Acts fall within Section 43(a), (b), and potentially (c), (i)
2. SIM Swap Attacks
In SIM swap attacks targeting cryptocurrency holders:
- Attacker gains control of victim's phone number
- Uses it to bypass two-factor authentication
- Accesses cryptocurrency accounts and transfers funds
- Violates Section 66 through unauthorized access with dishonest intent
3. Smart Contract Exploitation
When attackers exploit vulnerabilities in smart contracts:
- Unauthorized manipulation of computer programs (smart contracts)
- Extraction of cryptocurrency through code exploitation
- May constitute damage to computer resource under Section 43
| Aspect | Section 43 (Civil) | Section 66 (Criminal) |
|---|---|---|
| Nature | Civil liability | Criminal offense |
| Intent Requirement | No specific intent required | Dishonest or fraudulent intent required |
| Remedy | Compensation | Imprisonment up to 3 years + Fine up to Rs. 5 lakh |
| Forum | Adjudicating Officer | Criminal Court |
| Standard of Proof | Preponderance of evidence | Beyond reasonable doubt |
When prosecuting cryptocurrency hacking cases, establish dishonest intent through: (1) Evidence of planning the attack (reconnaissance, obtaining exploit tools); (2) Immediate transfer of stolen cryptocurrency to attacker-controlled wallets; (3) Attempts to launder or convert stolen cryptocurrency; (4) Communication evidence showing knowledge of wrongdoing. This distinguishes criminal Section 66 from mere civil Section 43 liability.
Section 66C - Identity Theft
Section 66C addresses identity theft, a crucial provision in cryptocurrency crimes where attackers frequently steal credentials, private keys, and other identity-related data to gain access to victims' cryptocurrency holdings.
"Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh."
Elements of Section 66C
1. Fraudulent or Dishonest Use
The use must be with fraudulent or dishonest intent. In cryptocurrency cases, this is typically evident from the subsequent theft of funds.
2. Electronic Signature, Password, or Unique Identification Feature
In the cryptocurrency context, this includes:
- Private Keys: The cryptographic key controlling a cryptocurrency wallet
- Seed Phrases: Recovery phrases that can regenerate private keys
- Exchange Passwords: Login credentials for cryptocurrency exchanges
- 2FA Codes: Two-factor authentication codes
- API Keys: Keys for automated trading or access
- Wallet Addresses: When used for impersonation
3. Of Any Other Person
The identity feature must belong to someone other than the accused. The victim must be identified.
Wallet Identity Theft Scenarios
Scenario: Private Key Theft
Facts: An attacker through phishing obtains the 24-word seed phrase of a cryptocurrency investor. Using this seed phrase, the attacker regenerates the victim's wallet and transfers all cryptocurrency to their own address.
Section 66C Analysis:
- Seed phrase constitutes "unique identification feature" - it uniquely identifies and controls the wallet
- Use was fraudulent - intent to steal cryptocurrency
- Belonged to another person - the victim investor
Punishment: Up to 3 years imprisonment and fine up to Rs. 1 lakh
Scenario: Exchange Account Takeover
Facts: Through a data breach at an unrelated service, attackers obtain email/password combinations. Using credential stuffing, they access cryptocurrency exchange accounts where users had reused passwords, then withdraw all funds.
Section 66C Analysis:
- Password constitutes unique identification feature under Section 66C
- Dishonest use to access accounts and steal funds
- Each compromised account is a separate offense
Private Keys as "Unique Identification Feature"
Courts have not yet definitively ruled on whether cryptocurrency private keys constitute "unique identification features" under Section 66C. Arguments supporting this interpretation:
- Private keys uniquely identify the controller of a blockchain address
- They serve an analogous function to passwords in traditional systems
- The legislative intent was to protect digital identity credentials broadly
- The term "any other unique identification feature" is deliberately broad
While private keys clearly function as identity credentials, defense counsel may argue that the IT Act language contemplates human-selected credentials rather than cryptographically generated keys. Prosecutors should prepare arguments on purposive interpretation to ensure Section 66C covers cryptocurrency credentials.
Section 66D - Cheating by Personation Using Computer Resource
Section 66D addresses online impersonation fraud, a common tactic in cryptocurrency scams where fraudsters impersonate legitimate entities, exchanges, or even other individuals to defraud victims.
"Whoever, by means of any communication device or computer resource cheats by personating, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees."
Elements of Section 66D
1. By Means of Communication Device or Computer Resource
The offense must be committed using digital means. In cryptocurrency fraud, this is virtually always satisfied as transactions occur through:
- Websites and web applications
- Mobile applications
- Email and messaging platforms
- Social media platforms
- Blockchain networks
2. Cheating by Personation
"Cheating" has the meaning under IPC Section 415 (now BNS Section 316). "Personation" requires pretending to be someone else. In cryptocurrency context:
- Creating fake exchange websites mimicking legitimate exchanges
- Impersonating customer support representatives
- Posing as cryptocurrency project founders
- Creating fake social media accounts of prominent crypto figures
- Sending phishing emails appearing to be from legitimate services
Cryptocurrency Impersonation Cases
Scenario: Fake Exchange Website
Facts: Fraudsters create a website visually identical to a popular cryptocurrency exchange, using a similar domain name (typosquatting). Users who mistakenly visit this site enter their login credentials, which are captured. Fraudsters then access real accounts and steal funds.
Section 66D Analysis:
- Uses computer resource (fake website)
- Personates legitimate exchange
- Cheats users into providing credentials
- Causes wrongful loss to victims, wrongful gain to fraudsters
Additional Charges: Section 66C (using stolen passwords), Section 66 (unauthorized access), IPC 420/BNS 318 (cheating)
Scenario: Fake Airdrop/Giveaway Scam
Facts: Fraudsters create social media accounts impersonating famous cryptocurrency personalities (like exchange CEOs). They announce fake "giveaways" promising to double any cryptocurrency sent to specified addresses. Victims send cryptocurrency expecting returns that never come.
Section 66D Analysis:
- Communication device/computer resource used (social media)
- Personation of public figure
- Cheating by inducing victims to part with cryptocurrency
Scenario: Fake Customer Support
Facts: Fraudsters pose as customer support representatives of cryptocurrency exchanges on social media. When users post complaints, fraudsters contact them privately, claiming to help resolve issues. They trick victims into providing seed phrases or transferring cryptocurrency to "verify accounts."
Section 66D Analysis:
- Computer resource (social media, messaging) used
- Personation of exchange employees
- Cheating by obtaining seed phrases or inducing transfers
Relationship Between Section 66D and IPC/BNS Cheating
Section 66D overlaps with IPC Section 420 (BNS Section 318) but has specific advantages:
| Aspect | Section 66D IT Act | Section 420 IPC / 318 BNS |
|---|---|---|
| Specific Requirement | Use of computer resource + personation | General cheating inducing property delivery |
| Maximum Imprisonment | 3 years | 7 years |
| Maximum Fine | Rs. 1 lakh | Unlimited |
| Investigation | Cyber cell / designated authority | Regular police |
| Technical Expertise | Often better equipped for digital evidence | May lack specialized capability |
In cryptocurrency impersonation fraud cases, charge under both Section 66D IT Act and Section 420 IPC (or 318 BNS). Section 66D provides specialized cyber investigation framework while Section 420/318 provides higher maximum punishment. The two are not mutually exclusive and address different aspects of the same conduct.
Investigation Procedures for IT Act Offenses
Investigating IT Act offenses in cryptocurrency cases requires specialized procedures and technical expertise. The IT Act and associated rules prescribe specific investigation frameworks.
Investigating Officers
Under IT Act Section 78, offenses shall be investigated by police officers not below the rank of Inspector. Many states have established dedicated cybercrime investigation units:
- State Cyber Crime Police Stations
- Cyber Crime Investigation Cells
- Economic Offenses Wings with cyber capabilities
Key Investigation Steps
1. Preservation of Evidence
Immediate steps to preserve volatile digital evidence:
- Request exchanges for account freeze and data preservation
- Document blockchain transactions (screenshot with timestamps)
- Preserve communication records (emails, messages)
- Obtain network logs from affected platforms
2. Blockchain Analysis
Tracing cryptocurrency flows requires specialized analysis:
- Identify source and destination wallet addresses
- Trace transaction paths through blockchain
- Identify exchange addresses where cryptocurrency was deposited
- Link wallet addresses to real-world identities through exchange KYC
3. Information from Intermediaries
Obtaining data from cryptocurrency exchanges and service providers:
- User registration details (KYC documents)
- Transaction history
- IP addresses and access logs
- Bank account linkages
4. Technical Forensics
If devices are seized or compromised systems examined:
- Forensic imaging of devices
- Malware analysis
- Browser history and cached data
- Wallet software and key storage
Section 79 - Intermediary Liability
Cryptocurrency exchanges may qualify as "intermediaries" under Section 79. This has implications for:
- Safe Harbor: Exchanges following due diligence may be protected from liability for user transactions
- Compliance Requirements: Must adhere to Information Technology (Intermediary Guidelines) Rules
- Cooperation with Authorities: Must assist in investigations when notified
- Data Retention: Must maintain logs for specified periods
Many cryptocurrency platforms operate from foreign jurisdictions. Obtaining evidence from foreign exchanges requires MLAT (Mutual Legal Assistance Treaty) processes, which are time-consuming. Prosecutors should: (1) Prioritize evidence from India-based exchanges first; (2) Engage with MEA for MLAT requests early; (3) Consider Interpol channels for urgent matters; (4) Document blockchain evidence that does not require foreign cooperation.
Digital Evidence Requirements Under IT Act
The admissibility of electronic evidence in IT Act cases is governed by Section 65B of the Indian Evidence Act (now Section 63 of Bharatiya Sakshya Adhiniyam, 2023). Understanding these requirements is critical for both prosecution and defense.
Section 65B Certificate Requirements
Electronic records are admissible only if accompanied by a certificate under Section 65B(4) stating:
- Identification of the electronic record and manner of production
- Particulars of device involved in production
- Information appropriate to show reliability
- Signed by person occupying responsible position in relation to the device
Application to Cryptocurrency Evidence
Blockchain Records
Blockchain transaction records present unique evidentiary questions:
- The blockchain is a distributed ledger - no single custodian
- Records are cryptographically secured against tampering
- Any node operator can provide identical copies of transaction data
Arguments for admissibility without traditional Section 65B certificate:
- Blockchain records are inherently reliable due to cryptographic security
- Multiple independent sources can verify the same data
- Tamper-evidence is built into the technology
Conservative approach: Obtain certificate from blockchain analysis expert who extracted the data, certifying the process and reliability of the records.
Exchange Records
Records from cryptocurrency exchanges require standard Section 65B certification:
- Certificate from exchange's compliance or IT officer
- Description of exchange's database systems
- Chain of custody for extracted data
Wallet Software Data
Data extracted from wallet applications on seized devices:
- Forensic extraction report with hash values
- Section 65B certificate from forensic examiner
- Documentation of extraction methodology
Supreme Court on Section 65B
The Supreme Court in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) clarified that Section 65B certificate is mandatory and cannot be dispensed with. Key holdings:
- Certificate is condition precedent for admissibility
- Cannot be waived even by consent of parties
- Defect cannot be cured at appellate stage
- Certificate must accompany the electronic record when produced
For cryptocurrency crime investigations: (1) Obtain Section 65B certificates contemporaneously with evidence collection; (2) Document the complete chain of custody; (3) Use forensic tools that generate verifiable hash values; (4) Have blockchain analysis certified by qualified experts; (5) Maintain original sources where possible for verification; (6) Request exchanges to provide certificates along with data responses.
Defense Strategies in IT Act Cryptocurrency Cases
Strategy 1: Challenge Electronic Evidence
Section 65B compliance is frequently defective:
- Certificate not signed by appropriate person
- Certificate not contemporaneous with evidence collection
- Certificate lacking required particulars
- Chain of custody breaks
- Hash value inconsistencies
Strategy 2: Attribution Challenges
Linking cyber activities to the accused person:
- IP addresses can be spoofed or shared
- Devices may have been compromised or used by others
- Wallet addresses alone don't identify controllers
- Exchange accounts may be created with false identities
Strategy 3: Intent Defense
Section 66 requires dishonest or fraudulent intent:
- Access was authorized or believed to be authorized
- Security research or bug bounty activities
- Mistake or accident rather than intentional conduct
- No intent to cause harm or gain
Strategy 4: Jurisdictional Challenges
IT Act territorial application:
- Section 75 provides for extraterritorial application
- Requires computer, computer system, or network located in India to be involved
- Challenge if all infrastructure was foreign
Strategy 5: Technical Defenses
Challenge prosecution's technical understanding:
- Mischaracterization of blockchain activities
- Confusion between wallet ownership and control
- Failure to understand smart contract mechanics
- Misinterpretation of transaction data
Engage technical experts early in IT Act cases. Cryptocurrency and blockchain technology is complex, and prosecution teams may make technical errors that create defense opportunities. An expert can identify: flaws in blockchain analysis methodology, alternative explanations for transaction patterns, technical impossibilities in prosecution theory, and defects in evidence collection procedures.