At 2:57 a.m. last Friday in Tokyo, someone hacked into the digital wallet of Japanese cryptocurrency exchange Coincheck Inc. and pulled off one of the biggest heists in history.
Three days later, the theft of nearly $500 million in digital tokens is still reverberating through cryptocurrency markets and policy circles around the world.
The episode, disclosed by Coincheck executives at a hastily arranged news conference last Friday night, has heightened calls for stricter oversight at a time when many governments are working out how to regulate the booming cryptocurrency exchange industry. Japanese policy-makers began a new licensing system for the venues just a few months ago, and regulators in South Korea are debating whether to ban exchanges outright.
While Bitcoin and its ilk have recovered from their selloff last Friday—thanks in part to Coincheck’s assurances over the weekend that customers would be partially reimbursed—market observers say concerns over security lapses at cryptocurrency exchanges are likely to persist. They may even push some investors toward peer-to-peer methods of trading that don’t rely on centralized platforms.
“The latest theft will have two immediate effects: more regulation by authorities over exchanges and more recognition of the advantages offered by decentralized ways of trading,” said David Moskowitz, cofounder of Indorse Pte. in Singapore, which runs a social network for blockchain enthusiasts.
On Monday Japan’s Financial Services Agency ordered Coincheck to submit a report by February 13 outlining the root causes of the debacle and its response to customers, and detailing how it intended to enhance risk management and internal controls. Japan’s government is working with relevant ministries and agencies to determine the cause of the Coincheck hack and stands ready to take action as needed, Chief Cabinet Secretary Yoshihide Suga told reporters in Tokyo on Monday. Coincheck will receive a business improvement order today, Suga said.
The Coincheck heist adds to a long list of thefts at cryptocurrency exchanges and wallets, stretching back to the robbery of Tokyo-based Mt. Gox in 2014. As prices of digital assets have soared, the platforms have become increasingly juicy targets for hackers. A lack of confidence in exchanges—most of which operate with little to no regulation—has prompted many institutional investors to spurn cryptocurrencies, although some are now dipping into the market after CME Group Inc. and Cboe Global Markets Inc. introduced Bitcoin futures in the United States last month.
“Such large-scale hacks are some of the biggest risks faced today by the global crypto community,” said Henri Arslanian, fintech and regtech lead at PwC in Hong Kong.
Coincheck, one of Japan’s biggest cryptocurrency exchanges, will use its own capital to reimburse customers who lost money in the theft, according to a statement posted on its web site last Sunday. The exchange—whose shareholders include 27-year-old CEO Koichiro Wada, COO Yusuke Otsuka and two investment firms—said it has been in touch with Japan’s Financial Services Authority and the Tokyo Metropolitan Police.
According to Coincheck’s account of the incident, an unidentified thief stole 523 million coins tied to the New Economy Money (NEM) blockchain project, which is also known by some as the New Economy Movement. The tokens were trading at about 94 US cents at the time of the hack. It wasn’t until around 11 a.m. last Friday—about eight hours after the initial breach—that Coincheck staff noticed an alert pointing to a sharp drop in their NEM coin reserves.
The thief was able to seize such a large sum in part because Coincheck lacked basic security protocols. It kept customer assets in what’s known as a hot wallet, which is connected to external networks. Exchanges generally try to keep a majority of customer deposits in cold wallets, which aren’t connected to the outside world and, thus, are less vulnerable to hacks.
Coincheck also lacked multisignature, a security measure requiring multiple sign-offs before funds can be moved. While the safeguard failed to prevent a $65-million heist from Bitfinex in August 2016, NEM’s blockchain had multisignature functions that experts say would have made the theft more difficult.
“I really wish they would have been using NEM’s multisignature contract,” Jeff McDonald, vice president of the NEM Foundation, said in a YouTube video. “That would have probably saved them all these problems.”
The exchange hadn’t implemented the security measures due to “the difficulty of the technology and a lack of staff able to carry out the task,” Wada, who also serves as Coincheck’s chief technology officer, told a roomful of unusually combative reporters during a 90-minute press conference at the Tokyo Stock Exchange headquarters that stretched into the early hours of Saturday morning.
The theft sparked a social-media firestorm in Japan, one of the world’s biggest cryptocurrency markets, and spurred angry customers to gather in the bitter cold outside Coincheck’s headquarters—just an eight-minute walk from the site where Mt. Gox imploded four years earlier.
It was exactly the kind of scene that the country’s financial regulator had been hoping to avoid when it introduced a licensing system for cryptocurrency exchanges last April.