$534 Million Virtual Currency Hack in Japan

Cryptocurrency exchange Coincheck has confirmed that some 58 billion yen ($534 million) in customers’ virtual currency holdings were taken from its wallets Friday, in what appears to be the biggest virtual currency heist to date.

At around 3 am Friday, essentially all NEM—a type of virtual currency—held by the Tokyo-based exchange was illicitly transferred out of its digital coffers. Coincheck discovered the breach after 11 am, and soon halted withdrawals in all currencies. Trading is on hold for all virtual currencies except bitcoin, Nikkei reported.

The exchange is currently determining how many customers were affected, and has said it is considering possible responses, including compensation for those whose NEM were taken.

Coincheck managed its NEM accounts on systems vulnerable to hacking via external networks. Such an attack may have been behind Friday’s theft.

Coincheck “deeply regrets” the incident, CEO Koichiro Wada told reporters Friday night. The company “is currently determining what impact the breach will have on our finances,” said Yusuke Otsuka, chief operating officer. The theft has been reported to Japan’s Financial Services Agency as well as to police, and the exchange is urging its peers to halt trading in NEM.

  Doing Everything to Help

Lon Wong, president of the Nem.io Foundation created to promote the technology underlying NEM, wrote on twitter that “It’s unfortunate that Coincheck got hacked,” but said the foundation is “doing everything we can to help.”

Coincheck is one of Japan’s top virtual currency exchanges, alongside Tokyo-based bitFlyer. It has attracted users by offering a wide variety of cryptocurrencies. While Coincheck does not say how many accounts it hosts, an industry insider says the exchange holds “hundreds of billions of yen in customer assets.” Customers took to social media Friday night, airing concerns about the fate of their cash and cryptocurrency holdings.

Since April 2017, Japan has required cryptocurrency exchanges to register with the FSA and manage customer accounts separately from the exchange operator’s own funds. More than one-third of the roughly 40 exchanges in Japan before those requirements took effect have folded rather than make the necessary investments to upgrade their systems. Coincheck has applied for registration, though its application remains under review.

These rules are largely a response to the 2014 collapse of Japanese bitcoin exchange Mt. Gox—then the largest in the world—after hackers stole roughly 47 billion yen in bitcoin holdings. But it is questionable whether other exchanges have taken the lessons of that incident to heart.

“Taking security measures yields no clear benefit in terms of attracting customers,” and so many exchanges “have been lax” on that front, according to Takenori Kiuchi, a cyber security expert at NRI Secure Technologies. Despite fairly small outlays on systems development, exchanges have been spending heavily on ads to attract new customers. Coincheck, for example, began in late December broadcasting television commercials featuring a popular comedian.