TOKYO—On Friday evening in Japan, one of the biggest virtual currency exchanges in Asia, Coincheck, announced that it had lost 58 billion units of the cryptocurrency NEM, worth roughly $530 million dollars, which may well be the biggest cryptocurrency heist in history.
For those of us with a long memory, the press conference was eerily reminiscent of Feb. 28, 2014, when Mt. Gox, once the world’s largest bitcoin exchange, declared bankruptcy and announced that it had lost over $500 million worth of bitcoins to hackers. (The figure was later revised down to $430 million.)
This new incident is an embarrassment to the Japanese government, which has been trying to make Tokyo the global center for cryptocurrency.
According to Coincheck at its press conference on Friday, and on its webpage announcements, hackers first broke into the firm’s NEM accounts at 2:57 a.m. Friday, local time, on Jan. 25.
The security breach went undetected, however, until almost 11:30 that morning.
According to sources close to Japan’s Financial Services Agency, hackers using overseas servers were able to disguise themselves as authorized users and enter the system. They then withdrew large amounts of NEM, spreading the withdrawals out several times during the eight and a half hours they went undetected.
Yusuke Otsuka, the chief operating officer of Coincheck, confirmed suspicions that the firm’s cyber security was subpar when, at the press conference, he admitted that the stolen currency had been kept on-line in a “hot wallet” rather than a much more secure offline storage facility known as a “cold wallet.”
In layman’s terms, it would be like a convenience store in a bad neighborhood keeping $50,000 in large bills in the cash register, rather than periodically depositing the money in a bank vault off the premises. Mark Karpeles, the former CEO of Mt. Gox, told The Daily Beast, “The firm also did not use an extra layer of security known as a multi-signature system.”
Company executives offered some assurances that they might recover the funds, enigmatically stating, “We know where the funds (NEMs) were sent. We are tracing them and when they are cashed out, it may be be possible to get them back.”
The firm has notified Japan’s Financial Services Agency and the Tokyo Metropolitan Police Department. The police have not yet officially opened an investigation.
The Financial Services Agency, which had warned the firm about lax cybersecurity measures in recent months, gave the company a bureaucratic slap on the wrist, but one that may turn into a serious penalty. The agency demanded Coincheck turn in a report on the hack and the countermeasures for preventing a recurrence by the middle of February. The FSA also announced Monday, that it would begin inspecting other cryptocurrency exchanges and may conduct on-site inspections.
Coincheck suspended trading in all cryptocurrencies except bitcoin on Friday. The firm has said it would reimburse the 260,000 customers who lost NEM, but not at the full rate at the time of the theft. It currently estimates this will cost 460 billion yen ($430 million), based on the firm’s pre-theft assessed value for the NEM. There is some skepticism that it will be able to do this solely with internal funds. The firm has not said when it would reimburse the customers.
Public reaction to the “crypto-heist” has been rather muted, so far. Few were feeling much sympathy for Koichiro Wada, the president of the company, who seemed insufficiently apologetic at the press conference. (Mark Karpeles may have made a deeper bow after the Mt. Gox incident, and he’s not Japanese.)
When netizens dug up an old tweet in which Wada ridiculed a homeless woman, some expressed glee at seeing him brought down a few pegs. Yet due to the company’s promise to pay back the users, the impact still seems small.
One of the more amusing responses came from the newly formed cryptocurrency-themed all-girl band, Virtual Currency Girls, which debuted this month. The group is composed of eight members, clad in masks and frilly maid uniforms, each one representing a virtual currency, such as bitcoin cash, ethereum, and of course, NEM.
In a hastily convened press conference on Saturday, the girls said that the freezing of accounts at Coincheck would temporarily affect their salaries. Their management offered to pay them in cash (yen) but the girls insisted that they would wait for Coincheck to resume full-operations and be paid in virtual currency, “As a point of pride.”
Koharu Kamikawa, the 17-year-old member who is the band’s NEM avatar, had stern words for the perpetrators. “It’s absolutely bad [what you did]. I want to say to the hacker, ‘You jerk, you stupid jerk.’ Give everyone back their NEM!”
If only it were that easy, or hackers cared about the feelings of aspiring 17-year-old Japanese pop stars.
Japan has taken tremendous steps in the last year to become a center of cryptocurrency while China, Korea, and other countries are cracking down on them and their users.
In April of 2017, Japan officially recognized bitcoin as legal tender. In September last year, the Financial Services Agency (FSA) recognized 11 cryptocurrency trading exchanges, giving them semi-official status. Over 30 percent of global bitcoin transactions are conducted in yen.
But much of the activity surrounding cryptocurrency, including Initial Coin Offerings (ICOs), which are essentially a form of crowdfunding centered around a cryptocurrency, fall into a gray zone. The FSA may issue guidance and warnings, but if you’re a cryptocurrency trader in Japan, “let the user beware” has to be your motto.
If Coincheck goes under or can’t repay the users, it may be the beginning of a problem that Japan will have to fix if it wants to be at the heart of the virtual currency world.
There is also the question of whether the Japanese police have the will or the ability to go after the hackers. If they don’t, more crypto-heists are likely to occur.
Mark Karpeles told The Daily Beast in an email, “The hack of NEM assets was due to their lack of use of ‘cold wallet.’ It means someone breached into their server, potentially gaining access to information such as their user database. Only a forensic analysis of the breached server(s) will allow to tell how much data was accessed, and it is unlikely such information will be released, considering how the Japanese police acted so far… Efforts to arrest crypto-currency thieves require more than one country’s law enforcement to work.”
The Japanese police never apprehended the hackers of Mt. Gox, but they did arrest Mark Karpeles as a scapegoat, as detailed in the book which I wrote with Nathalie-Kyoko Stucky, Pay the Devil in Bitcoin: The Creation of a Cryptocurrency and How Half a Billion Dollars of It Vanished from Japan. Karpeles is still on trial four years after the hack was discovered.
Up to now pop idol groups, manga, robots, and anime have been the core of Japan’s tourist promoting strategy known as “Cool Japan,” but it seems that adoption of cryptocurrency (and the girl band promoting it) is now also part of the Cool Japan agenda as seen by Japan’s Ministry of Economy, Trade and Industry.
If that’s the case, putting in place some real regulations, and maybe getting major cryptocurrency exchanges to at least store their funds in “cold wallets” is what the new “Cool Japan” needs to do.