At 2:57 a.m. on Friday morning in Tokyo, someone hacked into the digital wallet of Japanese cryptocurrency exchange Coincheck Inc. and pulled off one of the biggest heists in history.
Three days later, the theft of nearly $500 million in digital tokens is still reverberating through virtual currency markets and policy circles around the world.
The episode, disclosed by Coincheck executives at a hastily arranged press conference on Friday night, has heightened calls for stricter oversight at a time when many governments are struggling to formulate a response to the digital-asset boom. Japanese finance ministry officials said on Monday that the country will conduct on-site inspections of exchanges and that cryptocurrencies would likely become an issue at the next G-20 meeting.
While Bitcoin and its ilk have rebounded from their selloff on Friday — thanks in part to Coincheck’s assurances over the weekend that customers would be partially reimbursed — market observers said concerns over security lapses are likely to persist. They may even push some investors toward peer-to-peer methods of trading that don’t rely on centralized platforms.
“The latest theft will have two immediate effects: more regulation by authorities over exchanges and more recognition of the advantages offered by decentralized ways of trading,” said David Moskowitz, co-founder of Indorse Pte in Singapore, which runs a social network for blockchain enthusiasts.
The U.S. Treasury described cryptocurrencies as an “evolving threat” earlier this month and said it’s examining dealers to make sure they aren’t being used to finance illegal activities. U.K. Prime Minister Theresa May has promised to consider a clampdown, while South Korean policy makers are debating whether to ban digital-asset exchanges outright. China outlawed the venues last year.
The Coincheck heist adds to a long list of thefts at cryptocurrency exchanges and wallets, stretching back to the robbery of Tokyo-based Mt. Gox in 2014. As prices of digital assets have soared, the platforms have become increasingly juicy targets for hackers. A lack of confidence in exchanges — most of which operate with little-to-no regulation — has prompted many institutional investors to spurn virtual currencies, although some are now dipping into the market after CME Group and Cboe Global Markets introduced Bitcoin futures in the U.S. last month.
“Such large-scale hacks are some of the biggest risks faced today by the global crypto community,” said Henri Arslanian, fintech and regtech lead at PwC in Hong Kong.
Coincheck, one of Japan’s biggest cryptocurrency exchanges, will use its own capital to reimburse customers who lost money in the theft, according to a statement posted on its website Sunday. The exchange — whose shareholders include 27-year-old Chief Executive Officer Koichiro Wada, Chief Operating Officer Yusuke Otsuka and two investment firms — said it has been in touch with Japan’s Financial Services Authority and the Tokyo Metropolitan Police.
According to Coincheck’s account of the incident, an unidentified thief stole 523 million coins tied to the NEM blockchain project, which were trading at about 94 U.S. cents at the time of the hack. It wasn’t until around 11 a.m. on Friday morning — about eight hours after the initial breach — that Coincheck staff noticed an alert pointing to a sharp drop in their NEM coin reserves.
The thief was able to seize such a large sum in part because Coincheck lacked basic security protocols. It kept customer assets in what’s known as a hot wallet, which is connected to external networks. Exchanges generally try to keep a majority of customer deposits in cold wallets, which aren’t connected to the outside world and thus are less vulnerable to hacks.
Coincheck also lacked multi-signature, a security measure requiring multiple sign-offs before funds can be moved. While the safeguard failed to prevent a $65 million heist from Bitfinex in August 2016, NEM’s blockchain had multi-signature functions that experts say would have made the theft more difficult.
The exchange hadn’t implemented the security measures due to “the difficulty of the technology and a lack of staff able to carry out the task,” Wada told a roomful of unusually combative reporters during a 90-minute press conference at the Tokyo Stock Exchange headquarters that stretched into the early hours of Saturday morning.
The theft sparked a social-media firestorm in Japan, one of the world’s biggest cryptocurrency markets, and spurred angry customers to gather in the bitter cold outside Coincheck’s headquarters — just an eight-minute walk from the site where Mt. Gox imploded four years earlier.
It was exactly the kind of scene that Japan’s FSA had been hoping to avoid when it introduced a licensing system for cryptocurrency exchanges last April. Coincheck was four months past its deadline for receiving such a license, but was allowed to continue operating — and advertising— while awaiting a final decision from the regulator.
On Monday, the FSA ordered Coincheck to submit a report by Feb. 13 outlining the root causes of the debacle and its response to customers, along with how it intends to enhance risk management and internal controls.
The exchange’s fate remains unclear. While Coincheck executives have said they plan to eventually restart trading, they hadn’t outlined a timeline by Monday afternoon. They did, however, pledge to compensate all 260,000 users impacted by the theft at a rate of 88.549 yen (82 U.S. cents) for each NEM coin. That sparked a rally in the tokens, which were trading at around 97 cents on Monday, according to Coinmarketcap.com.
“A commitment by Coincheck to repay investors may at least partially explain the NEM price recovery, but can Coincheck actually deliver on that promise?” said Bert Ely, principal at financial consulting firm Ely & Co. in Virginia. “Time will tell.”
Coincheck said it was cooperating with other exchanges in the hope of tracing the missing tokens.
“We know where the funds were sent,” Otsuka, the Coincheck COO, said during the late-night press conference. “We are tracing them and if we’re able to continue tracking, it may be possible to recover them.”
Regardless of how it plays out, the Coincheck theft is likely to push policy makers to enforce stricter security requirements at cryptocurrency exchanges, according to David Shin, a founding member of the Bitcoin Association of Hong Kong and president of the Singapore-based Asia Fintech Society.
“A lot of regulators don’t know yet how to regulate this area,” Shin said. “This episode will definitely get their attention.”