Tokyo-based cryptocurrency exchange Coincheck experienced the biggest cryptocurrency heist ever at the end of last month with hackers stealing $530M from its users. The exchange promised it would partially refund the 260,000 cryptocurrency investors affected by the robbery, although it did not say where it was getting the money from to do so, or when it would be issuing the refund.
Coincheck, which bills itself as “the leading bitcoin and cryptocurrency exchange in Asia” on its website, said the hackers specifically targeted the cryptocurrency NEM. It is currently the tenth largest cryptocurrency, trading at just under $1 per coin, with $9 billion worth of NEMs in total circulation. The currency’s price plunged by around 20% immediately following the news of the heist coming to light, although it has since recovered those losses.
Yusuke Otsuka, Coincheck’s chief operating officer, said on January 26th that around 523M NEM coins were sent from a NEM address at Coincheck at approximately 3am local time. Eight hours later, Coincheck identified a peculiar drop in the balance. The exchange said that the NEM coins were stored in a “hot wallet” instead of a “cold wallet”, and were thus connected to the Internet and therefore vulnerable to hacking. Experts have warned that keeping big sums in hot wallets is akin to carrying large amounts of cash in person.
Cold wallets are small devices that are stored offline, such as Trezor and Ledger Nano S. Fortune cited the recommendation of Bitcoin evangelists to avoid third-party exchanges and only keep money necessary for upcoming transactions in hot wallets. Even then, experts apparently recommend trading one cryptocurrency for another using decentralized exchanges such as Waves Dex or Changelly rather than centralized exchanges like Coincheck.
Coincheck offered its apologies via a blog post and at a news conference following the news, and has suspended trading all virtual currencies except Bitcoin as it looks more deeply into the circumstances surrounding the theft.
A Japanese government spokesperson said that it would be requiring Coincheck to improve its business practices following the hack, and that financial authorities were supervising the company’s response to the incident. Last April, Japan’s government recognized bitcoin as a legally accepted means of payment, and required all exchange operators to register with its financial regulator. The move was intended to protect consumers and stop illegal use of cryptocurrencies in the wake of the 2014 collapse of the Tokyo-based Mt. Gox, at that time the world’s largest Bitcoin exchange. It was also part of a strategy by Prime Minister Shinzo Abe to encourage growth in the fintech sector. On January 17th, the Japanese FSA had approved registration of 16 cryptocurrency exchanges in Japan; Coincheck was among a further 16 that were operating before the regulation was introduced and are allowed to continue operations provisionally while their applications are being assessed.
In developing news today, sources close to the investigation told the Asian Review that the hacker who stole the NEM from Coincheck appears to be trying to exchange it for other digital coins on the darknet. Apparently the hacker has been trying to make trades for bitcoins, sending messages containing a URL to an English site offering to exchange several tens of thousands of yen worth of NEM for bitcoin.