On Friday, Crunchbase News reported that Coincheck, the second largest cryptocurrency exchange in Japan, had experienced the largest theft of crypto—in terms of dollar value at current market prices—to date.
News from the past weekend necessitates a follow-up. Recent announcements suggest that the exchange plans to reimburse users affected by the hack, although concrete plans haven’t been made to do so yet.
The Breach: A Review
Friday, over the course of several hours, an as-yet-unknown attacker (or group of attackers) siphoned off 525.3 million NEM tokens in a series of transactions from Coincheck’s NEM “hot” wallet. The size of the haul: around $500 million worth of NEM, give or take a bit depending on how you calculate the price.
No other cryptocurrencies held by the exchange were affected by the breach. As initial news was breaking, early reporting from some outlets like Bitcoin.com, as well as social media commentary, suggested that $123 million worth of ripple was moved off of one of the exchange’s wallets in a single transaction. But it appears as though that transfer was intentional and made as a precautionary measure by Coincheck’s security team. Warren Paul Anderson, a product manager at Ripple Labs, said on Twitter that the Coincheck team reached out to say that “all” ripple tokens are safe.
A Putative Promise To Pay Back
This weekend, in a post to the company’s blog put out after midnight local time on Sunday, Coincheck executives announced that affected users will be reimbursed for their losses in Japanese Yen. According to the announcement, “approximately 260,000” Coincheck users will be reimbursed 88.549 JPY (approximately 81.5 cents, in USD) for each NEM token lost from their account.
The announcement from Coincheck says that the compensation rate was determined by taking the weighted-average exchange rate of the NEM-JPY pair on Zaif—the exchange currently operating the largest-volume NEM-JPY market in the world—at the time Coincheck froze trading.
Coincheck’s statement also says that compensation will be paid out of its own cash reserves and that the exchange “is committed to restarting services,” investigating the cause of the breach, and strengthening its security.
A Gaping Security Hole
Coincheck kept 100 percent of its NEM tokens in online “hot” wallets, according to reporting from the Japan Times. According to information provided to the Japan Times by “informed” but unnamed sources, Coincheck submitted its registration paperwork to Japan’s Financial Services Agency (FSA) in September. According to these sources, “FSA highlighted the risk of unauthorized accesses taking place in its computer system and urged it to strengthen security.”
Jeff McDonald, VP of the NEM Foundation, told the “Inside NEM” podcast that “when the funds were moved out of Coincheck it would appear that all the funds were in a hot wallet that had an exposed API and probably [an] exposed private key.” He later added that Coincheck should have used a “cold” (i.e. offline) wallet system, as well as multi-signature keys for its hot and cold wallets, considering that the NEM protocol makes these features easy to implement.
“There’s a lot of things that Coincheck… and I’m not pointing fingers. They are wonderful guys… but there is a lot of things they could have done to have [made] this impossible,” McDonald said according to a transcript of the podcast. “I hope that other exchanges implement a cold wallet system on either… or… or at least both. That would be awesome. And other exchanges have implemented a cold wallet system. It’s actually the most secure way to secure funds.”
Open Questions Abound
The statement says Coincheck will continue to pursue licensing and registration as a virtual currency exchange with the FSA.
According to reporting from the Financial Times, the FSA ordered a full report on the security breach, as well as detailed plans for how the exchange will improve its security, to be submitted by February 13.
Coincheck has yet to provide a detailed plan or timeline for disbursing funds to affected users. At time of writing, trading on the exchange, as well as withdrawals of currencies aside from bitcoin, hasn’t resumed.