On Friday afternoon in Japan, Coincheck, a Japanese cryptocurrency exchange, made a cascade of concerning announcements in a post on the company blog.
At 12:38 PM local time, the exchange halted all purchases of NEM, a token on a distributed blockchain of the same name. Fourteen minutes later, NEM withdrawals were stopped. A few hours later, all withdrawals, including of Japanese Yen, were placed on hold. By 6:19 PM JST, all financial inputs and outputs, except for bitcoin, had ceased.
What happened? Apparently, the largest crypto theft in the history of crypto thefts.
Here’s What Happened
Here’s what is known: According to reporting from Reuters, CNBC, Bloomberg, and crypto-focused news outlets like The Merkle, CoinTelegraph, and others, Coincheck experienced a serious security breach.
You can see on the blockchain that around 523 million NEM tokens were extracted from Coincheck’s “hot” wallet to the hacker’s address in eight transactions starting at 3:02 and 3:21 AM local time.
Eight hours later, the hacker stole another 2.3 million NEM, sending it to the same address. This indicates that Coincheck was unaware of the security breach for some time. Typically, exchanges either stop all transactions to or from their hot wallets, or they detect and blacklist certain addresses. CoinTelegraph has also reported that Coincheck didn’t store its NEM in a more secure multi-signature wallet, opting instead for a simpler single-signature wallet setup. Coincheck said the exchange uses multisig wallets for bitcoin and keeps most of its bitcoin and ether reserves in cold storage.
At the time the NEM was exfiltrated, the average price of the cryptocurrency was approximately $0.95, according to pricing data from Coinmarketcap. The combined 525.3 million NEM stolen, some 5.8 percent of the total circulating NEM supply, is valued at roughly $500 million. (Note: due to exchange rate differences between the US Dollar and Japanese Yen, many news outlets are reporting the 58 billion JPY worth of crypto is valued at around $534 million.)
The Number One Rank Nobody Wanted
The Coincheck hack marks the largest single loss of cryptocurrency due to theft, fraud, or technical error. It also gives Coincheck the dubious distinction of losing the most money, in terms of market value at the time of transaction, even when compared with those that suffered multiple thefts. Below, we’ve charted the biggest unreversed losses to date:
Coincheck unseats Mt. Gox as the most significant loss of cryptocurrency of all time. Back in February 2014, Mt. Gox announced that 850,000 bitcoins had been stolen, but 200,000 of those have since been recovered. The total market value at the time of the theft was approximately $460 million.
Parity, which bills itself as the “fastest and most secure way of interacting with the Ethereum blockchain,” (their emphasis) managed to lose track of a cumulative $182 million due to theft and technical error. In July 2017, 153,037 ether—valued at approximately $32 million at the time—were stolen due to an error in Parity’s multi-signature contract setup. In November 2017, an additional $150 million was rendered inaccessible due to a bug in its software. However, some reports, including one from The Guardian, suggest that the November loss could go as high as $300 million.
Bitfinex (often spelled out in all-caps) lost 119,756 bitcoins, valued at $72 million, in an August 2016 hack. An earlier hack in May 2015, of a comparatively modest 1,500 bitcoins, lost $350,000 in user funds.
We were somewhat hesitant to include the DAO, an early ethereum-based project which lost $60 million in a theft. To return lost assets, the ethereum blockchain was hard-forked. No plans to hard-fork NEM have been announced.
Finally, the December 2017 hack of Nicehash, a bitcoin mining pool, was the most recent major theft of cryptocurrency before the Coincheck breach today. A total of 4,736 bitcoins was stolen near bitcoin’s all-time-high valuation, losing users $67 million at the time.
What Happens Next?
There are still a lot of unknowns to sort out here. Although this isn’t a breach of the NEM protocol itself, there may be pressure from the community to hard-fork its blockchain to reverse this loss.
There’s also the question of regulatory response. Earlier this week, Crunchbase News documented a contraction in crypto valuations as traders processed news of looming controls in South Korea and China. Although the Japanese government has taken a fairly hands-off approach to crypto-market regulation, that may change going forward.
One thing is almost certain though: disasters, human and natural, deemed “the worst ever” rarely keep that designation. If the crypto economy is going to grow as much as its enthusiasts hope, this half-billion-dollar loss may only be a drop in the bucket.