Tokyo-based cryptocurrency exchange Coincheck Inc. said it will use its own capital to reimburse about ¥46.3 billion ($400 million) to all 260,000 customers who lost money in Friday’s theft.
The company will repay all 260,000 users impacted by the theft of NEM coins, at a rate of ¥88.549 (81 U.S. cents) each, according to a statement posted on its website after midnight Sunday. A total of 523 million coins were stolen, resulting in the loss of almost all customer assets in NEM.
The value of the stolen assets has fallen from the initially estimated ¥58 billion due to drops in the market price of NEM.
The firm said it has yet to fix the details of the reimbursement, including the timing.
But Yusuke Otsuka, a Coincheck executive, told reporters later on Sunday that the company will repay clients with its yen deposits. He also said the lost NEM coins have not yet been converted to cash and that he will see if the company can get them back.
Coincheck has halted withdrawals of assets in all virtual currencies in the exchange and trading in all currencies other than bitcoin. It said it aims to restart its services after strengthening security measures and determining the cause of the asset loss.
The announcement came less than 48 hours after the hack was discovered Friday. The attack shocked Japanese policymakers, who introduced legislation last April to prevent such incidents, and piled pressure on global cryptomarkets wary of rising scrutiny from regulators.
The Financial Services Agency is looking at issuing a business improvement order to Coincheck over the loss, informed sources said Sunday.
The order would be issued under the revised law on fund settlement.
The FSA could ultimately order the Tokyo-based company to suspend some of its business operations, according to the sources.
Later Sunday, Coincheck made reports to the FSA on the damage from unauthorized access to its computer system and its policy of compensating customers.
The FSA had urged Coincheck to address security concerns about the way it manages customer assets before Friday’s theft.
Cryptocurrency exchanges manage customer holdings in two types of accounts — “hot wallets,” which are connected to the Internet for quick trading, and “cold wallets,” which remain offline.
Exchanges in Japan are required to register with regulators under the revised law on fund settlement that took force in April.
As part of questionnaires issued in late August, the FSA asked exchange applicants how their assets were distributed in the two types of accounts.
Coincheck, it turns out, managed all of its NEM coins in hot wallets.
After the company filed for registration in September, the FSA highlighted the risk of unauthorized access to its computer system and urged it to strengthen security, sources said.
An industry source said it is the norm for about 90 percent of customer assets to be managed in cold wallets.
The FSA usually decides whether to approve the registration of a virtual-currency exchange after about two months. But Coincheck’s application remains under review, some four months after filing.
Until the FSA reaches a conclusion, the company is allowed to broker currency trading as it has been in business since before the revised law took effect.
If Coincheck successfully navigates the theft, the turnaround wouldn’t be the first in the cryptocurrency world. Bitcoin exchange Bitfinex also overcame a $69 million heist and last year repaid most customers who lost money in the August 2016 attack.