Financial watchdog raps Coincheck over lax security following massive hack

by Alex Martin

Staff Writer

The government’s financial watchdog took administrative action Monday against Coincheck, the major cryptocurrency exchange hit last week by the largest theft of digital money on record.

The Financial Services Agency (FSA) said it issued a business improvement order for Coincheck’s operations after NEM coins worth ¥58 billion — almost all of the customer assets it was holding — were stolen from the exchange Friday.

The costly hack underscored the security and regulatory difficulties surrounding bitcoin and other virtual currencies that are currently enjoying a global trading boom. The incident also came after the government made legal revisions in April to tighten Japanese regulations on cryptocurrency exchanges, amid surging interest in blockchain technology and following the collapse of bitcoin exchange Mt. Gox in 2014.

The FSA said it had ordered Coincheck to investigate the root cause of the hack and clarify responsibility after it questioned the company’s executives. The watchdog also asked the company to draw up prevention and risk management measures, and explain how it plans to deal with its customers.

The FSA set a Feb. 13 deadline for Coincheck to report back, saying it would consider on-site inspections if necessary.

In a statement, Coincheck said it will follow the FSA’s guidance and pledged to improve its operations.

On Sunday, the company said it will repay all 260,000 customers impacted by the theft. The reimbursement will stand at about ¥46.3 billion due to drops in the market price of NEM coins, which have been among the most popular digital currencies in the world.

The FSA said it was not yet aware of when and how Coincheck plans to repay its customers, or whether it has sufficient resources to do so.

Coincheck is not a registered operator but has applied to the agency for a license as an exchange. It has been operating under FSA rules while waiting for a decision. The FSA said there were currently 16 registered exchanges and 16 waiting for approval while operating.

The watchdog said it will continue to raise awareness following the cyberheist, which has jolted the nation’s cryptocurrency market, and that it has asked exchanges to review their security operations. It also plans to conduct hearings on the matter.

Meanwhile, the Metropolitan Police Department will launch an investigation into a suspected violation of the law prohibiting unauthorized computer access, according to local media reports.

The heist occurred as Coincheck was stepping up marketing efforts. In December it began airing commercials on national television featuring a popular comedian. The segment touted the exchange as the No. 1 application for cryptocurrency trading in terms of user numbers.

The scandal has triggered an immediate public backlash. Worried investors with assets in Coincheck gathered at the company headquarters after the heist was disclosed Friday. The exchange froze all withdrawals along with trading in 13 of the currencies it handles — all except bitcoin.

During a late-night news conference Friday, Coincheck executives were grilled over the company’s security.

Virtual currencies are managed using “wallets.” Most exchanges store data in “cold wallets” that are not connected to the internet. But Coincheck CEO Koichiro Wada said that for NEM coins, the company kept the currency in a “hot wallet” connected to external networks, making it more vulnerable to fraudulent external access.

Moreover, for NEM coins, the company had yet to install “multisignatures,” a security measure that requires several signoffs before funds can be transferred and that is recommended by the Singapore-based NEM Foundation, which created the currency platform.

Yusuke Otsuka, a Coincheck director, told reporters Sunday that the company had no clear idea when the exchange would be able to resume operations or when it could reimburse customers. He said, however, that the company had good prospects for securing funds for the repayment and had adequate cash and deposits.

Jeff McDonald, vice president of the NEM Foundation, said in a statement Sunday that it is reaching out to exchanges and exploring three different options, without elaborating on what exactly these were.

“We also have a full account for all of Coincheck’s lost XEM (NEM) on the blockchain,” he said. “At this time, the hacker has not moved any of the funds to any exchange, nor to any personal accounts of NEM community members.”

The foundation said it is creating an automated tagging system that will follow the money and tag any account that receives tainted money. It said it has shown exchanges how to check if an account has been tagged to prevent stolen funds from being cashed or converted to other cryptocurrencies.

Information from Kyodo added