TOKYO -- Cryptocurrency exchange Coincheck has confirmed that some 58 billion yen ($534 million) in customers' virtual currency holdings were taken from its wallets Friday, in what appears to be the biggest virtual currency heist to date.
At around 3 a.m. Friday, essentially all NEM -- a type of virtual currency -- held by the Tokyo-based exchange was illicitly transferred out of its digital coffers. Coincheck discovered the breach after 11 a.m., and soon halted withdrawals in all currencies. Trading is on hold for all virtual currencies except bitcoin.
The exchange is currently determining how many customers were affected, and has said it is considering possible responses, including compensation for those whose NEM was taken.
Coincheck managed its NEM accounts on systems vulnerable to hacking via external networks. Such an attack may have been behind Friday's theft.
Coincheck "deeply regrets" the incident, CEO Koichiro Wada told reporters Friday night. The company "is currently determining what impact the breach will have on our finances," said Yusuke Otsuka, chief operating officer. The theft has been reported to Japan's Financial Services Agency as well as to police, and the exchange is urging its peers to halt trading in NEM.
Lon Wong, president of the Nem.io Foundation created to promote the technology underlying NEM, wrote on Twitter that "It's unfortunate that Coincheck got hacked," but said the foundation is "doing everything we can to help."
Coincheck is one of Japan's top virtual currency exchanges, alongside Tokyo-based bitFlyer. It has attracted users by offering a wide variety of cryptocurrencies. While Coincheck does not say how many accounts it hosts, an industry insider says the exchange holds "hundreds of billions of yen in customer assets." Customers took to social media Friday night, airing concerns about the fate of their cash and cryptocurrency holdings.
Since April 2017, Japan has required cryptocurrency exchanges to register with the FSA and manage customer accounts separately from the exchange operator's own funds. More than one-third of the roughly 40 exchanges in Japan before those requirements took effect have folded rather than make the necessary investments to upgrade their systems. Coincheck has applied for registration, though its application remains under review.
These rules are largely a response to the 2014 collapse of Japanese bitcoin exchange Mt. Gox -- then the largest in the world -- after hackers stole roughly 47 billion yen in bitcoin holdings. But it is questionable whether other exchanges have taken the lessons of that incident to heart.
"Taking security measures yields no clear benefit in terms of attracting customers," and so many exchanges "have been lax" on that front, according to Takenori Kiuchi, a cybersecurity expert at NRI Secure Technologies. Despite fairly small outlays on systems development, exchanges have been spending heavily on ads to attract new customers. Coincheck, for example, began in late December broadcasting television commercials featuring a popular comedian.
The risks of leaving exchange systems connected to the internet, as may have been the case at Coincheck, are well documented. North Korea is thought to have launched a number of cryptocurrency raids, including a recent attempted attack on 10 South Korean exchanges. Personnel linked to those exchanges received an email containing malware that could have stolen passcodes to exchange accounts.
These threats have even forced some South Korean exchanges to shut down. An attack in December on Seoul-based Youbit robbed the exchange of nearly 20% of its asset reserves, forcing parent Yapian to file for bankruptcy.
A recent upswing in virtual currency trading has made addressing security risks all the more pressing. At its peak in December, bitcoin was worth 20 times what it was at the beginning of 2017. Even novice investors plunged funds into all manner of cryptocurrencies, fearful of missing out on the next big opportunity.
Around 40% of bitcoin trading is conducted in yen, the highest share attributable to any currency in the world. Around 1 million Japanese residents were said to have virtual currency accounts in the latter half of 2017; that figure recently seems to have surpassed 1.5 million.
Nikkei Inc. group company QUICK holds an equity stake in bitFlyer.