TOKYO -- Suspicious communications between the computers of Tokyo-based cryptocurrency exchange Coincheck and unidentified servers outside Japan began weeks before the Jan. 26 theft of 58 billion yen ($542 million) of the cryptocurrency NEM, a new finding suggests, according to a person close to the police investigation.
The finding suggests someone hacked into the Coincheck system via employee email and stole a "private key" necessary to transfer NEM.
According to the person, in early January several Coincheck employees received English-language emails that appeared to be internal messages from a colleague. Once the sender's address was clicked, the user's computer was infected with a virus that enabled it to be operated from outside the company.
Soon afterward, Coincheck's system began contacting external servers in Europe and the U.S. without proper instructions. The suspicious communications went on until almost midnight on Jan. 25, then stopped as a large amount of NEM began moving out of the exchange's system soon after the date changed to Jan. 26.
Takayuki Sugiura, head of the Tokyo-based information-security consultancy L Plus, said it was likely someone repeatedly accessed Coincheck's server to steal the private key for the NEM transaction. Sugiura estimates that roughly 40% of the NEM stolen, worth about 25.5 billion yen, has already been exchanged for bitcoin and other currencies.
On about Feb. 7, messages seeking to exchange NEM with other virtual currencies appeared on an anonymous "dark web" site.
The Tokyo Metropolitan Police Department has deployed about 100 police officers to analyze records of suspicious access to the Coincheck server and possible connections with the NEM theft.
The stolen money that has been converted to bitcoin is being kept in several e-wallets, with hundreds of millions of yen in each, the person close to the investigation said, adding that individuals involved in the NEM heist are preparing to change the currency into cash at exchanges outside Japan.