
Coincheck targeted by suspicious traffic for weeks before NEM heist

Bogus email to employees may have delivered virus that allowed for system hack

Suspicious communications between Tokyo-based Coincheck and servers outside Japan went on for weeks before a $542 million cryptocurrency theft, a new finding suggests. (Photo by Rie Ishii)

TOKYO -- Suspicious communications between the computers of Tokyo-based cryptocurrency exchange Coincheck and unidentified servers outside Japan began weeks before the Jan. 26 theft of 58 billion yen ($542 million) of the cryptocurrency NEM, a new finding suggests, according to a person close to the police investigation.

The finding suggests someone hacked into the Coincheck system via employee email and stole a "private key" necessary to transfer NEM.

According to the person, in early January several Coincheck employees received English-language emails appearing to be internal messages from a colleague. Once the sender's address was clicked, the user's computer was infected with a virus that enabled it to be operated from outside the company.

Soon afterward, Coincheck's system began contacting external servers in Europe and the U.S. without proper instructions. The suspicious communications went on until almost midnight on Jan. 25, then stopped as a large amount of NEM began moving out of the exchange's system soon after the date changed to Jan. 26.

Takayuki Sugiura, head of the Tokyo-based information-security consultancy L Plus, said it was likely someone repeatedly accessed Coincheck's server to steal the private key for the NEM transaction. Sugiura estimates that roughly 40% of the NEM stolen, worth about 25.5 billion yen, has already been exchanged for bitcoin and other currencies.

On about Feb. 7, messages seeking to exchange NEM for other virtual currencies appeared on an anonymous "dark web" site.

The Tokyo Metropolitan Police Department has deployed about 100 police officers to analyze records of suspicious access to the Coincheck server and possible connections with the NEM theft.

The stolen money that has been converted to bitcoin is being kept in several e-wallets, with hundreds of millions of yen in each, the person close to the investigation said, adding that individuals involved in the NEM heist are preparing to change the currency into cash at exchanges outside Japan.
