TOKYO -- The theft of 58 billion yen ($526 million) in cryptocurrency from Japan's Coincheck last week demonstrated that profit-focused exchange operators have neglected critical infrastructure, including protections for investor assets.
When Coincheck said early Sunday morning it would refund 80% of the value of the stolen virtual currency out of its own pocket, the news astonished a 29-year-old Tokyoite with an account at the exchange. "It has 46 billion yen in cash?" the office worker wondered.
If Coincheck does have the funds, its lucrative business model offers a hint as to why. The exchange tacks a fee -- which reportedly can run as high as 10% -- onto each trade. This is well above the rates of less than 1% at foreign exchange margin trading companies.
Unlike traditional stock exchanges, which match buy and sell orders from customers, cryptocurrency exchanges also fill orders from their own accounts. This method is often used with digital currencies aside from bitcoin, which tend to be less liquid. As such, the practice was highly profitable for Coincheck, which deals in a broad range of cryptocurrencies.
The exchange enjoyed meteoric growth, leaving rivals in the dust. It logged 3.2 trillion yen in bitcoin transactions in December alone. Given the hefty fees levied on trades, Coincheck likely raked in profits of more than 30 billion yen in some months.
This cash was poured into advertising and promotions, including commercials featuring popular comedian Tetsuro Degawa that drew in housewives and students. "Even our accounts grew significantly thanks to those commercials," an executive at a rival exchange said.
But amid this expansion, Coincheck neglected to upgrade key systems. The exchange failed to take even basic precautions against hacking, such as using "cold" digital wallets unconnected to outside networks.
Digital currencies have become a favorite target for hackers. Exchanges in South Korea faced a rash of cyberattacks that the country's National Intelligence Service pinned on a North Korean group. "If the exploit [used in the Coincheck hack] is the same as in the South Korean incidents, then it's very likely that North Korea was involved," said Toshio Nawa at Japan's Cyber Defense Institute.
Despite its prominence in the industry, Coincheck operates without a license from the Financial Services Agency. The watchdog has yet to approve the exchange's application, expressing reservations about its dealing in "anonymous" cryptocurrencies such as Monero, Dash and Zcash. Because these digital currencies lack traceable transaction records, they lend themselves to money laundering.
"The FSA was right not to register" Coincheck, Shinji Kimura, CEO of mobile payment app provider AnyPay and an expert on the digital-currency industry, said Monday.
Some suspect Coincheck may be just the tip of the iceberg. The FSA on Thursday ordered all cryptocurrency exchange operators to examine and promptly submit reports on risks in their systems.
After legislation providing a legal framework for virtual currencies took effect in April, the FSA introduced one of the world's first registration systems for cryptocurrency exchanges. Exchange operators are required to get official approval as well as manage customer assets separately from their own.
Such rules are par for the course in the financial industry. The regulations for brokerages and foreign exchange margin trading companies are even more stringent. All assets deposited by customers must be put into trust accounts, ensuring they remain safe even if the institution goes bankrupt. Brokerages have an additional layer of protection, with a joint fund that compensates customers if assets are not returned.
Because the cryptocurrency industry lacks such safety nets, the failure of one exchange would hurt a wide range of users.
That the FSA raided Coincheck's offices just four days after slapping the exchange with an improvement order and seven days after the hack indicates that it feared losing vital information. "If you don't investigate in real time, you can't get the full story," a senior FSA official said.
Cryptocurrency exchanges also lack a self-regulatory organization tasked with writing rules for the industry, unlike other areas of the financial sector. Two rival trade groups have finally begun discussing a merger, but actual rules remain some way off.
The industry is "paying the price for getting carried away by surging prices and putting off rule-making," Kabu.com Securities President Masakatsu Saito said, echoing many in other corners of the financial sector.