TOKYO -- Japan's Financial Services Agency on Monday took administrative action against hacked cryptocurrency exchange Coincheck, following the theft of 58 billion yen ($534 million) worth of NEM digital money.
In an afternoon news conference, the watchdog said it ordered the exchange to investigate the vulnerabilities that led to last Friday's heist and submit a plan for "effective system risk management" to prevent a recurrence.
The FSA ordered Coincheck to "take appropriate measures for its customers," bolster its management practices and "clarify the bearer of responsibility" for such incidents. The exchange is required to submit a written report to the FSA by Feb. 13.
"Inappropriate management of system risks had become the norm at Coincheck," the FSA said.
The watchdog will also look into other cryptocurrency exchanges to ensure they have adequate safety mechanisms in place. This may include on-site inspections.
Coincheck will refund all of the roughly 260,000 NEM holders in yen, the company said in a statement on Sunday. Chief Operating Officer Yusuke Otsuka told reporters that customers will be reimbursed out of the company's cash holdings. Otsuka said no date has been set for the payments or for a restart of transactions on the exchange.
The NEM extracted from Coincheck's system has not been exchanged into cash or other forms of cryptocurrency, according to Otsuka. "We have found no traces of the lost cryptocurrency being converted into hard currency," he said. "We are exploring all possibilities, including recovering the stolen amount."
The blockchain system used for cryptocurrencies allow participants to cross-monitor transactions. This is how the company knows the money has not been converted. In theory, the online address that holds the stolen NEM can be identified, though the address holder's identity and geographic location cannot be determined.
Industry stakeholders have blasted Coincheck's lax practices, which included storing secret information online rather than offline. The critics include Yoichi Miura, president of blockchain system developer Xbridge; Kenji Saito, a senior researcher at Keio University; and Shuhei Fujise, chief analyst at cryptocurrency market research company Alt Design.
"It is highly likely that the regulator will raise the screening standards for cryptocurrency exchange registration," Fujise said of the knock-on effects from the case.
The FSA has sought information from Coincheck on why it had not put recommended measures in place. "We have to take into account the major impact on society," a senior FSA official said of the agency's response to the incident.
The unauthorized access to Coincheck's system, which appears to have cleaned out virtually all of customers' NEM holdings, marks the biggest loss of cryptocurrency since the 2014 breach at Tokyo-based exchange Mt. Gox, when bitcoin worth 47 billion yen at the time vanished.
Meanwhile, in the wake of the latest hack, two trade groups in Japan's booming cryptocurrency sector have decided to merge into a self-regulatory body -- a step they had hesitated to take before.
The Japan Blockchain Association -- which includes bitFlyer, the nation's biggest cryptocurrency exchange -- and the Japan Cryptocurrency Business Association still have to hammer out the details of the merger.
The FSA had been urging them to join forces, but they had been unable to agree on a way forward until now. The new, broader organization could make it easier to set common rules for protecting investors, such as managing customer assets separately from the exchanges' capital. Having uniform disclosure standards would also aid customers in choosing an exchange.
Cryptocurrencies are increasing in number and spawning offshoots at a pace that tests regulators' ability to keep up. Japan has taken a relatively light-touch approach to regulating cryptocurrency activity compared with China, which has clamped down after an early surge in trading.
Japanese stocks related to virtual money were performing relatively well on Monday, largely because the price of bitcoin -- the most widely used cryptocurrency -- was stable in the aftermath of the Coincheck heist. Bitcoin is trading at around $11,500 at the moment, little changed from last Friday. GMO Internet, which counts cryptocurrency exchange GMO Coin as a subsidiary, gained 7% in the morning session. Ceres, which invests in cryptocurrency companies, finished the morning up 5%.
The NEM price was floating around $0.95 before the Coincheck news broke. It fell to $0.8 afterward but has rebounded back to about $1.
Nikkei Inc. group company QUICK holds an equity stake in bitFlyer.
Nikkei staff writers Masayuki Yuda and Tomomi Kikuchi in Tokyo contributed to this report.