Japan cryptocurrency hack highlights oversight challenges
Coincheck lost $533m in just 20 minutes, drawing rebuke from finance minister
Nikkei staff writers
TOKYO -- Japan's financial regulator has ordered improvements at Coincheck after the cryptocurrency exchange lost 58 billion yen ($533 million) worth of digital currency to hackers, signaling a broader reckoning for exchanges that have let user protection measures slip in their rush to attract customers, and underscoring the difficulty of regulating this field.
Coincheck has not sufficiently analyzed the root cause of the breach, nor has it adequately considered measures to prevent a recurrence, a spokesperson for the Financial Services Agency told reporters Monday afternoon. Finance Minister Taro Aso told the Japanese parliament's lower house budget committee on Monday that Coincheck's security setup "lacks basic knowledge and common sense."
The rebuke came just three days after nearly all NEM -- a type of virtual currency -- in Coincheck's digital wallets was illicitly transferred out. The FSA has given the exchange until Feb. 13 to respond with a plan to improve risk management and prevent another hack. Police have already met with Coincheck officials and launched a full investigation into the possible violation of laws on computer and network access.
The watchdog in April 2017 became one of the world's first regulators to require registration by cryptocurrency exchanges, in light of legal changes that took effect that month. But this seems to have given investors a false sense of security about virtual currencies, opening the floodgates to speculation. Though the law implemented in April also labeled virtual currencies as methods of payment, rather than actual currencies, this designation belies the high volatility and risk involved in trading such assets.
Yet regulating virtual currencies more tightly in the wake of the Coincheck breach carries its own problems. While doing so might put consumers' minds at ease, it could also raise barriers to entry in the industry, hindering the spread of useful and convenient technologies. The FSA has said only that it will work to strike a balance between innovation and user protection if it moves to strengthen regulations.
In the meantime, the agency has said it will conduct an emergency survey of Japan's cryptocurrency exchanges to gather information on safety measures and other systems. In particular, the FSA looks to see whether companies are managing virtual currency accounts on so-called cold wallets disconnected from outside networks, and whether they are using multisignature security systems, which split up security keys among multiple devices or users.
Coincheck took neither of these precautions with its NEM accounts. Nor was the exchange able to detect the illicit transfers in time to stop them. The first transfer was made just after midnight Japan time on Friday, and by 12:21 a.m. the equivalent of around 57.6 billion yen had been taken -- 99% of the total amount stolen. Another 400 million yen or so in NEM was transferred out throughout the morning, before the exchange noticed, at around 11:25 a.m., that its NEM balance was unusually low.
Exchanges typically rely on ease of use and low service fees to attract users, and "security measures, which do little to draw customers, have fallen by the wayside," according to Itsuro Nishimoto, president of security services provider Lac.
Major Tokyo-based exchange bitFlyer has taken to using cold wallets for all six of the cryptocurrencies it handles in the wake of the Coincheck breach. Bitbank, another Tokyo exchange, is taking steps that will let it more quickly detect illicit outside access to its accounts.
There are also concerns about whether exchanges are doing enough to separate customer funds and operating accounts, as the law requires. The FSA is looking into whether virtual currencies should be put in trust to ensure their safety in the event of an exchange's collapse. This is a common practice among securities brokerages and foreign exchange margin trading companies when dealing with customer assets.
Coincheck looks to repay in yen the roughly 260,000 customers who had NEM on deposit. Japanese residents will have to report capital gains from trading in virtual currency as miscellaneous income, subject to a 15-55% tax, based on the filer's total income, in 2019.
Japan is not the only country grappling with such regulatory challenges. South Korea has been struggling with how to regulate virtual currencies after a rash of hacking last year. The newspaper Dong-A Ilbo has reported that South Korean exchanges are even more vulnerable than Coincheck was to security breaches.
The government in Seoul unveiled new regulations in December, including a requirement that traders in virtual currency use their real names. Authorities have even considered shutting down exchanges entirely, only to be met with fierce backlash from young investors and other cryptocurrency proponents concerned that South Korea could fall behind in the field. China, for its part, moved last fall to ban so-called initial coin offerings and shutter cryptocurrency exchanges, intending to stem capital flight and avoid shocks to the financial system.
Authorities have reason for concern. Virtual currencies are a favorite target of hackers in North Korea and elsewhere, and can be used by groups such as terrorist organizations to launder money. Malaysia's central bank is weighing information disclosure requirements for currency exchanges to combat these risks. Valdis Dombrovskis, vice president of the European Commission, urged European Union financial authorities to consider strengthening oversight of cryptocurrency operations in a letter sent in December. The U.K.'s Financial Conduct Authority advises consumers that any and all money invested in virtual currencies could be lost.
Group of 20 finance ministers and central bankers will discuss possible rules for virtual currencies when they meet in Argentina in March. Cryptocurrency's "anonymity, lack of transparency and the way in which it conceals and protects money laundering" and "financing of terrorism" is unacceptable, according to Christine Lagarde, managing director of the International Monetary Fund.
Nikkei Inc. group company QUICK holds an equity stake in bitFlyer.