TOKYO -- The massive theft of digital money at Coincheck, Japan's second-largest cryptocurrency exchange, was due to sloppy management that left a huge amount of customers' money at risk.
Some 58 billion yen ($533 million) in NEM cryptocurrency tokens was taken from customers' digital wallets Friday.
Japan's Financial Services Agency on Monday ordered Coincheck to improve the security of its operations.
Coincheck announced on Sunday that it will refund about 46 billion yen to all of the roughly 260,000 holders of the NEM digital currency. Customers' money will be protected, but Coincheck will have to cover the refunds as losses if the NEM tokens remain lost. The incident significantly undermined confidence in the cryptocurrency market.
"We basically manage all currencies in a 'cold wallet'," said Kariya Kayamori, CEO of Quoine, an operator of cryptocurrency exchange Quoinex based in Tokyo. A cold wallet refers to storage that is offline, not connected to networks, and is therefore much safer.
One of the reasons for the theft of NEM coins was the use of "hot wallets," which are connected to networks at all times. Unauthorized access could have been prevented if the digital money had been managed with "cold wallets," but the exchange could not provide this "due to technical reasons and understaffing," said Coincheck President Koichiro Wada.
Coincheck failed to manage other parts of its operation as well. Cryptocurrencies have passcodes called secret keys, but on their own they are not sufficient to protect the system from being hacked.
Therefore, exchanges use a system called Multisig, in which different secret keys are managed separately, to protect the system from being hacked and reduce the risk of theft. However, Coincheck did not use this system to manage NEM tokens.
NEM, which stands for New Economy Movement, was launched in late March 2015. In Japan, NEM is handled by Coincheck and Osaka-based companies Tech Bureau and Xtheta.
The Coincheck theft is likely to affect a wide range of users.
Brokerages and foreign exchange margin trading companies protect customers' assets by separately managing them and transferring them to the accounts of trust banks. Furthermore, brokerages have safety nets, such as setting up a joint foundation that compensates when customers' assets are not returned. Cryptocurrency exchanges, meanwhile, have no such systems.
Jeff McDonald, vice president of NEM Foundation, released a video on Saturday, saying that the foundation will cooperate with Coincheck and other exchanges to find out the cause of the unauthorized access. McDonald, however, denied the possibility of implementing a "hard fork," a mechanism by which administrators change transaction histories and restore the status before the unauthorized access.
As the token theft was not caused by a vulnerability in NEM technology, it will be difficult to persuade global traders to implement a hard fork.
Founded in 2012, Coincheck, headed by CEO Koichiro Wada, 27, is Japan's second-largest cryptocurrency exchange after Tokyo-based bitFlyer, which has the highest trading volume, through more than 1 million accounts. Coincheck handles 13 cryptocurrencies, including NEM, Bitcoin and Ethereum.
The incident has thrown cold water on the upward trend of the cryptocurrency market.
In 2017, NEM prices jumped 270-fold due to the currency's popularity among retail and other investors who missed out on the Bitcoin wave. On Thursday, the day before the theft was revealed, the digital currency was at around 100 yen per XEM. NEM prices dropped about 20% immediately after the theft was revealed, pushing down prices of Bitcoin, Ripple and other cryptocurrencies as well.
The theft may prompt retail investors -- who have flocked to cryptocurrency trading since late last year to benefit from soaring prices -- to start worrying and exit the market.
The effects have spread to payments for products and services using Bitcoin. Coincheck announced on Saturday that it will stop accepting withdrawals and new payments in yen for its Bitcoin service Coincheck Payment, starting on Saturday evening.
At 5 p.m. on Friday, Recruit Lifestyle, the retail support arm of human resources conglomerate Recruit Holdings, voluntarily stopped the Bitcoin payment services it had provided to Meganesuper and other businesses with Coincheck.
A conveyor-belt sushi restaurant in Tokyo's Ginza district, which had been using Coincheck's payment services, on Saturday decided to voluntarily stop accepting payments in Bitcoin. "We decided to halt the service as we were unsure if payments would be made. I'm sorry about what happened because [Bitcoin] was a good promotion," said the store manager.
Kenji Saito, part-time lecturer at the Keio Research Institute at SFC, points to a problem in the design of NEM systems. On NEM's network, according to Saito, how many NEMs are held and how often players participate in the network are important indicators for rewards.
Simply put, no matter how NEM tokens are obtained, players who participate in the network with many NEMs will be entitled to new tokens.