TOKYO -- The Japanese cryptocurrency exchange that lost over 7 billion yen ($61.5 million) to hackers last month has yet to repay the victims of the breach, while both industry and regulators seek stronger consumer protections against the risks plaguing the field.
Tech Bureau, the Osaka-based operator of the virtual currency trading platform Zaif, said Monday it needed more time to finalize a compensation framework for investors harmed by the Sept. 14 cyberattack. The company said earlier it hoped to reach that goal by the end of September.
When Tech Bureau publicized the breach on Sept. 20, it also announced a basic agreement to sell a majority stake for 5 billion yen to an affiliate of Fisco, which oversees another cryptocurrency exchange in Tokyo. Some of that money would be used to compensate clients for the roughly 4.5 billion yen in digital coins stolen from customers. But Tech Bureau said Monday that the two sides continue to discuss terms of the deal.
Cyberthieves snatched over 4.2 billion yen worth of bitcoin, though the heist targeted Monacoin and Bitcoin Cash as well. Tracking down the recipients of the stolen coins remains a complicated task.
"Bitcoins can be divided into small anonymous transactions, which can then be immediately transferred to overseas cryptocurrency exchanges and gradually converted to cash," a cryptocurrency operator said.
Tech Bureau raised 10.9 billion yen through initial coin offerings as of November 2017, with the stated purpose of bolstering development of blockchain technology. The Financial Services Agency, the Japanese regulator, is looking into the whereabouts of the capital as part of a larger investigation.
The latest hack follows the roughly 58 billion-yen breach at Coincheck in January, indicating a structural problem with cryptocurrencies themselves.
Both thefts involved unauthorized access to hot wallets, or client accounts constantly connected to the internet. Funds can be safeguarded in offline "cold wallets," but that option sacrifices areas of user-friendliness such as less time spent depositing and withdrawing funds.
"Exchange operators should overhaul their security, including hot wallets," said Naoyuki Iwashita, a professor at Kyoto University. "We are well past the point of handling massive amounts of funds with the mindset of startups."
Echoing those concerns, the self-regulatory Japan Virtual Currency Exchange Association looks to cap the availability of funds in hot wallets at roughly 10% to 20% of customer assets.
When Japan enacted rules last year requiring cryptocurrency exchanges to register with the government, the primary objective was to prevent money laundering. Authorities have begun considering additional rules to govern what has proven to be a market fraught with risks.
The FSA opened a meeting Wednesday tasked with exploring additional controls covering exchange operators, derivatives trading and initial coin offerings. Digital currencies deemed to present problems with consumer protection could face bans.
Participants at Wednesday's meeting also discussed improving transparency in how cryptocurrencies are valued. Taizen Okuyama, chairman of the JVCEA, cited the group's plan to reveal client account numbers and other data on a monthly basis.