On September 20th, crypto community news outlets reported that yet another exchange, and more specifically yet another Asian exchange, had been the victim of a hack.
It was on that Thursday morning that Tech Bureau, the operator of the Japanese cryptocurrency exchange Zaif, notified users that malicious third parties had managed to steal $60 million worth of digital currencies.
Concerns were initially raised earlier in the week, when Tech Bureau tweeted via their official Twitter account that they had suspended deposits and withdrawals of Bitcoin and Monacoin due to a ‘server failure.’ This was followed by the announcement that the same procedure now applied to Bitcoin Cash. Tech Bureau then tweeted on Tuesday ‘confirming the safety of customer assets.’
However, according to their Thursday announcement, Zaif initially detected an irregularity on Monday and notified the Financial Services Agency (FSA) on Tuesday. The breach developed around 5-7pm, by which time, unfortunately, unauthorized disbursement had already materialized.
The stolen funds were lifted from the notoriously risky ‘hot wallets’, which are connected to the internet 24/7 for easy deposits and withdrawals but compromise security by doing so. The vulnerabilities of this method were painfully exposed by the Coincheck hack, in which the exchange was breached through the same architecture.
The FSA had previously ordered Tech Bureau twice to improve its operations, along with their response to system failures, and following this recent hack issued a third business improvement order. The company still hasn’t announced any progress on those security measures or how the hackers infiltrated their systems in the first place.
Tech Bureau has said they will receive about $43 million in financial assistance from Fisco, a company which provides financial information services. They plan to compensate customers who have lost their funds, but as of yet, have not acknowledged specific guidelines intended for user remuneration.
Latest Hack in a Worrying Trend of Asian Exchanges
Throughout the relatively short history of blockchain technology and cryptocurrencies, Asian-based crypto exchanges have been particularly vulnerable to hacks when compared to their European and North American equivalents.
On January 26th earlier this year, Coincheck announced that the company had suffered the biggest hack in the history of cryptocurrencies and blockchain technology.
The exchange president Wakata Koichi Yoshihiro and Chief Operating Officer Yusuke Otsuka estimated the stolen funds to be approximately $533 million. Media reports estimated that 500 million NEM tokens were illegally taken from Coincheck’s hot wallets.
There had been rumors about a potential theft in the morning, when the exchange surprisingly froze most of its services. The firm then announced on its website the restriction of deposits, withdrawals, and trading of XEM, the token of the NEM ecosystem.
Around 30 minutes later, a much broader suspension on withdrawals of all cryptocurrencies along with the Yen was implemented. This preceded the restriction on trading of all cryptocurrencies, except Bitcoin.
The Nikkei Asian Review had, earlier in March, published an article describing malware emails that had been sent to numerous members of Coincheck staff a few weeks before the attack. This led many to believe that the employee email system was compromised, giving the hackers the opportunity they needed to steal the private key.
Being an exchange, Coincheck had access to substantial liquid capital, so it was able to announce that it would be refunding some fiat for users’ lost holdings via a $426 million fund for the victims.
In the immediate aftermath of the hack, NEM, at the time the 10th largest cryptocurrency by market cap, fell 11% over a 24-hour period to 87 cents. Bitcoin also dropped 3.4%, and Ripple retreated by 9.9%.
Bithumb Hack (June 2018)
Following on from the Coincheck hack, on June 19th, Bithumb, South Korea’s largest crypto exchange, was also hacked, with over $30 million worth of funds stolen. At the time of the attack, Bithumb ranked as the sixth largest cryptocurrency exchange worldwide by trade volume.
On June 19th at 12:49 UTC, Bithumb announced the temporary suspension of deposits due to a change in wallets with their exchange service. Coincidentally, during this move to an upgraded security feature, twelve minutes later Bithumb announced they were suspending all deposit and withdrawal services as a consequence of over $30 million being stolen from Bithumb wallets.
Through an official announcement on June 21st, Bithumb confirmed they would aim to compensate users who had lost funds. Bithumb also stated that their wallet system was to undergo a complete overhaul to better prepare against such attacks in future, while claiming ‘no damage’ would be felt by users, as a result of their long-standing separation of company and customer assets.
Bithumb had a history of attacks before this most recent one: in July 2017, 30,000 customers had their personal information stolen due to the security breach of an employee’s computer, resulting in some user losses.
Coinrail Hack (June 2018)
Somewhat strangely, in the same month that Bithumb was hacked, a second South Korean exchange, Coinrail, was also the victim of improper conduct.
Despite being one of the smaller exchanges, ranking just inside the world’s top 90 exchanges according to Coinmarketcap, Coinrail was hit with an attack that left it with more than $40 million in altcoins stolen.
The hackers managed to steal $19.5 million worth of Pundi X tokens; a further $13.8 million from Aston X, an ICO project to decentralize documents; $5.8 million in Dent tokens, a mobile data ICO; and over $1.1 million in Tron, which is a hugely popular project backed by Justin Sun.
Coinrail still hasn’t disclosed how it plans on compensating any unfortunate customers, but the ICOs have at least started to respond slowly. Following the hack, Coinrail transferred 70% of its assets into cold storage.
What Has The Response Been?
Currently, there are no established rules within cryptocurrency for compensating customers. The self-regulated Japan Virtual Currency Exchange Association is considering compensation protocols for thefts of digital currencies via cyber attacks, especially as the frequency of such incidents is increasing, with 158 cases reported nationally in the six months up to June 2018, 3 times higher than the same period last year.
Traditional centralized financial institutions already have existing corrective measures in response to hacking. Banks will reimburse customers for any funds deposited through stolen bank cards, under depositor protection laws. At securities companies, customers’ cash is usually placed in trust banks, with securities separately managed by institutions like the Japan Securities Depository Center. This means the threat of hacking remains low.
Incidents like the Coincheck hack had an adverse effect on cryptocurrency trading volume. Despite trading at around $20,000 at the end of last year, the price at the time of the hack declined to $6000. Unfortunate instances such as Coincheck’s only inflame concerns that investors will continue to drift away from cryptocurrencies.
The FSA intends to examine exchanges more effectively, analyzing their asset management systems for clients and the nature of their security measures. There is also the possibility that Tech Bureau will be hit with additional disciplinary actions.
The agency also hopes to restart screenings for newly registered exchanges; a process almost canceled following the Coincheck incident. Over 150 exchanges are on the waiting list for registration, but their examinations will now be modified to consider factors such as the strength of business plans, based on the conclusions of previous onsite inspections.
An FSA official proclaimed that the Zaif hacking “will likely have an impact on future screenings.”
In the financial technology industry, including cryptocurrencies, the FSA aims to foster innovation while safeguarding the interests of the users. In April 2017, Japan amended its payment services law to protect users and restrict money laundering.
Will This Be Enough to Increase Trust?
From a personal standpoint, strengthening regulations also leads to a dilemma. Even if Japan and fellow Asian countries, as well as countries worldwide for that matter, become firmer with exchanges, offenders will be able to bypass stricter rules by channeling funds via foreign intermediaries. Therefore, it will be necessary to encourage and create a useful framework for international collaboration.
However, the impact of the Zaif hack, especially on the Japanese market and regulation, is still not fully known as the FSA and Tech Bureau examine the cause. The market price was affected and may cause inconvenience within the cryptocurrency industry.
The FSA would need to reconsider the appropriateness of their regulation and implementation because Zaif was the first sizeable hacking incident of a registered company.
Despite the uncertainty, security and risk management should be the main priority for exchanges and investor protection. There will need to be stricter regulations and accountability for the parties responsible for indisputable negligence. The cryptocurrency market is still extremely volatile and yet to mature, meaning sensitivity to any bad news will be keenly felt – especially when concerning hacked exchanges.
Defining cryptocurrency exchanges as regulated financial institutions was a definite success, in that the exchanges require adequate security measures to operate.
The regulators will continue to do their best; however, so will the hackers.