When Coincheck was hacked for a record $530 million (at the time) in January this year, it was right in the midst of the of the late 2017 and early 2018 ICO frenzy.
The sum was astonishing, and even surpassed the infamous Mt. Gox hack of 2014 where more than 850,000 BTC — $460 million and 6% of the total BTC in circulation at the time — was stolen from the leading Bitcoin exchange. It is important to note that in today’s prices, the Mt. Gox hack is valued at roughly $3 billion in stolen BTC, making it substantially larger through a contemporary prism, however.
To really put into perspective just how massive these losses are, both Coincheck and Mt. Gox rank among the largest heists of all time, cryptocurrency or not.
While Mt. Gox shortly filed for bankruptcy following the hack, Coincheck has surprisingly remained in business and was even recently approved as a licensed exchange by Japan’s Financial Services (FSA). Both Mt. Gox and Coincheck, were and are, based in Japan, and the required registration and regulation of exchanges by Japan’s FSA were inspired by the Mt. Gox hack.
Brief History of Coincheck
Coincheck was founded in 2014 in Japan and was one of the most popular cryptocurrency exchanges in the country. Offering a wide variety of digital assets including Bitcoin, Ether, LISK, and NEM, Coincheck was an emerging exchange that joined the Japan Blockchain Association.
Since Coincheck was founded it 2014, it was incidentally not subject to new exchange registration requirements with Japan’s FSA — who rolled out a framework after Mt. Gox –, and eventually was a contributing factor to its poor security standards that led to the hack.
Coincheck was led by President Wakata Koichi Yoshihiro and Chief Operating Office Yusuke Otsuka in the run-up to the hack.
The Coincheck Hack
On January 26th, 2018, Coincheck posted on their blog detailing that they were restricting NEM deposits and withdrawals, along with most other methods for buying or selling cryptocurrencies on the platform. Speculation arose that the exchange had been hacked, and the NEM developers issued a statement saying they were unaware of any technical glitches in the NEM protocol and any issues were a result of the exchange’s security.
The Coincheck Blog Post announcing suspension of NEM coin services
Further, NEM devs reiterated that exchanges utilize its Multisig Contract Smart Signing App to provide an additional layer of security requiring multiple exchange managers to sign off on large transactions.
Coincheck subsequently held a high-profile conference where they confirmed that hackers had absconded with 500 million NEM tokens that were then distributed to 19 different addresses on the network. Totaling roughly $530 million at the time — NEM was hovering around $1 then — the Coincheck hack was considered the largest theft in the industry’s history.
Coincheck was compelled to reveal some embarrassing details about their exchange’s security, mentioning how they stored all of the NEM in a single hot wallet and did not use the NEM multisig contract security recommended by the developers.
Coincheck CEO and president Koichiro Wada & COO Yusuke Otsuka at the Coincheck Press Conference
The use of large sums with hot wallets is a notoriously poor security practice. Most exchanges today use a hybrid hot/cold wallet system, with the vast majority of the value stored in the cold wallets and secured via multisig.
The fact that Coincheck was not officially registered with Japan’s FSA also surfaced following the hack. During their conference, the Coincheck representatives showed deep remorse for the loss and pledged to register with the FSA as a result of the incident. The next day, Coincheck announced that they would refund all 260,000 users affected by the hack, and received outspoken support from their community for electing to do so.
Simultaneously, the NEM developers team had tagged all of the NEM stolen in the hack with a message identifying the funds as stolen so that other exchanges would not accept them. However, NEM announced they were ending their hunt for the stolen NEM for unspecified reasons several months later, and speculation persisted that hackers were close to cashing out the stolen funds on the dark web.
Japan’s exchanges formed a self-regulating cryptocurrency initiative following the incident, and Japan’s FSA issued several business improvement orders to Coincheck.
Mainstream media covered the hack extensively and compared it to similar failures by cryptocurrency exchanges in the past to meet adequate security standards. At the time, most media coverage of cryptocurrencies was centered on their obscure nature, dramatic volatility, and lack of security. Coincheck’s hack fueled that narrative considerably as the sum stolen was eye-popping and the cryptocurrency used — NEM — was unknown to most in the mainstream.
NEM depreciated rapidly following the hack, and the price fell even more throughout 2018, in line with the extended bear market in the broader industry. Currently, NEM is trading at approximately $0.07, a precipitous fall from ATH over $1.60 in early January.
Monex Group acquired Coincheck in April 2018, who then revised the cryptocurrencies that Coincheck would offer once it re-launched and managed the reimbursement of the users affected by the hack. Japan’s FSA has since ramped up its evaluation of cryptocurrency exchanges in the country, but it remains surprising that Coincheck was able to obtain a license and move forward after such a disaster.
Coincheck resumed NEM trading in mid-November and has joined the Japan Network Security Association. The exchange is now open to new registrations.
Comparisons with the Mt Gox Hack
The extent of the Coincheck hack was rivaled by only a few other hacks, notably the Mt. Gox hack. While nominally Coincheck is the largest hack in the industry’s history, the effects of Mt. Gox were significantly more impactful since the stolen funds consisted only of Bitcoin and caused a sustained market correction as well as an ongoing controversy with the stolen funds and founder. Moreover, Mt. Gox squandered 6 percent of the overall Bitcoin circulation at the time in a market that was much less mature than it is today.
The current value of the Mt. Gox hack — at $3 billion — outpaces the Coincheck hack’s roughly $36.5 million value now by a substantial margin.
The accumulation of cryptocurrency exchange hacks throughout 2018 was quite extraordinary. Ciphertrace’s Q3 AML report highlights how hackers stole $927 million in the first three quarters of 2018 alone. Further, the report reveals some intriguing insights into the ease with which hackers can liquidate stolen funds via unregulated crypto-crypto exchanges.
According to the report, 97 percent of criminal Bitcoin flowed into exchanges in unregulated countries with weak AML laws. While the report only analyzed Bitcoin, the uncertainty of where the stolen NEM from Coincheck went can be illuminated by the trend of laundering stolen crypto through smaller, unregulated exchanges at discounted prices in Bitcoin or more anonymity-focused cryptocurrencies like Monero and ZCash.
South Korea’s National Intelligence Agency said that North Korean hackers might have been behind the Coincheck heist, but there is no way of confirming whether North Korea was directly responsible.
Despite the fallout, Coincheck is now fully operational and registered with Japan’s FSA. Hopefully, the hard lessons learned throughout 2018 will serve as a fundamental improvement to security practices among exchanges in 2019.
Regardless of the ongoings of centralized cryptocurrency exchanges, it is always best practice to retain control of your private keys and never trust third parties with your value. As Nick Szabo accurately prognosticated:
“Trusted third parties are security holes.”
As decentralized exchanges and P2P marketplaces continue to develop, users can only hope that trusted third parties will no longer be necessary components of the future landscape for exchanging digital assets.