Second Major Hack Casts Doubts over Japan’s Cryptocurrency Security SystemsEconomy
Another Cryptocurrency Exchange Hacked
In the evening of September 14, 2018, the Osaka-based Tech Bureau’s Zaif cryptocurrency exchange was hacked, resulting in the theft of approximately ¥7 billion of cryptocurrency (in the form of Bitcoin, Bitcoin Cash, and Monacoin). The hack was not discovered until three days later, on September 17. A report was made to the regional finance bureau and news of the security breach was announced just before three in the morning of September 20.
This was not the first incident to affect Japanese cryptocurrency exchanges in recent months. In January this year, a hack at Coincheck resulted in the theft of around ¥58 billion of NEM tokens, prompting the Financial Services Bureau to take steps to bolster its monitoring systems. Zaif itself had received two business improvement orders from the Kinki local finance bureau. Since Coincheck operates without formal registration, having been in business since before the amended Payment Services Act came into force, the recent hack was the first major breach at a registered cryptocurrency exchange. As Tech Bureau announced the hack at Zaif, the publicly listed Fisco Digital Assets Group announced that one of its subsidiaries would acquire a majority of Tech Bureau’s stock, providing a cash injection of ¥5 billion; Tech Bureau said it would use the funds to compensate customers for their losses.
On September 20, Fisco announced that the cryptocurrency exchange operated by one of its subsidiaries has no connection to the Zaif system, and said it was looking to sign a formal agreement on a financial assistance package for Zaif. Fisco’s total market value at time of writing was approximately ¥9.8 billion. According to its earnings summary, the company had ¥1.25 billion in cash on hand at the end of June. It is unclear how the company will raise the funds to buy the Tech Bureau stock.
All registrations of new cryptocurrency exchanges have been suspended since the Coincheck breach. On August 10, the Financial Services Authority published an interim report on its monitoring of cryptocurrency exchanges, and there had been hopes that the registration inspections would restart. Following the recent hack, however, there are worries that there will be further delays before the process restarts. Coincheck, a Monex Group company aiming to restructure its business, is far from the only exchange affected; well over 100 companies are currently waiting for the official registration process to reopen. It also seems likely that the incident will affect margin trading in cryptocurrency and debates over the legal position of initial coin offerings in cryptocurrencies.
More than Two Days of Silence
No official announcement has yet been made about how Zaif was hacked. The theft targeted the exchange’s “hot wallet,” which allows instant transfers of cryptocurrency. It seems that either there was a theft of security keys for hot wallet funds on company servers, or that there was a hack of the system’s API to allow a transfer of funds from its hot wallet.
It is not the usual practice for a cryptocurrency exchange to keep the bulk of its customers’ funds in a hot wallet. Usually, these funds are kept in cold storage separately from the main network and require a manual security operation for transfers. Tech Bureau has yet to make any announcement about the unusual ratio between customer funds kept in hot and cold wallets, or why it chose to keep as much as ¥5 billion of Bitcoin deposits in a hot wallet.
Another question that remains unresolved is why it took until September 17 for the company to notice the theft of several billion yen from its servers. The hack took place on September 14—why did it take three days for the company to notice a security breach on this scale? Surely the emptying of hot wallet cryptocurrency funds should have triggered error messages when users tried to make withdrawals from the evening of Friday September 14 onward.
It is standard practice to carry out a daily stocktaking to make sure there is no discrepancy between the balance of cryptocurrency in the exchange’s databases and the amount of cryptocurrency saved in wallets. If the theft took place on the evening of September 14, in normal circumstances it should have been discovered later that day, or on the following day at the latest. Monday September 17 was a public holiday; it seems that no stocktaking took place on this day, and as a result the theft was not discovered until the day after.
The Difficulty of Knowing Who to Trust
Since the Coincheck hack, the general advice has been that for safety reasons, customers should use officially registered cryptocurrency exchanges and avoid illegal exchanges overseas and businesses that are waiting for official registration and approval. However, the Zaif case shows that even exchanges officially registered with the Financial Services Agency are not necessary safe either. The situation is not helped by the fact that every one of the registered businesses currently in operation has received at least one business improvement order at some stage, making it difficult for users to know which exchanges are safe to use.
To ensure better safety for cryptocurrency transactions in the future, users will have to check not only whether a business is properly registered or not, but also look at the content of any business improvement orders it may have received, and to use the company’s official results to assess its financial situation and decide whether it would be in a position to pay compensation in the event of a security breach or other incident. Even accepting the proviso that it is the responsibility of investors to assess potential risks before they take the plunge, expecting ordinary users to understand the intricate workings of cryptocurrencies and the various factors affecting price fluctuations, to be able to analyze business improvement orders and financial reports, and to identify safe cryptocurrencies and exchanges based on this information, is probably asking too much.
There have now been two major hacking incidents involving cryptocurrency in the space of one year. As we move toward restarting the approval and registration process for cryptocurrency businesses, it is vital to take steps to prevent similar incidents from happening again. But putting thoroughgoing prevention measures in place will not be easy.
Cryptocurrency exchanges are not yet subject to universally agreed security standards, and there is not yet any equivalent of the Center for Financial Industry Information Systems, which independently sets standards for traditional institutions like banks and securities firms. Since small-scale start-ups represent a large proportion of the nascent industry, there are worries that stringent regulations might hamper innovation. But given the scale and frequency of incidents to date—most notoriously the Mt. Gox incident—it is not surprising that many people believe cryptocurrency businesses should be subject to stricter regulations than traditional banks.
The Online Automation Trap
There are two main reasons why it is harder to ensure safety in transactions using cryptocurrencies compared to legal tender currencies and financial products: the fact that an Internet connection is essential to transfer funds using a cryptocurrency, and that price fluctuations are automated and take place entirely online. With legal tender currencies and financial products, it is possible to use closed networks that are not connected to the Internet, and in many cases transactions involving large sums are not entirely automated: a real human being is normally involved at some stage. Thanks to this, numerous attempted cyberattacks and near-miss transfers of funds to the wrong accounts have been prevented at the last minute by human oversight and intervention.
Ironically, the same aspects that have often been regarded as the chief advantages of cryptocurrencies—the fact that markets are open 24 hours a day, 365 days a year, and that automated transactions can be completed online—have made it harder to establish safe systems for cryptocurrency exchanges staffed by human workers. Venture start-ups can often not afford to employ workers to staff their exchanges around the clock, but many have felt pressured to operate their exchanges 24 hours a day all year round to take advantage of these attributes of cryptocurrencies
The Struggle to Rebuild Confidence
Will the thieves who stole some ¥6.7 billion from Zaif succeed in escaping justice? Unfortunately, the people responsible for the hacks on Mt. Gox in 2014 and Coincheck this January have still not been caught. Alexander Vinnik, the owner of the Russian exchange BTC-e, was arrested in Greece for suspected involvement in laundering of the stolen bitcoin currency. France and the United States are among the countries that have issued warrants for his arrest. But investigations in Japan have not yet shown much progress. The Tokyo Metropolitan Police apparently has a team of 100 investigators working on the Coincheck hack, but there have been no reports on major breakthroughs so far.
In the case of incidents involving cryptocurrencies built using cryptographic technology—making money laundering easy across international borders—investigators need a high level of IT knowledge; close cooperation with law enforcement agencies in other jurisdictions is also essential. Unfortunately, the reality is that the police in charge of investigating these cases in various parts of Japan are currently lagging behind in terms of systems and experience.
Japan has now seen more incidents of this kind than anywhere else in the world. Can we take advantage of this unfortunate fact and strengthen our security measures for cryptocurrency exchanges to put together a regulatory and investigatory system that will lead the world? Is the day coming soon when cryptocurrencies will offer users safety as well as convenience, or are we heading for tougher regulations before the industry begins to regain consumer confidence? The cryptocurrency environment in Japan faces a moment of truth.(Originally published in Japanese on September 27, 2018. Banner photo © Anesthesia/PIXTA.)