It was, by any reckoning, a huge haul. Between $400 million and $534 million dollars of NEM stolen, depending on whether you go on its value at the time or once the market had reacted to the news. At a press conference on Friday afternoon, the stunned Coincheck team painted forlorn figures as they came to terms with being on the receiving end of the greatest heist of all time. In the inevitable post-mortem, questions have been raised about the security practices of the Japanese exchange.
Gox II: Goxxed Harder
Japan thought its days of being the focal point for record-breaking cryptocurrency heists were behind it. Less than four years on from the Mt Gox hack, which heralded the end of Japan’s and the world’s largest exchange, the country is back in the spotlight. Over the past few years, Japan has earned praise for its measured approach to cryptocurrencies, having encouraged their use in a regulated environment. Only this week, the Bank of Japan gave crypto a mild endorsement. But on Friday January 26, the nation’s 127 million citizens awoke to the news that another seismic cryptocurrency hack had occurred on home soil. At around 3am local time, someone withdrew all of the NEM held by the exchange in a single transaction.
The identity and origin of the hacker is unknown at this time, but what few details have emerged suggest serious flaws in Coincheck’s security procedures. It appears that the 500 million NEM were stored in a hot wallet with no multi-sig. If so, the exchange has learned nothing from recent history, for it was a similar setup that resulted in Mt Gox losing around 850,000 bitcoins in 2014. At a press conference on Friday, when asked about Coincheck’s security practices, there was an awkward pause before president Wakata Koichi Yoshihiro batted the question away, electing to issue an apology instead.
The Coincheck Hack by Numbers
The magnitude of the Coincheck hack, a haul which exceeds any other, can be seen by comparing it alongside real world record-breakers.
Securitas Depot Robbery, $83 million: Disguised in wigs and prosthetics, a gang did over a security depot in Britain in 2006. They would have made off with more, only there was no more space for cash in the lorry. The Securitas robbery was worth one sixth of the NEM hack.
Knightsbridge Security Deposit Robbery, $97 million: A safety depot raid in London in 1987 netted a huge load of cash and jewelry but it was still only worth a fifth of the NEM cryptocurrency hack.
Baghdad Bank Heist, $282 million: Iraq’s Dar Es Salaam bank was relieved of hundreds of millions of dollars in 2007, with two guards alleged to be the instigators. The bumper robbery was worth around half the NEM stolen from Coincheck.
Mt Gox, $450 million: The tranche of bitcoins stolen from the world’s largest cryptocurrency exchange in 2014 was worth around $80 million less than the value of NEM that was taken.
An Irredeemable Fortune
In reality, the thief may find themselves struggling to shift their hot property. Within hours of the attack occurring, the NEM team had contacted cryptocurrency exchanges seeking to have the wallet address blacklisted. One thing NEM won’t be doing is emulating Ethereum and hard-forking. If the blockchain were to be rolled back and the stolen coins forked away, it would do Coincheck a favor, but would do little to demonstrate the immutability of blockchain ledgers.
Japan’s Financial Services Authority has confirmed it is “looking into the facts” surrounding the matter. Meanwhile, Coincheck has promised that it is seeking to compensate its customers who had their NEM stolen. Despite its hefty dollar value, the NEM hack is unlikely to put a discernible dent in the cryptocurrency markets. It raises serious questions though about Coincheck’s fitness to operate a cryptocurrency exchange.
The company had previously reported being approved by the Financial Services Agency, but it’s emerged that Coincheck was not registered with the FSA. The only way for Coincheck to pay back its customers may be for it to be allowed to continue trading. Whether regulators will allow the beleaguered exchange to stay in business – and whether customers will trust it again – is another matter entirely.