The Japanese cryptocurrency exchange Coincheck confirmed the digital robbery of some 500 million NEM tokens (worth up to ¥58 billion or around $532 million at the time of the incident) in what appears to be the biggest crypto heist in history.
Coincheck has suspended trading and withdrawals, saying it “deeply regrets” the loss of tokens worth some $500 million which makes it the biggest ever theft from a cryptocurrency exchange. The previous record-holder was Mt.Gox, a world-leading bitcoin exchange, in February 2014 when some 850,000 bitcoins (worth $390 million at the time) were stolen from the platform, preceding its eventual demise.
This time the heist affected only NEM [coin symbol XEM] cryptocurrency, which is currently the 10th largest virtual currency according to CoinMarketCap. XEM was created by NEM foundation and is based on a blockchain technology. Since the incident become public, the token price plunged more than 15 percent from the day’s high of around $1.02 down to $0.85.
The illegitimate withdrawal of the cryptocurrency was discovered on Friday morning. Coincheck rushed to suspend all withdrawals of NEM, as well as sales and purchases. By Friday evening, the ban on withdrawals was extended to all currencies. Trading has also been halted for all cryptocurrencies, expect bitcoin.
Coincheck CEO Koichiro Wada and Chief Operating Officer Yusuke Otsuka said it is so far unclear who was responsible for the hack, how it was perpetrated and what damage has been done.
Police and the Japanese government’s financial regulator, the Financial Services Agency, have been notified of the breach, they said. Police cars were spotted at the exchange’s offices late on Friday.
Really awkward pause (30 sec+) when Coincheck asked if their security was weak. Exec would not admit it was weak, but just apologized. Reporters really pissed by his response 👺
— Yuji Nakamura (@ynakamura56) January 26, 2018
Coincheck has offered its “sincere apologies” to the affected customers but fell short of blaming the incident on lax security measures. “We are deeply sorry for troubling people with this issue,” Wada said, as cited by Japan Times.
It is unclear whether the exchange will able to recover the tokens, although Otsuka said the company has been considering paying out compensations. It is also unknown whether the attack was orchestrated from abroad, by hackers at home, or was possibly an inside job.
Meanwhile, NEM Foundation President Lon Wong said it was a careless security policy that cost Coincheck and its clients a fortune. Speaking at a press conference, Coincheck officials admitted the firm did not implement NEM’s multi-signature smart contracts. The feature enables users to attach several accounts, possibly located on different computer platforms, to the multi-signature account, so hackers would need to compromise both to get access to the wallet.
Coincheck’s refusal to implement the protocol is the vulnerability the hackers most likely seized upon, according to Lon Wong. “That’s why they could have been hacked. They were very relaxed with their security measures,” he told Cryptonews, calling the heist “the biggest theft in the history of the world.”
It was also revealed that Coincheck has not registered with Japan’s financial regulator – but has vowed to file for registration now.
The over-reliance of cryptocurrency owners on web-hosted wallets makes exchanges prime targets for criminals, cybersecurity guru John recently warned that “every exchange will at some point in the near future get hacked.”