Amidst the hype of late 2017's ICO boom, Coincheck was struck by a jaw-dropping $530 million hack at the start of the following year, taking place during this volatile period.
The scale of the theft was mind-boggling, even outdoing the notorious heist of Mt. Gox hack 2014, where over 850,000 BTC valued at $460 million — then 6% of the entire bitcoin supply — was snatched from the top Bitcoin exchange. Though, considering current prices, the same Mt. Gox debacle would be worth around $3 billion, making it significantly more impactful today.
Drastically putting the scale into context, both Coincheck and Mt. Gox mark some of the most substantial thefts throughout history, regardless of whether measured in cryptocurrency or other terms.
Though Mt. Gox promptly filed for bankruptcy after their security breach, Coincheck, surprisingly, continued its operations and was eventually recently approved granted a license by Japan's Financial Services Agency (FSA), underscoring an odd contrast between the two Japan-based exchanges. The Mt. Gox hack catalyzed the FSA's regulatory framework requiring exchanges to register.
Brief History of Coincheck
Initially launched back in 2014, Coincheck quickly rose to prominence within Japan as a renowned cryptocurrency exchange, featuring various digital assets like Bitcoin , Ether , LISK and NEM. As a growing platform, it joined the Japan Blockchain Association.
Coincheck was originally exempt from Japan's FSA's new registration mandates due to its 2014 establishment before the regulations sparked by Mt. Gox came into effect, ultimately laying the groundwork for its inadequate security that led to the breach.
Leadership during the breach at Coincheck was held by President Wakata Koichi Yoshihiro and COO Yusuke Otsuka.
The Coincheck Hack
On January 26th, 2018, Coincheck took to their blog to announce they were putting a hold on NEM deposits and withdrawals while largely pausing other cryptocurrency activities. This announcement fueled speculation about a potential breach, with NEM developers denying any protocol flaws, pointing out the issue lay with Coincheck's security measures.
The Coincheck Blog Post declaring a halt to NEM coin functionality
Moreover, the NEM developers reiterated the importance of exchanges utilizing its Multisig Contract Smart Signing App as an added security layer, insisting multiple managers approve large transactions.
Coincheck soon held a major conference press event, confirming that cybercriminals had made off with 500 million NEM tokens, distributed across 19 network addresses. Worth about $530 million at the time — NEM was trading near $1 — the breach marked the most significant theft in the sector's history.
In a rather embarrassing revelation, Coincheck disclosed that they kept all their NEM in one hot wallet, skipping the multisig contract protection recommended by NEM's developers.
Coincheck's CEO Koichiro Wada & COO Yusuke Otsuka at the press gathering
Maintaining huge sums within hot wallets remains notoriously insecure. Present-day exchanges typically rely on a mix of hot/cold wallets, storing most assets in cold wallets secured via multisig.
Coincheck's unregistered status with Japan's FSA came to light post-hack. During their briefing, Coincheck acknowledged their regret over the loss and vowed to seek FSA registration. Following the incident, Coincheck announced pledged reimbursements to all 260,000 impacted users, receiving vocal support from their community for making this choice.
At the same time, the NEM developers marked all stolen NEM tokens with a warning indicating their stolen status to discourage exchanges from accepting them. However, NEM later announced they were ceasing their recovery efforts without further detail, while the notion that hackers were close to cashing out the stolen funds on the dark web.
The Aftermath
This led to initiatives forming for self-regulating Japanese cryptocurrency exchanges, and Japan's FSA issued handed several business improvement directives to Coincheck.
The hack was extensively covered by mainstream media, drawing parallels with previous cryptocurrency exchanges lapses in security by exchanges. At the time, cryptocurrency coverage often highlighted their enigmatic nature, wild price swings, and security deficiencies. Coincheck's hack significantly bolstered this narrative due to the eye-popping value of the stolen NEM, largely unknown to the public.
Following the hack, NEM's value plummeted sharply, further declining through 2018 in line with the broader market's ongoing bearish trend. Presently, NEM sits at close to $0.07, a dramatic fall from early January's peak of over $1.60.
Monex Group acquired Coincheck managed to reopen by April 2018, reviewing their coin offerings upon re-launch, and overseeing reimbursement for harmed users. Since then, Japan's FSA has increased scrutiny of exchanges within the nation, though it remains surprising that Coincheck managed to secure a license post-crisis.
Mid-November saw Coincheck resume NEM trading and join the Japan Network Security Association, opening its doors to fresh registrations.
Comparisons with the Mt Gox Hack
The Coincheck breach only contended with a few similar-sized hacks, notably Mt. Gox. While Coincheck holds the title of the largest hack nominally, Mt. Gox had more profound effects as their stolen funds, consisting solely of Bitcoin, triggered an ongoing market shift and continual controversy issues with the siphoned funds and founder. Additionally, Mt. Gox depleted 6% of the extant Bitcoin supply at that time, in a market much less evolved than today's environment.
Read: Mt Gox Heist: Exploring Bitcoin’s Largest Theft
The Mt. Gox hack's current valuation — approximately $3 billion — dwarfs Coincheck's equivalent value now, standing at about $36.5 million, by a glaring margin.
The turbulent year of 2018 saw a remarkable spike in cryptocurrency exchange hacks. Ciphertrace's Q3 AML report report showcased nearly $927 million pilfered in the first nine months alone. Furthermore, the document offered fascinating revelations about the ease with which hackers offloaded illicit funds via non-regulated crypto exchanges.
As per the report, 97% of criminal Bitcoin made its way to exchanges in jurisdictions with lax AML regulations. Although it focused solely on Bitcoin, the mystery surrounding the stolen NEM's destination from Coincheck could be illuminated explained by ongoing trends for laundering plundered crypto through smaller, unregulated hubs with discounted deals in Bitcoin or privacy-oriented coins like Monero and ZCash.
Korea's National Intelligence Agency said suggested that North Korean cyber operatives may have orchestrated the Coincheck theft, yet concrete evidence tying them directly is unavailable.
Lessons Learned
Despite the aftermath, Coincheck is entirely operational now and registered with Japan’s FSA. Hopefully, critical lessons from 2018's tribulations will foster enhanced security measures across exchanges in the upcoming year.
Even with the challenges facing centralized exchanges, one can never be too cautious with their private keys, always wary about entrusting third parties with their assets. As the adage goes, Nick Szabo accurately prognosticated :
“Trusted third parties are liability points.”
As decentralized exchanges and peer-to-peer platforms continue to advance, users are optimistic that third-party intermediaries will no longer be essential in the future landscape for trading digital tokens.
