What Happened?
On Friday, January 26, Japanese exchange Coincheck revealed that an unidentified thief had stolen more than $500 million worth of NEM tokens, valued at about $0.94 apiece at the time of the attack. Roughly eight hours passed before the exchange noticed, at 11am on Friday, that its NEM reserves had been severely diminished.
Following the revelation, Coincheck sent the following message to its users:
“Depositing NEM on Coincheck is currently being restricted. Deposits made to your account will not be reflected in your balance, and we advise all users to refrain from making deposits until the restriction has been lifted.”
The exchange also made the decision to abruptly freeze all withdrawals from the exchange on Friday after a user holding $123 million worth of Ripple tokens suddenly left the exchange with all of their assets; other users with sizeable holdings also reportedly departed from the exchange after the revelation of the NEM hack.
Several days after the attack, Coincheck announced that it would be paying back users $0.81 for every dollar worth of NEM that was taken from them, although the timeline for the payback has not yet been determined.
Expert cryptocurrency analyst Koji Higashi explained that there is quite a bit of skepticism within the crypto community about how Coincheck will make good on its promises:
“[Coincheck’s] announcement states that they will pay back the users with their own capital, meaning that they maintain that they hold more than 480 million USD worth of cash or liquid assets.
This is hard to believe for many but considering their monthly trading volume, which is rumored to be around 40 billion USD and their high spread, they may actually own enough cash to reimburse the users. However, there is also an argument against it and it's all rumors until Coincheck reveals more details as to how exactly they are going about it and by when (there is no clear deadline specified yet.)”
At the same time that Coincheck announced its plans to repay users, the NEM Foundation revealed its plans to institute a tracking system on the NEM blockchain, which effectively makes it possible for all transactions to be traced (and the hacker to be identified).
Coincheck has until February 13 to submit a report to the Japanese Financial Services Agency outlining the reasons that the incident happened and its plans to improve security measures. The FSA also announced over the weekend that it would be fining Coincheck, although the amount of the fine has not yet been determined.
On February 2nd, the FSA sent 10 officials to raid Coincheck’s offices, seizing computers and documents as possible evidence in the investigation. This was the first time that the FSA had ever raided a cryptocurrency exchange. The FSA also announced that it would be inspecting all domestic crypto exchanges.
The hack sparked a global crypto selloff last Friday, but markets did begin to recover after Coincheck announced that it would be reimbursing users.
Weak Security Practices Could Be At Fault
Koji Higashi explained that the exchange could have been breached because of its alleged decision to store funds online in a so-called ‘hot wallet’--most exchanges and other crypto firms would never store such large amounts of cryptocoins online. “The best practice is to keep most of the crypto assets in cold wallets,” Higashi said.
He went on to say that the exchange may have made the decision to keep the funds online in order to keep the trading platform running more quickly: “They [Coincheck] seem to have prioritized user convenience and growth over security.”
Is Coincheck the New Mt Gox?
The Coincheck hack is, of course, being compared very closely to the infamous Mt Gox exchange hack that took place in 2014. When Mt Gox was attacked, thousands of Bitcoins now worth roughly $470 million disappeared; while a few suspects were eventually identified as possible culprits, no one was ever charged with the crime.
That’s the main difference between Coincheck and Mt Gox--the Mt Gox hack came at a time when crypto was generally regarded as nothing more than a hobby for anarcho-capitalists. No one was ever really punished for the Mt Gox incidents, and none of the affected users ever saw a dime of their funds returned to them.
Now, things have changed. Members of the crypto community were the only ones paying any real attention to the Mt Gox case; but the world’s eyes are on Coincheck.
While it’s not completely clear what the Coincheck saga will mean for the global regulatory landscape when it comes to crypto, it seems that the world can choose to use the Coincheck saga in one of two ways: fuel for the fire that is attempting to burn crypto down, or a series of valuable lessons on the best security practices and damage control.
Calls For Regulation
The Coincheck hack has sent shockwaves through the world’s governments and financial institutions, which have been collectively scrambling over the past several months to figure out how to appropriately regulate crypto. For many, the hack has only strengthened pre-existing beliefs that cryptocurrency is dangerous, volatile, and insecure.
The Japanese government has historically placed itself on the cutting edge of innovative regulatory practices when it comes to crypto; many credit the Japanese Virtual Currency Act that was passed in April 2017 with the June crypto boom that brought Ethereum and Bitcoin to unprecedented heights.
The VCA, which legitimized BTC and ETH as legal forms of payment, also provided a legal structure for crypto exchanges to gain licensure. Bloomberg reported that so far, 16 exchanges have been licensed through the Act; 15 are operating with their applications pending approval.
Of course, the hack has sparked concerns that the Japanese government may change its tune when it comes to crypto. Koji Higashi believes that the swift action that the government has already taken indicates that the regulatory climate in Japan could see some minor adjustments that could ‘cool’ global crypto markets in the short term, but that Japan’s crypto attitude will not change dramatically in the long term:
“The FSA (Financial Services Agency, which governs financial activities in Japan) has been responding to the incident promptly already. Given the hack incident, they gave Coincheck an "operation improvement order" and ordered them to report the details back by Feb 13th. The incident has also affected other exchanges and the FSA will clamp down on exchange security in general, not just Coincheck, to prevent further hack incidents.
All this means that the industry will become more heavily regulated akin to the traditional finance sector and the barrier of entry will rise. Also, overly aggressive promotion (TV commercials etc.) will be restricted given Coincheck's mistake and this will cool down the crypto trading market at least for a short term in my opinion.
As for the global effect, the demand for crypto in Japan may diminish for a little while, but I believe it will not have a severe negative effect for the global market. The stolen funds will likely be reimbursed (according to Coincheck) and the appetite for speculation is overwhelming so I don't think the fall of Coincheck will change the long term direction of the crypto market in Japan.”