The combination of loose regulation, the Wild West of cryptocurrency trading and a hunger for massive and fast financial returns created a perfect storm in Japan. The recent hack of the Coincheck cryptocurrency exchange triggered the illicit transfer of about 520M units of XEM with a value of about $538M. Natsuko Inui from the Financial Services Information Sharing and Analysis Center (FS-ISAC) dissected the incident and outlined the response of Japanese regulators during the recent Australian Cyber Conference, hosted by AISA.
FS-ISAC started in the USA in 1999 but is now a global organisation with over 7000 member companies across 45 countries. The group shares information globally as well as within smaller groups based on geography and industry verticals.
Coincheck is a Japanese cryptocurrency exchange that also offers lending and payment services and is run by its 27-year-old founder and CEO. Early on 26 January 2018, 520M XEM was transferred illegally, affecting about 260,000 of Coincheck's clients. By the middle of the day, Coincheck had stopped all transfers of XEM, with the news hitting Twitter at 2:06PM. A short time later, NEM.io, the operator of the XEM network, was asked to halt XEM transfers and Coincheck shut down all cryptocurrency transfers other than Bitcoin. At 11:30 that night, Coincheck held a press conference and publicly apologised for the incident.
The next day, NEM.io announced that a tracking mechanism would be implemented on the platform within 48 hours, and Japan's financial regulator, the Financial Services Agency (FSA), sent an alert to all related parties and announced that a compensation program would be put in place.
About six weeks later, all affected parties were compensated with a distribution of the equivalent of about $538M. Any parties who profited from the payment were taxed on the profit.
On January 28, Coincheck debriefed the FSA, which the next day slapped a business improvement order on Coincheck; the police then launched a separate investigation.
How did the breach occur?
Like many breaches, Coincheck was the victim of a targeted phishing attack. A Coincheck employee's machine was infected through a targeted email, which ultimately resulted in a private key being stolen from a server.
Suspicious traffic was detected on the Coincheck network but was not acted on, and the stolen XEM was all stored in a "hot wallet" - a software wallet that is held online and therefore reachable from the compromised environment. A further weakness was that Coincheck did not use multisig, the use of multiple private keys to validate transactions, so a single stolen key was enough to authorise the transfer. Coincheck ran its services on AWS and did not put basic security controls in place.
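To make the missing control concrete, the following is an added example written for this article, not Coincheck's or NEM's own code and not NEM's on-chain multisig: a simplified m-of-n approval check in Go using Ed25519. The signing message format, the cosigner indices and the destination address are constructed assumptions; it shows that the single key taken from the server is sufficient against a 1-of-1 hot wallet but not against a 2-of-3 policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// transferBytes: constructed, simplified signing message binding amount and destination.
func transferBytes(amount uint64, dest string) []byte {
	return []byte(fmt.Sprintf("XEM-TRANSFER|%d|%s", amount, dest))
}

// Policy is an m-of-n approval rule: Threshold distinct cosigners must have signed.
type Policy struct {
	Cosigners []ed25519.PublicKey
	Threshold int
}

// Authorize counts valid signatures by cosigner index (one key counts once) against Threshold.
func (p Policy) Authorize(msg []byte, sigs map[int][]byte) bool {
	valid := 0
	for idx, sig := range sigs {
		if idx >= 0 && idx < len(p.Cosigners) && ed25519.Verify(p.Cosigners[idx], msg, sig) {
			valid++
		}
	}
	return valid >= p.Threshold
}

// Scenario generates three cosigner keys and assumes key 0 is the one stolen from the server.
// It reports: stolen key drains a 1-of-1 hot wallet; stolen key under 2-of-3; two legitimate signers under 2-of-3.
func Scenario() (drained1of1, drained2of3, legit2of3 bool, err error) {
	pubs := make([]ed25519.PublicKey, 3)
	privs := make([]ed25519.PrivateKey, 3)
	for i := range pubs {
		if pubs[i], privs[i], err = ed25519.GenerateKey(rand.Reader); err != nil {
			return
		}
	}
	msg := transferBytes(520_000_000, "DEST-ADDRESS-CONSTRUCTED")
	stolen := map[int][]byte{0: ed25519.Sign(privs[0], msg)}
	legit := map[int][]byte{1: ed25519.Sign(privs[1], msg), 2: ed25519.Sign(privs[2], msg)}
	hot, multi := Policy{pubs[:1], 1}, Policy{pubs, 2}
	return hot.Authorize(msg, stolen), multi.Authorize(msg, stolen), multi.Authorize(msg, legit), nil
}

func main() {
	fmt.Println(Scenario()) // true false true <nil>
}
```

Keeping the additional cosigner keys off the internet-facing server is what turns this check into a real control; a threshold policy whose keys all sit on the same compromised host buys nothing.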
The regulatory response
Following the breach, Coincheck was acquired by the regulated financial services company Monex Group. Inui suggested this acquisition was "encouraged" by the FSA.
The FSA set new rules saying that cryptocurrency exchanges must be registered and provide evidence that they are not engaged in money laundering or terrorism funding and that steps must be taken to protect users. Interestingly, the FSA ordered a number of business improvements but did not suspend Coincheck.
Coincheck was given two orders by the FSA. The first demanded that Coincheck describe how and why the breach occurred, and that the company improve its customer handling and governance procedures. Coincheck was also directed to build a basic risk management framework and to report on progress against this order within two weeks. All of these measures, said Inui, were considered basic matters and the FSA was surprised they were not already in place.
Before the report was due, the FSA conducted an on-site inspection at Coincheck - something that Inui said was very unusual. At the beginning of February, the scope of the order was expanded to seven other exchanges with the expectation that these measures would already be in place.
On the 8th of March, a second order was issued to Coincheck and the other exchanges, requiring a number of actions including an overhaul of management, a review of the business strategy and monthly reporting on progress against the orders until the order is fully executed.
The FSA's review found that while the revenues of cryptocurrency exchanges were rapidly growing, the management teams and processes were not keeping up. There was poor third-party vendor management and there were not sufficient security personnel. There was a focus on profit and little care for customers, and the lack of compliance awareness and focus was "baffling to the FSA". There was also poor segregation of duties between board and audit functions.
As a result, the FSA, which has typically been hands-off, has now tightened regulation: its compliance checklist is four times longer, and the FSA reviews board paper minutes to check that appropriate risk management processes are being executed.