Another cryptocurrency heist has shaken Japan. This time, 6.7 billion yen ($60 million USD) worth of company and user funds have vanished from Japanese cryptocurrency exchange platform Zaif.
Tech Bureau Corp, the Osaka-based company that operates Zaif, estimates the heist occurred on September 14, 2018, between 5 p.m. and 7 p.m. local time. The exchange detected the breach on September 17, 2018, and reported the event to authorities the following day.
Of the stolen money, the hacker siphoned 4.5 billion yen (about $40 million USD) from user accounts and 2.2 billion yen (just under 19.5 million USD) from the company’s own assets. The three virtual currencies stolen include bitcoin, monacoin and bitcoin cash. Of those, $37.8 million were bitcoin funds (5,966 BTC).
Tech Bureau Corp will be able to tell the exact number of bitcoin cash and monacoin stolen once it gets its servers back up. All the cryptocurrency was taken from a server managing its hot wallet. A hot wallet refers to a wallet that remains online for immediate transactions. In contrast, a cold wallet represents more secure, long-term storage that is kept offline.
Early this year, Tokyo-based Coincheck saw a loss of $530 million worth of NEM tokens. That hack represented one of the largest financial losses since the introduction of bitcoin. Coincheck has since been acquired by Monex.
Since April 2017, Japan has required all of its crypto exchanges to be licensed. Both Coincheck and Tech Bureau Corp were founded in 2014, before the new laws went into effect. Coincheck was not fully licensed at the time it was hacked, but Tech Bureau Corp is a registered exchange.
The New York State Attorney General’s office has ratcheted up its war of words against cryptocurrency exchanges, warning consumers of the myriad of risks they face in depositing money on these platforms.
Crypto Exchanges at Risk of Manipulation
In a lengthy report on the “Virtual Markets Integrity Initiative,” New York’s Attorney General argues that online cryptocurrency exchanges are vulnerable to manipulation, fraud and other types of abuse. Consumers of these platforms therefore “face significant risks” from hackers and the exchange operators themselves, some of which have been known to exploit “deceptive and predatory practices, market manipulation, and insider abuses.”
“[V]irtual asset trading platforms now in operation have not registered under state or federal securities or commodities laws,” the report says. “Nor have they implemented common standards for security, internal controls, market surveillance protocols, disclosures, or other investor and consumer protections. Accordingly, customers of virtual asset trading platforms face significant risks.”
The report, which examines ten cryptocurrency exchanges operating in the U.S. and internationally, concludes a six-month investigation that was initiated by New York Attorney General Eric T. Schneiderman. Back in April, Schneiderman sent letters to 13 exchanges requesting information on their operations and internal controls.
Several Exchanges in the Hot Seat
At least four cryptocurrency exchanges were outed by the Attorney General’s office as being most problematic and possibly operating illegally in the state of New York. Not coincidentally, these exchanges refused to participate in the Attorney General’s request for information.
The report reads:
“Customers should be aware that the platforms that refused to participate in the OAG’s Initiative (Binance, Gate.io, Huobi, and Kraken) may not disclose all order types offered to certain traders, some of which could preference those traders at the expense of others, and that the trading performance of other customers on those venues could be negatively affected as a result.”
June 2011: Bitcoin user loses $500,000 in bitcoin to hackers
In early 2011, Bitcoin had been a tight-knit community of hobbyists. Mining bitcoins was easier back then: people could generate thousands of bitcoins using a conventional home PC.
That’s what allinvain, a user on the Bitcoin Talk forums, claimed to have done, amassing a fortune of 25,000 bitcoins. Bitcoins were worth pennies in 2010, but, by early June 2011, the price of bitcoins had soared to $20, making his bitcoins worth around $500,000.
Then, on June 13, disaster struck for allinvain. “I just woke up to see a very large chunk of my Bitcoin balance gone,” he wrote. Allinvain believed that someone had hacked into his PC and stolen the bitcoins from his hard drive, transferring them to an account controlled by the hackers.
If those coins had not been stolen—and he’d held on to them until today—they would be worth around $250 million.
August 2011: Wallet service MyBitcoins disappears from the Web
Bitcoin wallet services offer to store bitcoins on users’ behalf. These were initially portrayed as a convenience to the customer, but many of them turned out to be either insecurely run or outright frauds (it can be hard to tell, since the frauds tend to claim they were hacked).
One wallet service that was popular in Bitcoin’s early days, for example, was called MyBitcoin. In August 2011, the company disappeared from the Web, claiming the site was hacked.
This and similar experiences have made the Bitcoin community suspicious of online wallet services. With no real regulation, there’s no way for users to verify that a wallet service is reliable.
An exception to this is client-side Web wallets like the one offered by Blockchain.info. In these services, customer data is only stored in encrypted form on the server. Data is encrypted on the client side with a customer-provided password. That approach makes users less vulnerable than traditional wallet services where the service provider has direct control of the bitcoins.
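The client-side model described above can be sketched as follows. This is an added example, not code from the original article or from Blockchain.info; the choice of scrypt and AES-256-GCM, the function names and the sample wallet are assumptions made for illustration.

```javascript
// Added example: client-side wallet encryption (constructed data, not any provider's real scheme).
const crypto = require("crypto");

// Derive a 256-bit key from the customer's password. The scrypt parameters are illustrative.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Runs on the client: returns the only record the server ever stores.
function encryptWallet(walletJson, password) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(walletJson, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Runs on the client after downloading the record; throws on a wrong password or tampering.
function decryptWallet(record, password) {
  const key = deriveKey(password, Buffer.from(record.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// Returns true if decryption succeeds, false if GCM authentication fails.
function canOpen(record, password) {
  try { decryptWallet(record, password); return true; } catch { return false; }
}

// Constructed sample wallet; the key string is a placeholder, not a real key.
const wallet = JSON.stringify({ label: "demo", privateKey: "PLACEHOLDER-NOT-A-REAL-KEY" });
const stored = encryptWallet(wallet, "correct horse battery staple");
console.log("server stores:", Object.keys(stored).join(", "));
console.log("right password opens:", canOpen(stored, "correct horse battery staple"));
console.log("wrong password opens:", canOpen(stored, "guess"));
```

The protection is only as strong as the password: anyone who obtains the stored record can try guesses offline, which is why the key derivation is deliberately slow.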
March 2012: Hacked Web host leads to stolen bitcoins
Hackers exploited a vulnerability in the shared online web host Linode to steal at least 46,703 bitcoins—then worth more than $200,000—from several Linode users. That included more than 43,000 bitcoins stolen from Bitcoinica, an early Bitcoin exchange.
Bitcoinica suffered a second hack in May 2012 that cost the company another 18,000 bitcoins. It was then taken offline for a security audit. Bitcoinica didn’t survive these incidents. In August 2012, the site was sued by several users seeking the return of $460,000 in deposits.
One lesson of the Linode debacle is that Bitcoin-related businesses have to be extremely careful when operating on shared hosting providers. Bitcoins are secured by encryption keys. If any third party—either other customers or rogue employees—has access to customer data, they will be able to read the encryption keys and use them to transfer bitcoins away from their owners.
August 2012: Bitcoin Ponzi scheme is shut down
The Bitcoin Savings and Trust was a classic Ponzi scheme. Customers were lured in with a promise of high returns—seven percent per week—and new customers’ deposits were used to pay profits to previous customers.
The scheme shut down in August 2012, and a year later the government indicted organizer Trendon Shavers. The government accused him of raising more than 700,000 bitcoins from gullible customers. In 2014, a judge ordered Shavers to repay victims more than $40 million. The judge found the scheme had cost victims 265,678 bitcoins.
September 2012: More exchanges get hacked, shut down
In September 2012, a Bitcoin exchange called Bitfloor suffered a catastrophic attack. Attackers stole 24,000 bitcoins, then worth around $250,000. Bitfloor didn’t have $250,000 in reserves, so the theft effectively made Bitfloor insolvent.
Bitfloor resumed operations a few weeks later, hoping to earn enough in fees to repay earlier customers. But the effort was unsuccessful; Bitfloor closed its doors for good in April 2013, leaving frustrated users in its wake.
February 2014: Hackers bring down the world’s then-largest exchange
The Bitcoin world’s biggest financial fiasco was the collapse of Mt. Gox—then the world’s leading Bitcoin exchange—in 2014. Operated by French-born CEO Mark Karpelès from a headquarters in Japan, Mt. Gox was the main way people bought and sold bitcoins from its foundation in 2010 until February 2014. Then Mt. Gox announced that 850,000 bitcoins had gone missing—likely stolen by hackers, the company said.
At early 2014 prices, those bitcoins were worth around $450 million. Today, they’d be worth $8.5 billion.
In July, US law enforcement officials announced they had arrested a suspect in the massive theft. A Russian man named Alexander Vinnik was the owner and operator of a competing Bitcoin exchange called BTC-e. The feds allege that he knowingly accepted stolen bitcoins from Mt. Gox and laundered them through his own bitcoin exchange.
The collapse of Mt. Gox left no shortage of angry customers. Ironically, the continued appreciation of Bitcoin’s value means that the bankrupt company could eventually be able to repay its debts in full—with piles of money left over. Mt. Gox’s assets and liabilities were frozen while the company worked through the bankruptcy process. The liabilities were frozen in terms of Japanese yen, while the company’s remaining bitcoins have ballooned in value—from around $400 each at the time of the bankruptcy to around $11,000 today.
Obviously, Mt. Gox’s former creditors believe they should be repaid in appreciated bitcoins, but Japanese law might not be on their side.
January 2015: Bitstamp exchange is hacked
In January 2015, the popular Bitcoin exchange Bitstamp reported that it had lost around 19,000 bitcoins, then worth about $5 million. The exchange survived the attack and remains a leading Bitcoin exchange today.
August 2016: Another exchange loses 120,000 bitcoins to hackers
In August 2016, the Bitcoin exchange Bitfinex announced that hackers had stolen $77 million worth of bitcoins. The company foisted these costs on to users, forcing them to take a 36-percent reduction in the value of their deposits.
Bitfinex is still around, but there are big questions about the company’s credibility. As the New York Times puts it, Bitfinex is an “opaque operation that provides no information on its website about where it is or who operates the company.”