Biggest crypto heist ever featuring Coincheck rocks industry
Massive hack takes Japanese exchange Coincheck offline, attackers steal record $534 million in crypto - bigger than the infamous Mt Gox.
What is thought to be the largest theft of crypto-currency ever has been uncovered, once again raising questions about security and regulatory protection in the emerging market of digital assets.
The incident unfolded on Friday, as Tokyo-based Coincheck halted trading, then restricted deposits and withdrawals. The rumours of a compromise were immediate, and shortly afterwards the company announced that approximately $523 million in NEM had been stolen.
Coincheck said in a statement that the approximately 260,000 users affected would receive refunds at a rate of 88.549 JPY per NEM held on the platform, adding: “We realize that this illicit transfer of funds from our platform and the resulting suspension in services has caused immense distress to our customers, other exchanges, and people throughout the cryptocurrency industry, and we would like to offer our deepest and humblest apologies to all of those involved.”
The hack follows a string of exchange compromises and hacks, including an as-yet unexplained compromise of hashpower exchange NiceHash but the scale dwarfs them all, placing it above the notorious Mt Gox hack in 2014. The Mt Gox hack severely damaged market faith in crypto-currencies at the time, as it accounted for more 80 per cent of global BTC transactions at its peak, and the fallout of claim and counterclaim continues in the courts today.
Ilia Kolochenko, CEO of web security company, High-Tech Bridge comments: "This case is undoubtedly the largest breach in the foggy realm of crypto-currencies. Nonetheless, I wound certainly refrain from panic: Coincheck's announcement to compensate the victims of the breach is laudable and boosts trust towards digital currencies.
Incident detection in eight hours is also comparatively good timing: many large companies detect similar incidents in a few months. We can clearly see the difference between amateurs operating Mt. Gox in 2014, and well-prepared professionals behind Coincheck. It is unclear how the breach took place, but I would not exclude insider activities or a at least an accomplice. Hopefully, a technical investigation will shed some light on the incident.
Steady growth and wider adoption of digital coins continuously increase their attractiveness for cybercriminals. Unlike fraudulent bank or PayPal transactions, theft of digital coins is very difficult to trace and virtually impossible to revert. Despite persistent lack of qualified personnel and insufficient governmental funding, law enforcement agencies managed to build decent teams and effective processes to detect, investigate and prosecute theft from bank accounts.
However, proper investigation of incidents with crypto-currencies is still nascent in most countries. Lack of regulation, opaque ownership and decentralization - make digital coins a low hanging fruit for cyber gangs who can easily grow their profits without increasing their efforts. I would expect many similar incidents in 2018, unfortunately."
The hack has raised questions around the handling of cryptocurrencies at Coincheck, as the funds were apparently held in an online ‘hot wallet’ rather than an offline ‘cold wallet’, which significantly raises the possibility of a successful hack. Experts estimate that a total of $1.2 billion worth of Bitcoin and Ether has been stolen from investors and businesses in less than 10 years.
A recent High-Tech Bridge investigation into cryptocurrency apps on the Google Play store found that even among the most widely downloaded, 94 per cent contained at least three medium-risk vulnerabilities. Using the company’s new free online service Mobile X-Ray, the researchers also found the 94 per cent of applications were still using SSLv3 or TLS 1.0 banned by PCI DSS.
High-Tech Bridge announced the week that the company will accept payment for application security services in Bitcoin and 45 other cryptocurrencies via CoinGate.