Japanese cryptocurrency exchange CoinCheck confirmed on 26 January 2018 that it has been the victim of a massive hack, resulting in what would appear to be the largest cryptocoin theft of all time.
In a press conference CoinCheck admitted that the current understanding was that the hackers had stolen around 523 million of the exchange's NEM coins which, at the time of detection, were worth around $534 million. This would surpass the $400 million worth of Bitcoin that was stolen in the Mt Gox incident of 2014.
CoinCheck is reportedly still trying to verify how the hackers were able to access the wallet where the NEM coins were stored but, it would appear, that the hackers were able to steal the private key for the wallet which then enabled them to withdraw the coins.
Questions are, however, likely to be asked as the NEM coins were stored in a simple hot wallet (a wallet connected to the internet and used for trading) as opposed to a more secure multisig wallet (where more than one key is required to authorise a transaction) or even a cold wallet (which takes the coins offline).
CoinCheck does store other coins in multisig wallets, as well using cold wallets for the likes of Bitcoin and Ether, and apparently the plan was to store the NEM coins offline too.
It has also been reported that, shortly after discovering the hack, CoinCheck moved around $110 million worth of Ripple to a more secure location in case the hackers were still able to access their systems. Whilst clearly a sensible precaution this move is likely to lead to further questions as if it was relatively straightforward to move Ripple, why had CoinCheck not already done the same with NEM?
Although interestingly the impact on the market appears to be significantly less than the Mt Gox incident (Bitcoin and Ethereum initially dropped 7% and 5% respectively but then bounced back relatively quickly), this hack will inevitably have substantial consequences.
CoinCheck themselves have reported the matter to Japan's Financial Services Agency, as well as the police, and the FSA has set a deadline of 13 February for CoinCheck to report back on the cause of the hack, the prevention and risk measures CoinCheck will be putting in place as well as how they will deal with their customers. The FSA has also said it will consider on-site inspections if necessary.
CoinCheck have stated that they will refund most of the coins stolen, promising to reimburse around $423 million to their customers. The FSA, however, has said it was not yet aware of how CoinCheck planned on doing so or, indeed, whether it actually had the necessary funds for such a large reimbursement.
NEM is working on an automated tagging system to prevent the hackers turning the NEM coins to fiat currencies, or converting them into other cryptocurrencies. The system will follow the money and tag any account that receives tainted money and NEM has already shown other exchanges how to check whether an account has been tagged.
Moving forward, cryptocurrency exchanges will be reviewing their own security setup and are likely to move to assure their customers that their coins are stored securely. Some regulators are already seeking to bring such exchanges under their purview and it is likely that others are likely to follow suit with the aim of imposing security requirements on them. It is also highly likely that we will see an increase of customers looking to take matters into their own hands and isolate their private keys offline with hardware wallets such as Trezor or Ledger.