Coincheck advised to fix flaws before $530m cyber theft

Women walk under a sign of Japan’s Financial Services Agency in Tokyo, Japan in June 2017. -- Reuters

Japan’s financial regulator on Friday swooped on Coincheck Inc with surprise checks of its systems and said it had asked the Tokyo-based cryptocurrency exchange to fix flaws in its computer networks well before hackers stole $530 million of digital money last week.

Security gaps in Coincheck’s systems were among the reasons the exchange had not been given official approval to operate, the Financial Services Agency said. Coincheck had been allowed by the regulator to operate pending registration.

The comments came after 10 FSA officials conducted surprise checks on Coincheck’s office on Friday morning, as authorities stepped up efforts to pin down how hackers pulled off one of the world’s biggest cyber heists.

The inspection, launched at 8am on Friday, focused on compensation for customers, financial conditions and system management at the exchange, and Coincheck’s efforts on consumer protection, a senior FSA official said.

Coincheck has said the virtual coins were stored in a “hot wallet” instead of the more secure “cold wallet,” which operates on platforms not directly connected to the internet. The exchange was also not using an extra layer of security known as a multi-signature system.

The regulator’s knowledge of flaws in Coincheck’s systems before the theft will likely draw further focus on Japan’s approach to regulating cryptocurrency exchanges.

Japan last year became the first country to regulate exchanges at the national level - a move that won praise for boosting innovation and protecting consumers, contrasting sharply with crackdowns in South Korea and China.

The theft highlights the vulnerabilities in trading an asset that policymakers are struggling to regulate, as well as the broader risks for Japan as it aims to leverage the fintech industry to stimulate economic growth.

The FSA earlier this week issued a business improvement order to Coincheck and said it would investigate all cryptocurrency exchanges in Japan for security gaps following the hack.

The regulator said on Friday it had ordered all cryptocurrency exchanges to submit a report on their system risk management.

Coincheck had been ordered to submit a report on the hack and measures for preventing a recurrence by Feb. 13. But Friday’s surprise inspection was conducted ahead of the deadline to “ensure protection of users,” Finance Minister Taro Aso told reporters.

The FSA has already conducted an interview-based hearing with Coincheck but questions remain, a source with direct knowledge of the matter told Reuters on Friday.

In 2014, Tokyo-based Mt. Gox, which once handled 80 percent of the world’s bitcoin trades, filed for bankruptcy after losing bitcoins worth nearly half a billion dollars to a hacking attack. More recently, South Korean cryptocurrency exchange Youbit shut down and filed for bankruptcy after being hacked twice last year.

INVESTIGATIONS

Coincheck said on Sunday it would repay about 46.3 billion yen ($425 million) of the virtual money. The FSA has said it had yet to confirm whether the company had sufficient funds for the reimbursement.

Coincheck has turned over communication records to police in Tokyo investigating the heist, the Nikkei business daily said on Thursday. A Tokyo Metropolitan Police Department spokesman declined to comment.

Authorities in several countries are also investigating last week’s heist involving the NEM cryptocurrency, a member of the foundation behind the digital coin said on Thursday.

Last year’s explosive rise in the value of digital coins and the flood of new retail investors drawn to the market have rattled global regulators nervous about a sector used largely for speculation. Officials have said cryptocurrencies are used by criminals to launder money.

Bitcoin, the world’s largest cryptocurrency, skidded 11 percent on Thursday to its lowest since November, as a Facebook ban on cryptocurrency adverts and a growing regulatory backlash against the nascent market frightened investors.

Bitcoin extended its slide to $8,639 on Friday after skidding a day earlier to as low as $9,022 on the Luxembourg-based Bitstamp exchange, less than half the peak price of almost $20,000 it reached in December.