Zaif Case or Why Japanese Exchanges Lost $518 Million For Six Months

Over the past couple of years, Japanese exchanges and cryptocurrency wallets have been literally shaken by hacker attacks. The National Police Agency (NPA) released on September 20 data for the first half of 2018: the number of registered incidents was 158, which is three times more than in the same period of 2017. That amount has even exceeded the total quality for the whole last year, when 149 cases of Internet attacks was committed. This report was timed to the recent cyber attack of Zaif, one of the largest crypto exchanges in Japan, that is actually managed by Tech Bureau Inc. The shock was also caused by the fact that this exchange was licensed under all the rules and inspected regularly.

The attack was registered on September 14, but the exchange was in no hurry to report it, and found an unusual outflow of funds only after 4 days. On September 17, the movement of digital assets was suspended. And only on September 18, Zaif reported a loss of about $60 million (6.7 billion yen) to the Japan Financial Services Agency (FSA). This time the theft was in Bitcoin, Bitcoin Cash and MonaCoin. At the moment company revised the overall assessment of the theft, increasing the claimed figure to $62 million (7 billion yen), and $40 million (4.5 billion yen) were client assets among them.

According to the NPA report, $7.66 million (860 million yen) of bitcoins and $13.5 million of Ripple (1.52 billion yen) were stolen in the first half of this year. And just by one hack of Coincheck alone, hackers had stolen $534 million (about 58 billion yen) in NEM tokens from digital wallets. During this period, there were also 14 cases of theft in Ethereum with losses of about $540 thousand (61 million yen). NPA representatives said that the increase in attempts to hack cryptocurrency networks has been recorded since about August 2017. In the first half of 2018, the lion's share of the losses came on the crypto exchanges in the total amount of approximately $518 million. And the other funds of about $22 million, were stolen from an individual cryptocurrency wallets.

Four days worth $60 million

"Just reported in Japan: Japanese Exchange Zaif hacked, 5966 BTC (37million USD) stolen from hot wallet (stolen 5 days ago, and just reported now!). BCH and MONA also potentially stolen" - the developer of the LBRY platform Kay KUROKAWA tweeted on September 19. In the following tweets KUROKAWA already indicates that the amount of damage reached $60 million. According to him, the exchange took as much as 4 days to detect theft or leave an official statement at least.

After the announcement of the theft, Zaif declared its asset reserve as $20 million (about 2.2 billion yen) and entered into an agreement with Fisco company to invest $44.5 million in exchange for a large ownership share. In recent past the Japanese financial information provider Fisco created a cryptocurrency Fund worth more than 2.66 million (300 million yen) to invest in bitcoin and other cryptocurrencies. That was in January 2018, and two years earlier the company has been investing in Tech Bureau and other exchanges. By the way, Coincheck did the same way in resorting to rescue by selling itself to the former Director of Goldman Sachs to compensate users for the stolen funds.

This year in March Tech Bureau received administrative order to improve the business, especially in taking measures to improve security system and facilitate anti money laundering.

The hacker attacks problem has stirred up the entire crypto community in conditions of the fast growing Asian crypto market space. Andrew LIM, the President of the South Korea Blockchain (SKBC), also noted that Zaif has been repeatedly warned of the need to protect its platform: “If that is the case, there were serious concerns as to their inability or unwillingness to comply. I also read that no immediate announcement was made by Zaif of the breach”.

Worth reminding that this year on June 10 when the South Korean exchange Coinrail was attacked, it led to a huge reduction in the capitalization of the crypto market that reached $42 billion. It was caused by a panic among the investors and a large number of plums. By the way, the rate of bitcoin and many other crypto-currencies fell by 5-10% in that period. And Youbit suffered a lot after the second attack and the theft of 17% of all assets last September. As a result they declared them as a bankrupt and just closed. "Although Youbit and Coinrail were hacked and shut down, Bithumb managed to survive their $30 million loss and sits at one of top 10 cryptocurrency exchanges in the world. Compared to the total market cap of over $200 billion, $30 million does not seem much, however, the global cryptocurrency market dropped over $40 billion, a nervous, over-reaction to the breach,” - said Mr. LIM.

However, Coinrail completely changed the security system that contained the vulnerability and gained back the activity a month after the hack. The exchange partially reimbursed the funds to users, but as usual did not explain exactly how the attack occurred. And Bithumb, after hacking on June 19 this year, recovered users stolen funds in the amount of $31 million by its own expense to save the good face. The Bithumb representatives announced on their website after the attack immediately: ”All assets of our customers are securely saved in Bithumb’s cold wallet; hence all assets are completely safe and secured". But the attack of the 7th in terms of trading volume of the cryptocurrency exchange in the world did not pass without a trace, so the news of hacking immediately affected the exchange rate of all currencies. For example, the price of bitcoin decreased by 2%.

According to the expert, who wished to remain anonymous in an interview for Bitnewstoday.com, Zaif incident questioned the reliability of the exchange, this as particular and any other exchange at all: "Zaif has got received 2 business improvement administrative order that requires it to address issues around IT system vulnerability and management/governance system. In that sense, I guess, it has already had problems that lead to this incident. More generally, cryptocurrency exchanges are fundamentally just startups and lack human and financial resources that enable them to equip enough cybersecurity countermeasures. And even though they cannot equip the safe system, they provide custody service and manage the huge amount of customers' assets. This is the fundamental problem”.

The most well-known attacks on exchanges have led to more thorough FSA control over their activities and an appropriate level of security. As we wrote earlier, after the attack on Coincheck, the FSA together with the Agency for consumer protection and the National police Department had inspected 23 cryptocurrency exchanges. The reason for such activation of regulators had been caused not only the amount of theft, but also the fact that the exchange was not registered in the Japanese Financial Services Agency. And that had been found out just due to the attack.

Also, the increased attention of regulators is associated with the rapidly growing size of the cryptocurrency market. One of the loudest cyberattacks on the exchange is hacking Mt. Gox in 2014. And although the volume of theft is much smaller than the incident with Coincheck, since the size of the stolen amounted to $350 million, the impact of this attack was much more significant in view of the smaller volume of the cryptocurrency market as a whole. This completely destroyed the exchange and brought it out of the digital game.

Japanese regulators: aggressive but fair

Since 2005, the Settlement Law has begun to act in Japan. And by this law the only registered and licensed trade organizations can conduct their activities in Japan.

On March 8, the FSA ordered GateWay and Mr. Exchange to make adjustments into their security systems. Both exchanges were also pointed to take attention to the obvious shortcomings and gaps in the protective mechanisms which were found by FSA experts during the investigation. However, instead of correcting the identified shortcomings, both exchanges withdrew applications for legalization of activities almost immediately and then just returned their funds to customers.

The first of the inspected and closed by regulators were FSHO and Bit Station. The next ones were Raimu and bitExpress exchanges, that withdrew their registration applications.

FSA behavior is perceived as aggressive due to the fact that the Agency is concerned about the occurrence of possible troubles for the exchange clients. FSA with each inspection finds the new gaps in the cybersecurity of exchanges and even that licensed by the rules.

According to independent experts, who wished to remain anonymous in view of their direct involvement in the events, Zaif incident can stimulate the discussion on the separation of crypto asset custody and matching of a transaction from the cryptocurrency exchanges. Or it could encourage a shift from centralized exchange toward decentralized exchange although DEX is still not so user-friendly and need more technological development.

“The impact of the incident on the Japanese market and regulation is still unclear as JFSA and the company still scrutinize the root cause. Of course, the market price is affected heavily and may cause the difficult situation for the cryptocurrency industry... And JFSA would be required to reconsider the appropriateness of their regulation and implementation because Zaif is the first large hacking incident of a registered company, but not a quasi-registered company. In comparison with the attack on Coincheck which was quasi-registered and Mt Gox incident was before the introduction of regulation" - said an anonymous source for Bitnewstoday.com

The stricter, the better - investors are much more important!

The big interest of the Land of the Rising Sun nation to digital currencies is only growing and becoming more professional. If in 2017, the Japanese were interested in issues of ensuring the exchanges security and doubts about the legality of the ICO, then this year some of web requests were related to regulation, and the rest concerned to specific transactions and individual contracts.

According to the FSA, in the first quarter of 2018, 3,559 of requests for cryptocurrency were submitted, and according to the report of the Consumer Affairs Agency (CAA) these requests amounted to 2,769 in 2017 comparable to the 847 of requests in 2016.

Andrew LIM believes that security and risk management should be a top priority for exchanges and investor protection, as hacking attempts will always be: “As much as I regret to admit it, we need stricter regulations and accountability for those responsible for obvious negligence. The cryptocurrency market has yet to mature. The market is too sensitive to bad news, especially to hacked exchanges. Defining cryptocurrency exchanges as regulated financial institutions was a major milestone where the exchanges must have adequate security measures in place to operate. The regulators are doing their best… but so are the hackers”.