On September 18, the Japanese cryptocurrency exchange Zaif confirmed that it was the target of a September 14 cyberattack that yielded an estimated $60 million (¥6.7 billion), in the form of 5,966 Bitcoins and an unknown quantity of other cryptocurrency assets. The points of attack reportedly were Zaif customers’ “hot wallets,” the online digital wallets that customers use to store cryptocurrency assets.
Tech Bureau, the Osaka-based cryptocurrency exchange that operates Zaif, stated that it had reported the theft to the Japanese Financial Services Agency (FSA) and law enforcement authorities. Tech Bureau plans to raise the funds to compensate customers for their losses by selling a majority of its shares to a group company under the Japan-based financial services provider Fisco. Fisco’s group company is expected to provide ¥5 billion to Tech Bureau as both companies “work to complete an agreement by the end of the month.”
Note: The Zaif hack is not the first cyberattack against Japanese cryptocurrency exchanges this year. In January, Tokyo-based cryptocurrency exchange Coincheck Inc suffered a “hot wallet” cyberattack that stole approximately $532.6 million (¥58 billion). These two attacks – combined with the fact that the FSA had previously ordered Tech Bureau twice this year “to improve its operations, including its response to system failures” – demonstrate the urgency with which the cryptocurrency-exchange community needs to commit to installing and maintaining robust cybersecurity and data-protection measures.
Explanations like “technical difficulties and a shortage of staff” will not satisfy regulators in Japan or other countries who have seen multiple large-scale cryptocurrency hacks; indeed, an FSA official has already said that the Zaif hack “will likely have an impact on future screenings” for newly registered exchanges. Although cryptocurrency-related market capitalization may have increased vastly since 2014 – when the bitcoin exchange Mt. Gox lost an estimated $473 million – neither consumer confidence nor regulatory patience can remain infinitely elastic.
One indication that the cryptocurrency sector recognizes that fact is the August 2018 application by the Japanese Virtual Currency Exchange Association (JVCEA) for certification by the FSA. The JVCEA reportedly “plans to work with the government on drafting and overseeing legislation that will allow the Japanese crypto exchange industry to become self-regulating,” and to that end submitted to the FSA a detailed 100-page document containing its proposed self-regulatory measures. In the end, some combination of self-regulatory and government regulatory measures will likely be necessary to impress on the industry the importance of adopting and implementing meaningful cybersecurity defenses and other internal controls and compliance measures.