$60 million stolen from Japan’s Zaif cryptocurrency exchange
Hot wallets are hot targets.
When we came in on Monday, the money was all gone – to paraphrase employees of Tech Bureau's Zaif exchange in Japan.
The hack itself took place over roughly two hours, ending at about 7pm Osaka time on Friday, the Japan Times reports. A system abnormality wasn't detected until Monday, Zaif didn't confirm the money was gone until Tuesday, and the news didn't break until Thursday. So someone at Zaif is really having a hellish week.
The timing of the attack, coming in right at the end of business hours on a Friday, is almost certainly no coincidence. It looks like the attacker aimed to buy some time over the weekend, and it seems to have worked.
It's being reported that about US$60 million of cryptocurrency, including bitcoin, Monacoin and Bitcoin Cash, was pulled out of the exchange's hot wallet. One-third of the funds belonged to the exchange, while the other two-thirds was customer money.
Japan's exchanges and regulators went on high alert following the monumental CoinCheck heist, in which roughly half a billion dollars' worth of NEM was pulled out of that exchange's hot wallet in January. It remains one of cryptocurrency's largest single thefts to date.
In the aftermath of CoinCheck, Japan's Financial Services Agency (FSA) swept 15 exchanges across the country, including Zaif.
Of the exchanges swept, seven were ordered to carry out certain improvements while two were ordered to suspend trading. The investigation in general found an industry full of security holes, and occasionally marred by exchange staff toying with customer funds for personal use.
Zaif might have been somewhere in the middle of the pack. It's been slapped with two FSA business improvement orders this year, but there was nothing so egregious that it was ordered shuttered. But just like CoinCheck, this particular attack went after an exchange's hot wallet.
Current crypto industry practice is to keep the large majority of customer funds, commonly more than 90%, in an offline cold wallet at any given time, with the hot wallet holding only the float needed to service expected withdrawals. Measured against that, most security experts would agree that Zaif had no business leaving so much money in a hot wallet, and that a two-hour drain of that float should have tripped an alarm long before Monday.
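As an added example that is not part of the original article or of Zaif's own systems, the two controls at issue here in code form: a hot-wallet float cap that tells the treasury desk how much to sweep into cold storage, and a sliding-window outflow alarm run over a constructed withdrawal ledger in which a two-hour burst drains half the hot float on a Friday evening. The balances, the 10% float cap, the 2%-per-hour threshold and all timestamps are invented for illustration and are not figures from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Withdrawal:
    ts: datetime    # UTC time the hot wallet broadcast the transaction
    amount: float   # units of one asset (BTC in the constructed sample below)


def sweep_amount(hot_balance: float, total_custody: float,
                 max_hot_ratio: float = 0.10) -> float:
    """Amount that must move from the hot wallet to cold storage so that the
    hot float is at most max_hot_ratio of everything held in custody.
    0.10 is an assumed policy value, not a figure from the article."""
    if not 0.0 < max_hot_ratio <= 1.0:
        raise ValueError("max_hot_ratio must be in (0, 1]")
    return max(0.0, hot_balance - total_custody * max_hot_ratio)


def outflow_alerts(withdrawals: List[Withdrawal], hot_balance_start: float,
                   window: timedelta = timedelta(hours=1),
                   max_window_ratio: float = 0.02) -> List[Tuple[datetime, float]]:
    """Sliding-window velocity check: flag any window (anchored at a withdrawal)
    whose total outflow exceeds max_window_ratio of the hot balance at the
    start of the period. After a window trips, scanning resumes at the first
    withdrawal outside it, so one burst yields one alert per saturated window
    rather than one alert per transaction."""
    threshold = hot_balance_start * max_window_ratio
    ordered = sorted(withdrawals, key=lambda w: w.ts)
    alerts: List[Tuple[datetime, float]] = []
    i = 0
    while i < len(ordered):
        start = ordered[i].ts
        end = start + window
        total = 0.0
        j = i
        while j < len(ordered) and ordered[j].ts < end:
            total += ordered[j].amount
            j += 1
        if total > threshold:
            alerts.append((start, total))
            i = j           # skip past the saturated window
        else:
            i += 1
    return alerts


def constructed_ledger() -> List[Withdrawal]:
    """Constructed sample data, not Zaif's records: a quiet Thursday of small
    customer withdrawals, then eight 60 BTC sends at 15-minute intervals from
    17:00 to 18:45 JST (08:00-09:45 UTC) on the Friday."""
    quiet = [Withdrawal(datetime(2018, 9, 13, h, 0), 1.5) for h in (1, 5, 9, 13, 17)]
    burst_start = datetime(2018, 9, 14, 8, 0)
    burst = [Withdrawal(burst_start + timedelta(minutes=15 * k), 60.0) for k in range(8)]
    return quiet + burst


if __name__ == "__main__":
    # Assumed hot float of 1,000 BTC against 10,000 BTC in custody: exactly at the cap.
    print("sweep to cold:", sweep_amount(1000.0, 10000.0), "BTC")
    for ts, total in outflow_alerts(constructed_ledger(), hot_balance_start=1000.0):
        print(f"ALERT {ts.isoformat()}Z: {total:.1f} BTC left the hot wallet within 1h")
```

On the constructed ledger the alarm trips at the first saturated window, 17:00 JST on the Friday, i.e. inside the first hour of the two-hour drain rather than three days later. The 2% per hour threshold is deliberately crude; a real deployment would tune it per asset and time of day, and the alert is only useful if it reaches someone who can freeze the signing key on a Friday evening.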
After the hack, Tech Bureau said it had agreed to accept a $44.59 million bailout from Fisco Ltd, which would receive majority ownership in exchange. It added that the size of Fisco's investment may still change if further investigation revises the amount stolen.
If there's anything to be learned from the ongoing tendency of Japan's exchanges to experience enormous hacks, other than not to leave millions of dollars in a hot wallet, it's that Japan's crypto exchanges are still doing roaring business, and that exchange security should not be taken for granted.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and ADA.