Cryptocurrency exchange Coincheck, based in Tokyo, has announced a plan to compensate roughly 260,000 NEM holders for $523 million XEM that was illegally removed from Coincheck last week. According to a notice on the company’s website, the hack itself is still under investigation.
On January 26th, Coincheck suspended some of its functions after a suspicious event occurred in the early hours of the morning. The company noticed unusual activity and issued a notice regarding the temporary suspension of NEM payments. NEM trading was temporarily suspended, and a few hours later all withdrawals of fiat currency, including JPY, were suspended, followed by the temporary suspension of trading of all cryptocurrencies with the exception of BTC. Eventually, exchange executives confirmed the theft near the end of the day.
It is believed that Coincheck will refund NEM holders in Japanese yen to their Coincheck wallets.
$400 mn. STOLEN Crypto is to be refunded … just bcoz it could be traced.
— Sangeetha #CIT150 (@SangitaSri) January 28, 2018
Coincheck will calculate the compensation price as a volume-weighted average, with reference to the Zaif XEM currency exchange operated by Tech Bureau Inc. The calculation period runs from the time sales were stopped, 12:09 Japan time on Jan. 26, to the time the release was delivered, 23:00 Japan time on Jan. 27.
The compensation amount will be 88.549 yen times the number of units held.
The exchange stated that it is committed to resuming services, investigating the causes of the illegal remittance and strengthening its security system. It also apologized for any inconvenience caused to business partners, customers and related parties.
Coincheck also said it will continue its efforts to register as a virtual currency exchange with the Financial Services Agency.
During a press conference following the suspension of activity, Coincheck executives revealed several details about the hack and specifically the infrastructure of the Coincheck cryptocurrency exchange. Yuji Nakamura, a technology reporter based in Japan, reported that the Coincheck trading platform had not implemented multi-signature technology, stored all of the hacked funds in a hot wallet, and that the developers of Coincheck were still not sure how the exchange was hacked.
Most major cryptocurrency exchanges such as Kraken, Coinbase, and Bitfinex have multi-signature security measures in place, which prevent funds from being processed on public blockchain networks until a third-party security service provider confirms the legitimacy of transactions.
The lack of a multi-signature service is a critical security flaw for any cryptocurrency exchange. If multi-signature technology had been integrated, the security breach could have been prevented.
Funds Stored In ‘Hot Wallet’
In addition to not having implemented multi-signature security measures, Coincheck kept all of its funds in a hot wallet. In cryptocurrency, a hot wallet is defined as a wallet that is connected to the Internet, while a cold wallet is described as a wallet which is stored offline. For large sums of user funds, cryptocurrency exchanges usually store cryptocurrencies in cold storage, to ensure that even in the event of a hacking attack, hackers cannot access user funds.
Coincheck's malpractice of storing funds in a hot wallet and not implementing a multi-signature system ultimately led to the loss of user funds.
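Added example, not from Coincheck or the original article: a 2-of-3 approval check of the kind a multi-signature wallet enforces, showing why one compromised hot-wallet key cannot authorize a withdrawal on its own. The signer names, keys and transaction are constructed, and HMAC-SHA256 stands in for each co-signer's digital signature so the code runs with only the standard library.

```python
import hashlib
import hmac
import json

# Constructed co-signer keys (hypothetical names). In practice each key sits on
# a separate system and at least one of them is kept offline (cold).
SIGNER_KEYS = {
    "hot-server": b"constructed-key-1",
    "cold-device": b"constructed-key-2",
    "cosigning-service": b"constructed-key-3",
}
THRESHOLD = 2  # 2-of-3 policy


def canonical(tx):
    """Serialize deterministically so every signer approves the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign(signer, tx):
    """Approval tag over the exact transaction (HMAC stands in for a signature)."""
    return hmac.new(SIGNER_KEYS[signer], canonical(tx), hashlib.sha256).hexdigest()


def valid_signers(tx, approvals):
    """Return the distinct known signers whose approval matches this transaction."""
    ok = set()
    for signer, tag in approvals:
        if signer not in SIGNER_KEYS:
            continue  # approvals from unknown signers are ignored
        if hmac.compare_digest(sign(signer, tx), tag):
            ok.add(signer)  # a set, so a repeated approval counts once
    return ok


def authorize(tx, approvals):
    """Release funds only when enough independent signers approved this tx."""
    return len(valid_signers(tx, approvals)) >= THRESHOLD


# Constructed sample withdrawal and approval sets.
withdrawal = {"asset": "XEM", "amount": 1000, "to": "constructed-destination"}
hot_only = [("hot-server", sign("hot-server", withdrawal))] * 2  # one key, sent twice
two_signers = [(s, sign(s, withdrawal)) for s in ("hot-server", "cold-device")]
tampered = dict(withdrawal, to="constructed-other-destination")

if __name__ == "__main__":
    print("hot key alone:", authorize(withdrawal, hot_only))
    print("hot + cold:", authorize(withdrawal, two_signers))
    print("approvals reused on altered tx:", authorize(tampered, two_signers))
```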