
$500m cryptocoin heist could be biggest cybertheft ever

Japanese cryptocoin exchange Coincheck has been hacked out of 523 million NEM coins, worth about a dollar each.

You’ve probably heard of Bitcoin – the cryptocurrency world’s first and best-known child, with a value that soared during 2017 from about $1000 to almost $20,000.
Even though Bitcoin has plummeted in the past month, BTC 1 will still cost you $11,000.
You may know about Monero, or XMR for short, a cryptocoin that has been in the headlines for all the wrong reasons recently – crooks have taken to mining it via JavaScript in your browser, so that visiting a booby-trapped website will essentially “borrow” your CPU (and electricity) to make money for them.
And if you did the Naked Security #sophospuzzle crossword at New Year, you’ll have heard of Ethereum, a combination of cryptographic blockchain, distributed computational environment and cryptocurrency.

We won’t be surprised if you’re not familiar with NEM, a public blockchain (a form of distributed database) and cryptocurrency that is probably best known in Japan.
NEM promotes itself through a product called Mijin, which is effectively a way of using NEM’s technology to run a private blockchain of your own, for example for processing financial transactions, keeping track of stock movements, and more.
We hadn’t even heard of NEM until this morning…
…when a Japanese cryptocurrency exchange called Coincheck admitted that it had, well, “lost” NEM 523,000,000.
(We’ll call them NEM coins from now on, although they aren’t coins in the traditional sense, and NEM doesn’t have the word “coin” in its name.)
Unlike Bitcoin, the number of which will gradually increase until there are a maximum of 21,000,000 in circulation, NEM started out in 2015 with 9 billion “preminted” coins (actually 8,999,999,999) for its ecosystem.
Two years ago, NEMs were worth just four-thousandths of a US cent each – although with 9 billion NEMs in the world that nevertheless gave the NEM currency an astonishing overall valuation of $3,600,000.
Today, they are, even more astonishingly, worth about a dollar each, for what the cryptocoin industry buoyantly refers to as a market capitalisation of about $9 billion – a hard-to-get-your-head-around valuation that makes NEM alone worth as much as 1% of Apple.
With that sort of value, you’d imagine that anyone who had been entrusted with a large stash of NEM coins would take care not to lose them – especially if those NEMs belonged to other people and were being held for the purposes of trading.
Indeed, you’d think that any major-league cryptocoin exchange would be extra careful given the history of high-value security implosions in the cryptocurrency scene, such as:

Biggest cryptoheist ever?

Well, all cryptocurrency carelessness records may just have been broken by Japanese exchange Coincheck.
According to the company’s own blog, it recently lost NEM 523,000,000 belonging to approximately 260,000 different users.
The company has said it will offer reparations to affected users, paying them out at JPY 88.549 ($0.81) per NEM coin they had held.
That means the company has to come up with more than $400 million in cash.
As you can imagine, that might take a while:

We are currently deciding on the best method for applying for reparations and the period in which they will be made. The principal used for reparations will be derived from company funds.
We realize that this illicit transfer of funds from our platform and the resulting suspension in services has caused immense distress to our customers, other exchanges, and people throughout the cryptocurrency industry, and we would like to offer our deepest and humblest apologies to all of those involved. In moving towards reopening our services, we are putting all of our efforts towards discovering the cause of the illicit transfer and overhauling and strengthening our security measures while simultaneously continuing in our efforts to register with the Financial Services Agency as a Virtual Currency Exchange Service Provider.
Thank you for your attention and your support.

What to do?

Cryptocoins can be stored in what’s called a hot wallet, meaning that the cryptographic secrets needed to spend them are entrusted to an online service such as an exchange like Coincheck, which makes the coins easier to trade but puts them at risk if that service is breached; or in a cold wallet, where you keep the spending keys offline and under your own control.
That’s a bit like the difference between having shares lodged with an online broker, where you can trade them directly, and having shares issued as share certificates that you can keep under the mattress at home.
Good advice is to keep the bulk of your cryptocurrency stash offline, keeping only a modest amount online for your immediate needs.
In this case, the average NEM coinholder had apparently entrusted about NEM 2000 to the Coincheck exchange – not a lot, at least in hard currency, until fairly recently, when the value of NEM reached about one dollar.
Even at $2000, many users may have thought that their online balances were reasonable enough, perhaps assuming that an attack that drained hundreds of thousands of accounts at the same time was unlikely.
If you do have cryptocurrency holdings, now is a good time to reconsider how much you keep hot (online), and how much you keep in cold wallets (for example backed up on various encrypted USB devices in multiple locations).
Large fluctuations in cryptocoin values mean that a hot wallet deposit that seemed almost trivially modest a few months ago might by now be worth more than your car…


Correction for first sentence statement: “..with a value that soared during 2017 from about $100 to almost $20,000.” Should read: ..with a value that soared during 2017 from about $1000 to almost $20,000.”


Typo, fixed – thanks.
Mind you, I just asked a physicist and he insisted that $100 is not merely “about $100” but can be considered “almost $1000”, and thus as first approximations they can be considered identical.


Sounds like a theoretical physicist to me :)
An experimental physicist, or engineer, or accountant would not intentionally put such a big envelope around even an approximate number.
But more seriously, thank you for this and the many other good articles. NakedSecurity is one of the best cyber security websites out there.

