For young crypto-traders such as Ms Yamazaki, "to Gox" has entered the vocabulary as the verb for an exchange's collapse. But for the Japanese authorities, which have led the world in legitimising cryptocurrencies through regulation, it is a horrifying reminder of what financial innovation can cost.

A third of the world's bitcoin exchanges were hacked between 2009 and 2015, say US authorities. Technical and legal advisers to the Japanese government are even blunter about the vulnerabilities. As the Coincheck debacle unfolds, the credibility of the Financial Services Agency hangs in the balance.

The Coincheck robbery comes amid a wider wobble in cryptocurrencies. Bitcoin and others are on the slide after an astounding boom that in some cases propelled prices a hundred-fold higher in the final few months of 2017. Japanese investors fuelled that run, their often leveraged trading running at 40 per cent of the global total.

As China and South Korea attempt to ban virtual currencies, while questions build over the Taiwanese-based exchange Bitfinex and the cryptocurrency Tether, the future of the boom may depend on whether Ms Yamazaki gets her XEM back.

Yusuke Otsuka, Coincheck's chief operating officer, enjoyed the cryptocurrency boom as much as anybody. At 5pm on Thursday January 25, just hours before the robbery, he was bragging about it. "It's a modern-day gold rush," he told a reporter from the Nikkei business daily. "Cryptocurrency exchanges are already down to 1.5 players. We're top and bitFlyer are about half our size."

Coincheck had a reputation as the simplest, most user-friendly exchange in Japan and the country was going crypto-crazy. Its managers, led by 27-year-old chief executive Koichiro Wada, were becoming very, very rich.

In the early hours of January 26 a different kind of user found Coincheck all too friendly. Like a cat burglar in the dead of night, a hacker penetrated the company's security and found a fortune in XEM sitting in a "hot wallet", a computer connected to the internet. Best practice is to keep cryptocurrency in a "cold wallet", isolated from the network.


There is still no information on the location of the hacker, their identity or how the theft was carried out. But some details are visible in the XEM blockchain. At two minutes past midnight, as if doubting the treasure before their eyes, the hacker sent just 10 XEM, worth about $US10, from Coincheck to their own traceable wallet. Then they plunged in and rifled the digital vault.

Scene of the crime.The building housing the headquarters of Coincheck in Tokyo. Akio Kon

Over the next eight minutes, in six separate transactions, the hacker stole 520m XEM. Valuing the XEM at the relevant market price, around $US1 per coin, it was one of the largest thefts in history, on a level with the capers pulled by bank robbers or art thieves.

Perhaps shocked by their haul, the hacker did nothing for the next couple of hours; or at least there was no movement on the blockchain. At around 3am, the hacker started to send the coins on to other digital wallets, but Coincheck's systems were still wide open. At 3.35am, they took another 1.5m coins. At 4.33am, it was 1m more, then at 8.26am, they helped themselves to the last 800,000. Coincheck was cleaned out.

Business as usual

The vault was empty, but it took time for the bank manager to realise it. Coincheck staff went to work on Friday as usual. But it was 11.25am before they noticed something wrong, starting a desperate scramble as word dripped out and a crowd of investors and journalists began to gather outside their office in Tokyo's trendy Shibuya district.

Late in the evening, almost 24 hours after the hacker struck, an ashen-faced Mr Wada and Mr Otsuka bowed in apology to the TV cameras. "I deeply apologise to the customers we have troubled," Mr Otsuka said.

XEM, pronounced "Zem", is the built-in digital currency of a system called NEM, one of a number of second-generation blockchains, such as Ethereum, designed as a platform for companies to build applications. From less than one US cent in January 2017, the price of XEM had risen more than 10,000 per cent by the time of the hack. Coincheck has vowed to repay the 260,000 affected customers at a rate of 80 cents per XEM — a total of $US422m. The crucial question for investors such as Ms Yamazaki is whether it has the funds to do so.


The company declined to comment on its finances, but based on its trading volumes, rivals estimate that Coincheck may have earned revenues of $US2m-$US3m a day during the cryptocurrency boom, with customer assets in bitcoin and other cryptocurrencies as well as XEM of $US5bn at the time of the hack. The value of those assets will have fallen in line with the cryptocurrency sell-off.

A crucial question is whether Coincheck has large cryptocurrency holdings on its own account. That could give it the reserves needed to pay. It is also common to negotiate with hackers, say rivals, and Coincheck may be able to ransom its coins for a lesser sum in bitcoin or another more usable currency.

The NEM Foundation, which issues XEM, cannot recover the coins. But it has tagged them, like banknotes with serial numbers, so exchanges can tell if the hacker tries to upload stolen coins.

Winners and losers

That highlights the curious nature of the crime. Coincheck and its customers have lost but it is not clear who has gained. "If those XEM are never moved or spent, that decreases the supply and makes the rest of the XEM in the system more scarce and thus more valuable," says Jeff McDonald, NEM Foundation vice-president. "But if a hacker is able to sell them, he can flood the market and sell for cheap. That's the opposite example of high supply and low demand. Time will tell which scenario plays out."

As the broader crypto market slides, the price of XEM dropped to 50 US cents on Friday. For Japan's FSA, humiliated by a hack its regulation was supposed to prevent, Coincheck has exposed the agency's lack of crypto competence, say critics.

"They cannot understand what the token is, the real function of the blockchain, what is the hot wallet, what is the cold wallet. At the beginning of last year their knowledge was very limited," says Ken Kawai, legal adviser to the Japan Cryptocurrency Business Association.

The FSA's instinct now is to crack down. It raided Coincheck yesterday and has warned Japan's remaining 31 exchanges to improve their security. It has also hired external IT experts to conduct inspections and set information security guidelines. Roughly 100 operators who have applied for licences now face a long wait.


Yet the FSA does not want to snuff out an entrepreneurial hotspot. So-called fintech, with cryptocurrencies a prime example, is part of Tokyo's industrial strategy. The aim is to create growth in the country's moribund financial sector.

"When they [the FSA] were considering this regulation, they thought of the entities involved as start-ups, not as big companies. For that reason, they thought the securities law was not suitable: it was too heavy and would kill innovation," says Mr Kawai. "Because of what the FSA did, Japan became the first country in the world to define a crypto exchange business. Now it seems they want to regulate crypto but continue to encourage innovation on blockchain."

But even as the regulator plans its next move, Coincheck ponders extinction and the price of bitcoin falls 40 per cent since the start of the year, Ms Yamazaki and other investors are defiant in their support.

"We are still crazy for crypto," she says checking the prices on her phone. "If I'm worried about anything, it's that Coincheck said they would refund us in yen. That is rude. We want to be paid back in XEM."

Financial Times