On July 12, 2019, Tokyo-headquartered cryptocurrency exchange Bitpoint promptly suspended its services after noticing an error in the outgoing funds transfer system. Soon, an official announcement followed, revealing that the trading platform had lost around 3.5 billion yen (roughly $32 million) as a result of a security breach. The exchange’s administration has managed to find a portion of the missing funds since the initial announcement was published. Nevertheless, the security breach seems to continue the streak of hacks targeting Japan-based exchanges.
Details of the hack
According to the breakdown of the hack published by Bitpoint’s parent firm, Remixpoint Inc., Bitcoin (BTC) accounted for the highest share of total losses. The total amount of stolen BTC (1,225) is worth over 15 billion yen (just over $138 million). Further, over 28 million XRP (10 billion yen, or $92 million) and 11,169 ETH (3.3 billion yen, or $30 million were taken away by the hackers. Additionally, the fraudsters stole 1,985 Bitcoin Cash (BCH) and 5,108 Litecoin (LTC), worth 1,2 billion yen, or $11 million.
The breach occurred due to unauthorized access to the private keys of its hot wallet, Remixpoint Inc. indicated in the document. Bloomberg has reported that shares of the company shed 19% after the news of the incident surfaced and became untraded in Tokyo at some point due to what the publication called “a glut of sell orders.”
Later, on July 14, local English-language publication The Mainichi reported that Bitpoint has discovered over 250 million yen (around $2.3 million) in cryptocurrency on overseas exchanges that were using a trading system provided by Bitpoint Japan. The exchange’s spokesperson reportedly told The Mainichi that the recent discovery brings the total sum of lost founds down from 3.5 billion yen (about $32 million) to 3.02 billion yen (approximately $28 million).
Genki Oda, founder and CEO of Bitpoint, told Cointelegraph that his platform is going to compensate its users, although without mentioning any specific time frame. Additionally, Oda said it was in touch with fellow exchanges Binance and Huobi regarding the freezing of stolen funds that have allegedly ended up in their wallets following the security breach. Such collaboration with other trading platforms is a common method of mitigating cryptocurrency hacks, as it prevents fraudsters from cashing-in on their loot. “If you know other way for locking or getting back the hacked crypto, please let us know the ways,” Oda added.
Moreover, Bitpont has announced it is going to compensate customers in cryptocurrencies rather than in their equivalent fiat value.
The FSA and Japan’s regulatory regime
Although Japan is one of the very few countries where cryptocurrencies can be used as legally accepted means of payment, the Japanese Financial Services Agency (FSA) — the country’s financial watchdog — has been noticeably nervous ever since the infamous Coincheck and Mt. Gox hacks. Since the amendment of Japan’s Payment Services Act in April 2017, all crypto exchanges in the country are required to register with the FSA.
Notably, Bitpoint was one of the approximately 16 local exchanges that has been licensed by the regulator as a result of its rigorous inspections of industry players, which include on-site inspections. According to Nikkei Asian Review, Bitpoint received an operational improvement order from the FSA last year, as the regulators concluded that “its internal controls were flawed,” but it was lifted at the end of last month — just two weeks before the hack occurred.
Koji Higashi, a Japanese market analyst and the founder of Koinup, told Cointelegraph that the FSA’s scrutiny does not necessarily ensure that its subjects have stronger protection in place. Conversely, it could lead to a reduction in safety, Higashi continued:
“I don't think it's a reasonable assumption that being regulated by the FSA closely ensures safety of exchanges. After two major hack incidents that took place in Japan, the FSA tightened the enforcement significantly to prevent any more hacks, but they are by no means security experts. Also, as far as I understand, their main focus seemed to be more on KYC/AML. In some situations, I have heard before that their scrutiny is the reason to put pressure on exchanges financially and lose its focus on security.”
Maurizio Raffone, CEO at Tokyo-based Finetiq Ltd., sees these hacks “as teething problems for a developing market.” He told Cointelegraph:
“Japan’s cryptocurrency exchanges are suffering from their own success as volumes are strong and attract the unwanted attention of cyber attacks. The FSA is actively reviewing the exchange’s operations, issuing improvement orders and so forth but there will always be human error, particularly in an industry that has grown so much, so quickly.”
Jeff Wentworth, co-founder of Curvegrid, another blockchain startup based in Tokyo, seems to agree with that statement, stressing that the hacking problem is not exclusive to Japan:
“I don’t think any country has been immune to financial system hacks, including crypto exchange hacks. Japan is probably seen to be more targeted because it has a larger number of well-capitalized crypto/fiat exchanges versus other jurisdictions.”
Some experts believe the FSA might strengthen its regulation even further as a result of the hack. Wentworth told Cointelegraph:
“I’m sure there will be additional regulatory scrutiny which could lead to tighter requirements for getting licensed. The FSA has shown itself to be both fairly pro-active and fairly fluent in cryptocurrency, so it might just mean an acceleration of already in-flight measures. Computer security is hard, and just as traditional banks will continue to battle hackers, so will crypto exchanges.”
Higashi, on the other hand, is not certain it could be the case, saying:
“According to this website which tracks and compares BTC stock trading volume in Japan, Bitpoint ranks just 7th and their reported BTC trading share is just 2.5% in June. From that standpoint, this incident was minor compared to the Coincheck and Zaif hacks and thus it's possible that the incident may have a minimal impact on the regulation.”
As for now, it seems safe to assume that the level of the FSA’s scrutiny does not necessarily correlate with the safety of the exchanges it oversees. Nevertheless, this year has seen an unprecedented amount of security breaches in the crypto space, which means that some proactive steps should be taken by both players and participants.