Story image

Coincheck promises £380m refund after massive cryptocurrency breach

30 Jan 18

​Tokyo-based cryptocurrency company Coincheck announced on Sunday that it would refund around £380 million of the virtual money it recently had stolen.

This amounts to almost 90 percent of the 58 billion yen worth of NEM coins the company lost from its roughly 260,000 customers.

CEO of web security company High-Tech Bridge Ilia Kolochenko says both the breach and Coincheck’s actions afterwards are groundbreaking.

"This case is undoubtedly the largest breach in the foggy realm of crypto-currencies,” says Kolochenko.

“Nonetheless, I would certainly refrain from panic: Coincheck's announcement to compensate the victims of the breach is laudable and boosts trust towards digital currencies.”

Coincheck discovered the attack on Friday last week and was forced to suspend withdrawals of all cryptocurrencies except bitcoin.

The company held a press conference on late Friday and disclosed that its NEM coins were stored in a ‘hot wallet’ as opposed to the more secure ‘cold wallet’ outside the Internet.

When asked why, Coincheck president Koichiro Wada pointed to technical difficulties and a lack of sufficient staff capable of dealing with them.

Incident detection in eight hours is also comparatively good timing: many large companies detect similar incidents in a few months. We can clearly see the difference between amateurs operating Mt. Gox in 2014, and well-prepared professionals behind Coincheck,” says Kolochenko.

“It is unclear how the breach took place, but I would not exclude insider activities or a at least an accomplice. Hopefully, a technical investigation will shed some light on the incident.”

Kolochenko says the steady growth and wider adoption of digital coins continuously increases their attractiveness for cybcercriminals.

“Unlike fraudulent bank or PayPal transactions, theft of digital coins is very difficult to trace and virtually impossible to revert,” Kolochenko says.

“Despite persistent lack of qualified personnel and insufficient governmental funding, law enforcement agencies managed to build decent teams and effective processes to detect, investigate and prosecute theft from bank accounts.”

And in spite of the recent and growing spate of attacks involving cryptocurrencies, Kolochenko says proper investigation of incidents is still nascent in most countries.

“Lack of regulation, opaque ownership and decentralization - make digital coins a low hanging fruit for cyber gangs who can easily grow their profits without increasing their efforts. I would expect many similar incidents in 2018, unfortunately,” Kolochenko concludes.

How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
Exclusive: Fileless malware driving uptake of behavioural analytics
Fileless malware often finds its way into organisations via web browsers (or in combination with other vectors such as infected USB drives).
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
It's time to rethink your back-up and recovery strategy
"It is becoming apparent that legacy approaches to backup and recovery may no longer be sufficient for most organisations."