The cryptocurrency space has been hit with another exchange hack. Zaif, a cryptocurrency exchange based in Osaka, Japan, has disclosed that it was hacked two days ago and lost upwards of $60 million in crypto assets. Of the entire 6.7 billion yen stolen, 2.2 billion or 32 percent were Zaif funds. The rest were customer funds.
The hacked funds were both company and user funds. As per their disclosure, Zaif has said that they found out about the security breach on September 17th. They officially reported the incident to authorities the following day.
Following the hack, the exchange quickly banned all deposits and withdrawals. Their staff is said to currently be ‘making sure’ that the hacker is kicked out of their exchange for good, but the heist still came out to a hefty loss. Although the details are still spotty, investigators have said that the hack occurred somewhere between 17:00 and 19:00 local time on Sept 14th. It was during that time that the hacker siphoned off three different types of cryptocurrencies from Zaif’s ‘hot wallet.’
A hot wallet is expected to have lighter security than ‘cold wallets,’ which are stored and left untouched as backup; however, this also means that an exchange should be monitoring its hot wallets because of their vulnerability. It is quite concerning that Zaif did not notice this security breach until days later, especially considering the funds were taken from their hot wallet. Even worse, they waited until the 19th to suspend deposits and withdrawals and made the official announcement about the breach today. The lack of authentication required to access the hot wallet likely made the entire hack easier than it should have been.
About $38 million of the entire $60 million reportedly stolen was Bitcoin, and the Zaif team is still tracking its whereabouts. However, they also said that they have not yet finished counting the amount of Bitcoin Cash and MonaCoin stolen, so it is possible the amount is much higher.
The poor organization demonstrated by the Zaif exchange will likely pique the interest of Japanese regulators, who have become more strict about formally auditing Japanese-based crypto exchanges. Disclosure about security practices is necessary to get a license to run an exchange in Japan, and it seems that Zaif will have some serious issues in explaining themselves. Regulators will likely also pressure Zaif to reimburse customers for damages, similar to how Coincheck was forced by Japanese regulators to pay some $530 million to customers after the 2017 hack they experienced.
Zaif has said that they are planning on securing a 5 billion yen loan to pay back all the affected customers. We’ll see if they keep to their word.