The beleaguered Japanese crypto exchange, Bitpoint, is beginning to reveal details of its recent compromise, which occurred on July 12th of this month. It was originally reported that $32 million had disappeared from “Hot Wallets” at the exchange, but this figure has been reduced to $28 million. Of that, $19 million related to customer accounts, and $9 million came from company coffers. Bitpoint president Genki Oda also pledged “to repay victims (in cryptocurrency) once standard trade resumes”.
The tokens stolen were primarily the “majors”, including 1,225 Bitcoin, 1,985 Bitcoin Cash, 11,169 Ether, 5,108 Litecoin, and 28 million Ripple, the five cryptos that the exchange supported. In a Tokyo press conference, Oda noted that roughly 55,000 client accounts had been compromised. The criminals had targeted only “Hot Wallets”, a recurring theme that professional hacking gangs seem to employ at will. There was no indication of who the perpetrator might be, but speculation may follow previous storylines that point the finger at nefarious groups working on behalf of the North Korean government.
Japanese and South Korean crypto exchanges have been favored targets of these organized hacking gangs. The current estimate of hacking losses in Japan, from Mt. Gox up to the present and including Coincheck’s $520 million loss in January of 2018, has been put at more than $1 billion. That prompted the Financial Services Agency (FSA), the regulatory watchdog of Japan, to institute a rather arduous re-registration process for all existing and potentially new crypto exchanges.
The FSA process was two-fold. Phase I required roughly four months, during which an exchange completed lengthy questionnaires and received onsite visits from auditors, who verified in person its policies regarding its business plan, governance, cybersecurity, management system, and anti-money laundering (AML) and counter-terrorist financing. A two-month review process followed in which the FSA staff would make a decision and offer recommendations.
By mid-2018, the FSA, as a result of its onsite investigations, issued improvement orders to six exchanges that were already operating with a license in Japan “to reform their business practices”. Bitpoint was one of these notified firms. The FSA’s primary concerns with the firm had to do with its Anti-Money Laundering and Know Your Customer requirements, but it also noted that “Customer funds were not being kept sufficiently separate from those of the exchanges”.
According to an early report:
Bitpoint halted all services including trading, deposit and withdrawal of all crypto assets on Friday morning after it noticed an irregular withdrawal from its hot wallet on Thursday.
The firm’s belief at this stage is that the breach occurred due to unauthorized access to the private keys of its hot wallets. It plans to move all remaining customer funds to cold wallets, which have not been breached. After the theft was announced, the firm’s parent company, Remixpoint Inc., which is traded on the Tokyo Stock Exchange, saw its shares drop 19% before trading was suspended.
It was also estimated that the losses represented 13% of all customer amounts. The reduction from $32 million to $28 million in losses followed the fortunate discovery of missing funds on other global exchanges that were using Bitpoint software. The firm is monitoring the situation and will not resume services until a comprehensive review of all security measures has been completed. The exchange is also cooperating fully with the Japan Virtual Currency Exchange Association (JVCEA), a self-regulatory crypto exchange association that was formed in March of last year at the behest of the FSA.