Zaif Exchange Hack — September 14, 2018
What Happened
Hackers stole approximately $60M in BTC, Monacoin, and Bitcoin Cash from Japanese cryptocurrency exchange Zaif (operated by Tech Bureau) over a 2-hour window on September 14, 2018. The breach was not detected until September 17 due to a server error.
Stolen Assets
5,966 BTC (the largest portion)
• Undisclosed amounts of Monacoin and Bitcoin Cash
• Total value: ~JPY 6.7B (~$60M at the time)
Loss Allocation
• ~JPY 2.2B (~$20M): Zaif/Tech Bureau company-owned funds
• ~JPY 4.5B (~$40M): Customer-owned funds in hot wallets
Technical Detail
• Hot wallet compromise (specific attack vector not publicly disclosed)
• Tech Bureau had previously been issued a business improvement order in March 2018 by Japan's FSA after a separate February glitch that briefly let users buy BTC for free
• Indicates pre-existing security controls deficiency
Company Response
• Tech Bureau enlisted investment group Fisco to cover customer losses
• Fisco provided JPY 5B (~$45M) in exchange for majority ownership of Tech Bureau
• All affected user balances eventually reimbursed
• Tech Bureau wound down Zaif operations
• Japan's Financial Services Agency tightened registration & audit requirements for crypto exchanges as a result
Significance
• One of the major Japanese exchange hacks following Mt.Gox (2014) and Coincheck (Jan 2018, $530M)
• Drove Japan to become one of the strictest crypto regulatory jurisdictions
• Showed pattern of weak hot wallet security at early Asian exchanges
References