Japanese cryptocurrency exchange ZAIF is hacked

Japanese cryptocurrency exchange Zaif announced today that it lost $60 million worth of company and user funds during a security incident that took place last week.

The company said it discovered the hack on Monday, September 17, and confirmed it a day later, when it reached out to authorities and reported the incident.

The Zaif team suspended user deposits and withdrawals earlier today, while its staff make sure the hacker(s) are out of the network for good.

Investigators are still gathering details, but Zaif said the hack took place on September 14, between 17:00 and 19:00 local time, when the attacker siphoned off three types of cryptocurrencies from the company’s “hot wallets.”

A “hot wallet” is a term used to describe cryptocurrency addresses with light security measures where a cryptocurrency exchange keeps funds for immediate transactions, such as cryptocurrency-to-cryptocurrency or cryptocurrency-to-fiat (and vice versa) operations. The opposite of a hot wallet is a cold wallet, where an attacker needs to pass through multiple authentication systems to get access to funds.

Zaif says the hacker stole Bitcoin, Bitcoin Cash, and MonaCoin from its hot wallet, all three worth 6.7 billion Japanese yen (roughly $59.67 million) when combined.

Of the $60 million, $37.8 million were Bitcoin funds (5,966 BTC). Zaif is still investigating the hacked server to determine the exact amount of stolen Bitcoin Cash and MonaCoin.

Of the 6.7 billion stolen yen, 2.2 billion yen (32 percent) were Zaif funds, while 4.5 billion yen were customer funds.

Zaif plans to secure a 5 billion yen loan to pay back affected customers but has not revealed any other details. Earlier this year, Japan’s financial regulator intervened and forced Coincheck to pay back customers after a $530 million 2017 hack.

Zaif is a cryptocurrency exchange established in 2014, based in Osaka, Japan.

Coincheck hacked – US$523M in NEM coins stolen

Hackers have stolen roughly 58 billion yen ($532.60 million) from Tokyo-based cryptocurrency exchange Coincheck, raising questions about security and regulatory protection in the emerging market of digital assets.

What Is NEM?

NEM is a cryptocurrency launched in March 2015 by a team of five developers identifying themselves as Pat, Makoto, Gimre, BloodyRookie and Jaguar. Its acronym stands for New Economy Movement and, like other cryptocurrencies, markets itself as a digital coin outside the control of governments and central banks, which can be used for fast, global transactions.

It is now the tenth largest cryptocurrency, with $9 billion worth of NEMs in circulation, trading at just below $1 per coin.

NEM was launched to rectify the high concentration of wealth that some in the cryptocurrency community believe to be one of the key weaknesses of bitcoin, the world’s most widely known cryptocurrency, whose early adopters have turned into multi-billionaires.

For bitcoin transactions to clear, computers compete to find the solution to a computational problem, which NEM developers say makes the rich richer as those who have money can afford more hardware to solve such problems.

NEM rewards accounts that participate in the economy. The balance of an account, who transacts with that account, and how much it transacts with others are all combined to calculate an account’s importance, based on which transactions are cleared.

How Was Coincheck Hacked?

Many details are still unclear.

Yusuke Otsuka, Coincheck’s chief operating officer, said on Friday that around 523 million NEM coins were sent from a NEM address at Coincheck at around 3 a.m. local time. Over eight hours later, Coincheck noticed an abnormal decrease in the balance.

Coincheck said the NEM coins were stored in a “hot wallet” instead of a “cold wallet.” Company President Koichiro Wada cited technical difficulties and a shortage of staff.

What Is a Hot Wallet?

Hot wallets are connected to the internet and are therefore vulnerable to hacking. Experts warn that holding large sums in hot wallets is the equivalent of carrying large amounts of cash in person.

Cold wallets, such as Trezor and Ledger Nano S, are devices that can be as small as a USB stick and can be stored offline. Some keep them in a safe.

How Are Crypto Exchanges Regulated in Japan?

Japan’s government in April recognized bitcoin as a legally accepted means of payment, and required exchange operators to register with the financial regulator.

The move — which came in the wake of the 2014 collapse of Tokyo-based Mt. Gox, then the world’s largest bitcoin exchange — was designed to protect consumers and clamp down on illegal use of cryptocurrencies. It also formed part of Prime Minister Shinzo Abe’s push to stimulate growth via the fintech sector.

The Financial Services Authority’s requirements for would-be exchanges include robust computer systems and segregation of cash and cryptocurrency accounts, checks on traders’ identities and risk management systems.

As of Jan. 17, the FSA had approved the registration of 16 Japanese cryptocurrency exchanges. A further 16 or so exchanges that were operating before the regulation was introduced — including Coincheck — have been allowed to continue operating on a provisional basis as their applications are assessed.


NiceHash CEO Confirms Bitcoin Theft Worth $78 Million

Cryptocurrency mining marketplace NiceHash has confirmed that yesterday’s hack resulted in the loss of over 4,700 BTC, an amount worth more than $78 million at press-time prices.

In a video update streamed live on Facebook, CEO and co-founder Marko Kobal provided an update to yesterday’s dramatic announcement that the company, founded in 2014, had incurred a hack and subsequent theft. The news followed growing reports of emptied wallets, as well as an extended downtime period for the service’s website.

According to Kobal, the attack began in the early hours of Dec. 6 after an employee’s computer had been compromised. Kobal, who said that the team is working with law enforcement, explained that “we’re still conducting forensic analysis” to determine how it happened.

Over the course of several hours, Kobal said, those behind the theft gained access to their systems, and that at 3:34 am CET began to siphon off funds from the company’s accounts. As reported yesterday, a wallet address circulated by users showed approximately 4,736.42 BTC being held – an amount worth approximately $78.3 million according to CoinDesk’s Bitcoin Price Index (BPI).

As of press time, the funds are still being held in the address in question.

Kobal went on to say he couldn’t provide additional details, though he added that the attack appears to be an “incredibly coordinated and highly sophisticated attack.” He said the company would release additional details on possible recovery methods in the future.

“We are doing everything we can right now. However, this will take time,” Kobal said.

Major Wallet Vulnerability Revealed As User Barely Reclaims 9 BTC

An anonymous Pastebin user claimed to have discovered evidence that some Bitcoin wallet software can generate private keys that can be easily identified and hacked.

The reveal comes after another person made a Reddit post describing how they lost nine BTC due to a transaction error on the Blockchain.info wallet service.

The Pastebin user, however, didn’t reveal the specific wallet software that may be affected, or whether the software vulnerability is intentional or just a simple coding error.

According to the anonymous user, several users of the Blockchain.info platform are already aware of the vulnerability and have ‘played’ with the chain by sending small amounts of Bitcoin to the addresses corresponding to the private keys generated by the malicious software.

“If you peer into the Blockchain, you will find that people have ‘played’ with the chain by sending small amounts of Bitcoins to addresses corresponding to private keys generated using Sha256… It’s quite obvious these were _meant_ to be found. It turns out there are a lot of these addresses. (Keep looking and you will easily find some.) This is nothing new and has been known to the Bitcoin community for a while.”

How the user discovered the malicious software

According to the Pastebin user, he used several pieces of publicly available data on the Blockchain to determine if they could have been used to create wallets. He utilized block hashes for every block since the Genesis Block, Merkle roots from every block, common words and phrases that have been hashed a number of times, and eventually started testing all the Bitcoin addresses.

He also downloaded a complete index of all Bitcoin addresses that were listed publicly on Blockchain and began to discover keys that could have a few bits associated with them. In his experiments, he discovered more than 40 Bitcoin addresses that had been used at various points over the seven years up to November 2017 to send Bitcoin.

The Pastebin user also suspected that some third-party custodial wallet service, such as a gambling site, a mining pool or a straight-up web wallet, could have malicious code in its backend that generates private keys based on public addresses.
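The weakness described above is a private key that equals SHA-256 of a public or guessable string. The following is an added example, not code from the article or from any wallet named in it, that audits a raw 32-byte hex private key against a constructed table of such hashes and shows generation from the OS CSPRNG instead; it assumes the Bitcoin secp256k1 curve and deliberately leaves address derivation out.

```python
# Added example: audit a Bitcoin private key for the "SHA-256 of public data" weakness
# and generate keys properly. Not part of the article; input format is assumed to be
# a 64-hex-character raw private key. No address derivation or chain lookup is done.
import hashlib
import secrets

# Order of the secp256k1 group: a valid private key k must satisfy 1 <= k < SECP256K1_N.
SECP256K1_N = int(
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141", 16
)

# Constructed sample of the kinds of public or guessable inputs the article mentions:
# common phrases and a block hash (the Bitcoin genesis block hash, which is public).
KNOWN_PUBLIC_INPUTS = [
    "correct horse battery staple",
    "password",
    "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f",
]

def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def weak_key_table(inputs, rounds: int = 3) -> dict:
    """Map SHA-256 applied 1..rounds times to each input back to its origin,
    mirroring the 'hashed a number of times' pattern the article describes."""
    table = {}
    for s in inputs:
        digest = s.encode()
        for r in range(1, rounds + 1):
            digest = hashlib.sha256(digest).digest()
            table[digest.hex()] = (s, r)
    return table

def audit_private_key(priv_hex: str, table: dict) -> str:
    """Return 'invalid' (malformed or outside the curve order), 'weak'
    (derivable from a known public input) or 'ok'."""
    if len(priv_hex) != 64:
        return "invalid"
    try:
        k = int(priv_hex, 16)
    except ValueError:
        return "invalid"
    if not 1 <= k < SECP256K1_N:
        return "invalid"
    if priv_hex.lower() in table:
        return "weak"
    return "ok"

def generate_private_key() -> str:
    """Draw 256 bits from the OS CSPRNG; retry the astronomically rare out-of-range case."""
    while True:
        k = secrets.randbits(256)
        if 1 <= k < SECP256K1_N:
            return f"{k:064x}"
```

The audit only compares candidate keys against hashes you already hold; it cannot tell you whether a weak key is funded, which is exactly the lookup a wallet should never need.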

As of press time, the Blockchain.info user has confirmed that the funds have been returned:

“The nine BTC have been returned, the person found my Reddit post & reached out to me this morning. He wants to remain anonymous however he has found an issue with Blockchain.info and is currently working with them to resolve the issue.”

90% of Crypto Mobile Apps In Trouble, Security Report Claims

The vast majority of mobile cryptocurrency wallet apps employ poor security.

Or so claims new research from San Francisco security firm High-Tech Bridge based on an analysis of more than 2,000 apps on Google Play. Of the first 30 crypto apps with up to 100,000 total installations, 93 percent contain at least three “medium-risk” vulnerabilities and 90 percent contain at least two “high-risk” issues.

Among the most-downloaded apps, the numbers are a little better, but not by much. Ninety-four percent of apps with over 500,000 installations contain at least three “medium-risk” vulnerabilities and 77 percent contain at least two high-risk vulnerabilities.

The most common vulnerabilities, according to the analysis, include “insecure data storage,” which means information that should be private can leak unintentionally, and “insufficient cryptography,” which indicates some form of cryptography was implemented to shield data, but was used incorrectly.

In short, this means users might be at risk.

“Depending on the application functionality, design and vulnerabilities, a wide spectrum of nuisances is possible, up to sensitive data and even the wallet (private key) theft,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge.

He added: “Unfortunately, I am not surprised with the outcomes of the research.”

Kolochenko attributes the poor scores to a lack of emphasis on security across mobile development.

“For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of ‘agile’ development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing,” he added.

Users and developers can use the company’s free security analysis tool, Mobile X-Ray, to plug in mobile apps and see the vulnerabilities for themselves.

However, when it comes to securing funds, there’s plenty that can go wrong. The tech firm implies that its own research doesn’t go far enough. Its analysis, for instance, only looks at the frontend of the apps, and there could be other problems in the backend.

The report remarks: “This is just the tip of the iceberg.”