Shock hack of ‘licensed’ Japanese exchange Zaif

Initial reports indicate that Bitcoin, Bitcoin cash and Monacoin was lifted from the Exchange’s hot wallet, and both exchange and user funds were affected.

Zaif has confirmed that 5966 BTC (worth ~34.5 million USD based on BTC’s September 14th price) was lifted, while the total amount of BCH and MONA lost is yet to be calculated.

The exchange is currently working to re-enable deposits and withdrawals on the platform, currently frozen as part of the investigation into the illegal activity.

Zaif advises that it has contacted Japan’s treasury department and Financial Services Authority to report the incident, and a third party, the Kaichi Corporation, have been employed to investigate possible causes and roots of the vulnerability.

In an unexpected twist, Zaif is one of the 16 crypto exchanges which have been issued a license by Japan’s Financial Services Authority. In fact, Zaif was one of the earliest to be approved – achieving its accreditation with the initial batch of 11 in September 2017.

The exchange is also a founding member of the ‘Japanese Virtual Currency Exchange Association‘ established in April this year other members include Bitflyer, Money Partners and Quoine.

The association was formed after incidents such as the Coincheck hack in January, to keep a check on future cavalier operations undertaken by any Japanese crypto exchange.

This incident puts yet another dent in the credibility of crypto exchange regulation within Japan, and how it chooses to reprimand Zaif should be worth observing.

Stolen Bitcoin was mostly customer funds

Zaif’s press release states that of the funds lost, ~67% were user funds, with the rest being company owned funds. This ratio clearly raises concerns about the liquidity management techniques used by Zaif and potentially other exchanges.

Typically, an exchange will take a percentage of customer funds and place them in an asset pool that is used to facilitate transactions.

The analogy in a bricks and mortar retail store context would be the placing of a cash ‘float’ in the cash register at the start of the day to provide change for customer transactions.

From a customer perspective a best case scenario is an exchange that uses its own money to provide the float.

The fact that such a high proportion of customers’ assets were exposed in Zaif hot wallets is surprising, particularly given how vulnerable such wallets are. By comparison, major US exchange Coinbase has previously stated that 98% of customer funds are kept in cold storage.

Zaif has clearly been shaken by the incident and is already making sweeping changes. Its current head of security and other senior management, appear to been made redundant/retired as result of the breach, while power over the Zaif platform and its operations have been handed over to Fisco Ltd, a JASDAQ listed company, which will now become Zaif’s majority shareholder. It is understood that Fisco will provide $5 billion Yen (44.5 million USD) to support the reimbursement of the funds lost as a result of the attack.