On September 20th, Tech Bureau Corporation, the owners of Zaif, released a statement acknowledging that the exchange’s hot wallets were compromised and $60m had been stolen.
Prior to the hack, Zaif was a top 25 exchange by volume according to Coinmarketcap.com, and in March of this year was ordered to improve its operations or face severe penalties.
No fines or penalties were ever issued.
Of the $60m stolen, roughly $20m of the coins belonged to the exchange, which means about $40m of customer deposits were taken in the theft.
The exact breakdown of what was stolen has still not been released, but we do know that 5,966 Bitcoins were stolen (~$40m), leaving $20m between Mona Coin and Bitcoin Cash still unaccounted for.
The method the hacker used to gain access to the three separate hot wallets may not be public information for some time, but it reflects poorly on Zaif’s security protocols.
A single compromised hot wallet could be a one-time phishing scam or security bug. However, three separate hot wallet hacks indicate a systemic lack of robust security, the blame for which falls squarely on Tech Bureau.
Further adding to the concern is that Zaif was one of 16 government-licensed exchanges in Japan, a distinction that supposedly implies Zaif passed stringent security and AML tests.
This hack calls into question the competence of the FSA (the Japanese government body regulating crypto exchanges) at vetting exchanges' security practices.
In an effort to cover lost customer assets, Tech Bureau Corp has announced they intend to sell off the majority of the exchange to Fisco Digital Asset Group in exchange for $44.5m. Exact charges or penalties at this stage are unknown, but executives at Tech Bureau have announced they will be stepping down.
The two plan to host shareholder meetings in late October to vote on the proposed deal before the transfer is executed on November 22nd.
“We decline to comment on the details of how this illegal access occurred, as it is a crime and we’ve already asked the authorities to investigate,” Tech Bureau said in a statement.
It is still unknown if customers will be made whole, but the expectation seems to be that the entire $44.5m investment from Fisco will be used to refund customer deposits. However, since nothing is likely to be paid out until the investigation by Japanese police is complete, customers may have to wait months to receive any form of settlement money.
Zaif customers should consider themselves lucky since they have a chance of being repaid eventually. Yet, customers will still have to manage uncertainty for quite some time. This hack serves as another reminder to not leave your assets unprotected.