The following is primarily a translation of this blog post.
On September 20, 2018, Tech Bureau sent out a notice that they suspended deposits and withdrawals for three currencies (BTC, MONA, BCH) on the Zaif cryptocurrency exchange due to unauthorized access to its systems. This post is an aggregation of the details of that event.
Press Releases
Tech Bureau
- September 20, 2018 仮想通貨の入出金停止に関するご報告、及び弊社対応について (Regarding the suspension of cryptocurrency deposits/withdrawals and how to contact us about it.)
Incident Timeline
| Time | Event |
|---|
| 2018.09.14 between 17:00-19:00 | Approximately 6.7 billion JPY worth of assets were withdrawn without authorization. |
| 2018.09.17 | Tech Bureau detected an anomaly within the environment. |
| - evening | Tech Bureau suspended withdrawals/deposits for 3 currencies on Zaif. |
| 2018.09.18 | Tech Bureau identified they had suffered a hacking incident. |
| - same day | Tech Bureau reported the incident to the local finance bureau and started filing papers with the authorities. |
| - same day | The official Zaif Twitter account tweeted that customer financial assets are safe. |
| - same day | In accordance with the Payment Services Act, the FSA issued a Request for Report to Tech Bureau. |
| Post-identification | Tech Bureau enters into a contract with Fisco for financial support. |
| Post-identification | Tech Bureau enters into a contract with CAICA for assistance in improving security. |
| 2018.09.20 ~2am | Tech Bureau issues a press release declaring that deposits/withdrawals were suspended due to a hacking operation. |
| - same day | The Japan Cryptocurrency Business Association appealed for a member to perform an emergency inspection. |
| - same day | The FSA sent an on-site inspection crew to Tech Bureau. |
| 2018.09.21 | ETA for the FSA to issue a report on its investigation about the status of customer assets to the cryptocurrency exchange's traders. |
Damage
- Approximately 6.7 billion JPY worth of 3 different currencies were withdrawn externally without authorization.
- Withdrawals and deposits for the 3 affected currencies have been suspended since the evening of 17 September.
Itemization of damages
| Tech Bureau's own assets | ~2.2 billion JPY |
| Customer assets | ~4.5 billion JPY |
- Tech Bureau has shown that they can cover the 4.5b loss of customer assets through financial assistance from the FDAG subsidiary.
- Funds were withdrawn from the server managing the Zaif hot wallet.
- Tech Bureau is still investigating the exact method of intrusion, but it doesn't look like they'll publicly announce it as a protective measure.
Details on the unauthorized transactions
Total (estimated) damages on the 3 currencies
| Currency | Amount transferred | JPY conversion | USD conversion |
|---|
| Bitcoin | 5966 BTC | 4.295 billion JPY | 38.207 million USD |
|
| Monacoin | Under investigation, but sources estimate 6,236,810 MONA | 650 million JPY | 5.782 million USD |
| Bitcoin Cash | Under investigation, but sources estimate 42,327 BCH | 2.019 billion JPY | 17.954 million USD |
Assumed recipient addresses of the hack
work in progress
Disclaimer: I make no guarantees of the accuracy of the above article.
Please see the official press releases and/or PR department at Zaif. I am also not affiliated with Zaif or any of the companies mentioned in this article.