The following is primarily a translation of this blog post.
On September 20, 2018, Tech Bureau sent out a notice that they suspended deposits and withdrawals for three currencies (BTC, MONA, BCH) on the Zaif cryptocurrency exchange due to unauthorized access to its systems. This post is an aggregation of the details of that event.
- September 20, 2018 仮想通貨の入出金停止に関するご報告、及び弊社対応について (Regarding the suspension of cryptocurrency deposits/withdrawals and how to contact us about it.)
|2018.09.14 between 17:00-19:00||Approximately 6.7 billion JPY worth of assets were withdrawn without authorization.|
|2018.09.17||Tech Bureau detected an anomaly within the environment.|
|- evening||Tech Bureau suspended withdrawals/deposits for 3 currencies on Zaif.|
|2018.09.18||Tech Bureau identified they had suffered a hacking incident.|
|- same day||Tech Bureau reported the incident to the local finance bureau and started filing papers with the authorities.|
|- same day||The official Zaif Twitter account tweeted that customer financial assets are safe.|
|- same day||In accordance with the Payment Services Act, the FSA issued a Request for Report to Tech Bureau.|
|Post-identification||Tech Bureau enters into a contract with Fisco for financial support.|
|Post-identification||Tech Bureau enters into a contract with CAICA for assistance in improving security.|
|2018.09.20 ~2am||Tech Bureau issues a press release declaring that deposits/withdrawals were suspended due to a hacking operation.|
|- same day||The Japan Cryptocurrency Business Association appealed for a member to perform an emergency inspection.|
|- same day||The FSA sent an on-site inspection crew to Tech Bureau.|
|2018.09.21||ETA for the FSA to issue a report on its investigation about the status of customer assets to the cryptocurrency exchange's traders.|
- Approximately 6.7 billion JPY worth of 3 different currencies were withdrawn externally without authorization.
- Withdrawals and deposits for the 3 affected currencies have been suspended since the evening of 17 September.
- Withdrawals/deposits are still possible on other coins.
Itemization of damages
|Tech Bureau's own assets||~2.2 billion JPY|
|Customer assets||~4.5 billion JPY|
- Tech Bureau has shown that they can cover the 4.5b loss of customer assets through financial assistance from the FDAG subsidiary.
Information around the Zaif hack itself
- Funds were withdrawn from the server managing the Zaif hot wallet.
- Tech Bureau is still investigating the exact method of intrusion, but it doesn't look like they'll publicly announce it as a protective measure.
Details on the unauthorized transactions
Total (estimated) damages on the 3 currencies
|Currency||Amount transferred||JPY conversion||USD conversion|
|Bitcoin||5966 BTC||4.295 billion JPY||38.207 million USD|
|Monacoin||Under investigation, but sources estimate 6,236,810 MONA||650 million JPY||5.782 million USD|
|Bitcoin Cash||Under investigation, but sources estimate 42,327 BCH||2.019 billion JPY||17.954 million USD|
Assumed recipient addresses of the hack
|Currency||Address||Time of transaction|
|Bitcoin||1FmwHh6pgkf4meCMoqo8fHH3GNRF571f9w||2018.09.14, between 17:33:27 and 18:42:30|
|Bitcoin Cash||qrn0jwaq3at5hhxsne8gmg5uemudl57r05pdzu2nyd||2018.09.14, between 17:33:15 and 17:51:24|
|Monacoin||MBEYH8JuAHynTA7unLjon7p7im2U9JbitV||2018.09.14, between 17:39:01 and 18:54:10|
- A source points out a portion of the Bitcoin were sent to an address owned by Binance (exchange).
- As can be seen from Tech Bureau's address, Bitcoin was sent from 1726 accounts to 1 account.
- Tech Bureau informants have confirmed that this transaction is related to the hack in the press release.
- The hacker appears to have used a mixing service for the pooled Bitcoin. (匿名化サービス悪用、追跡困難か Ｚａｉｆ仮想通貨流出,朝日新聞,2018年9月20日)
- The stolen Monacoin (62,389,425 Mona) amounts to about 10% of all mined coins.
- The Bitcoin Cash appears to have been transferred to yet another address (qpyh6tw42h5pyl84py4c3ukqamsz0ucyly04nyz8u7) at around 8:10pm.
work in progress
Disclaimer: I make no guarantees of the accuracy of the above article.
Please see the official press releases and/or PR department at Zaif. I am also not affiliated with Zaif or any of the companies mentioned in this article.