The biggest crypto heist in history at the time it occurred in 2018 was an eye-opener for many reasons, not least the way the stolen assets were being stored.

Seasoned crypto enthusiasts and early adopters of the disruptive new technology know now that safely storing your digital assets is half the battle, but it wasn’t always so. Insufficiently secured storage was the norm for almost a decade after Bitcoin’s creation, with many people simply keeping their crypto on centralized exchanges, hot wallets, or even just USB sticks without any password protection.

With the $534M Coincheck hack in January of 2018, security and responsible self-custody of crypto assets quickly became a hot topic of discussion in the media and the crypto community.

You’ll see why.

The Full Story Behind the Coincheck Hack

Coincheck is today one of Japan’s largest crypto exchanges, still trading tens of millions of dollars’ worth of crypto each day, denominated in Japanese Yen (JPY). At the time of the attack, it was the largest crypto exchange in Japan, and the attack represented the largest crypto heist of all time in terms of US dollar amount, surpassing the hack of another Japanese exchange, Mt. Gox.

The incident

At 17:57 UTC on Thursday, January 25th of 2018, an attacker gained access to one of Coincheck’s wallets. The wallet was holding the exchange’s entire supply of 523M NEM tokens (NEM was the 10th-largest cryptocurrency by market cap at the time).

When the attack occurred, the NEM tokens held by the exchange were valued at around $534M. Worse, the tokens were in the custody of the exchange, but most of them actually belonged to the users who were holding or trading NEM tokens on the Coincheck platform.

The attack went unnoticed for nearly 8 and a half hours, until 02:25 UTC on Friday, January 25th, when employees at Coincheck realized the wallet had been drained after users complained about failed transactions involving NEM tokens.

How did the attacker gain access?

The wallet that the tokens were being held in was a low-security “hot wallet”, some examples of which include MetaMask and Phantom. These wallets are convenient for interacting with dApps (decentralized applications) online and storing cryptocurrencies or NFTs for easy access and use. However, they sacrifice security measures to achieve such convenience. Without 2FA (two-factor authentication) enabled, many hot wallets can be accessed with nothing more than the private key (or the 12-24 word seed phrase).

The Coincheck hacker used a phishing scam to install malware on an employee’s computer and obtain the private key to the hot wallet that was holding Coincheck’s NEM token liquidity pool. With that key, the attacker was able to access the wallet and drain it of all funds.

The aftermath

Shortly after the breach was identified, Coincheck disabled all withdrawals from the platform and immediately reported the incident to Japanese financial authorities and police. It was dubbed “the biggest theft in the history of the world” at the time, but that’s no longer the case thanks to subsequent thefts that have happened in the crypto industry, mostly in 2021-2022.

Of course, this event started a widespread discussion at the time about cybersecurity pertaining to blockchain technology and the safe storage of digital assets. Multisig wallets (blockchain wallets that require multiple signers to perform any transaction) already existed and were being used by Coincheck for some of their other assets at the time. Today it would be inconceivable for an exchange or cryptocurrency project to keep any funds in an unsecured hot wallet; it should be inconceivable for you as well.

Coincheck Returning Lost User Funds

Coincheck, still based in Tokyo’s Shibuya district (the same district which the now defunct Mt. Gox exchange once called home), has continued to operate and maintain its spot as one of Japan’s leading crypto exchanges.

In the end, 260,000 users were affected by the Coincheck hack. However, the exchange promised to return the funds using their own capital to all users who were in possession of NEM on the platform at 23:59:59 JST on Jan. 26, 2018.

They were praised for this move, as it was the exact opposite of how Mt. Gox responded to their 2014 attack, which was to declare bankruptcy and begin a long legal process for returning funds, which still hasn’t reached a conclusion in 2022.

Their reimbursement plan was effective from March 12, 2018, and they returned 90% of all funds to users according to the parameters outlined above.

Marin Ivezic

For over 30 years, Marin Ivezic has been protecting critical infrastructure and financial services against cyber, financial crime and regulatory risks posed by complex and emerging technologies.

He held multiple interim CISO and technology leadership roles in Global 2000 companies.