Crypto-thieves stole as much as $550 million dollars of a cryptocurrency known as NEM from Coincheck exchange. The hackers were selling their NEM on the dark web. Now they have successfully laundered all the money.
*Pictures exclusive to DeepDotWeb, courtesy of Jonathan Foster.*
The cryptocurrency world is no stranger to hacks. On Jan 26, Coincheck was hit by the bombshell that it had lost hundreds of millions of dollars of NEM, which had been stored in a low-security “hot wallet” (connected to the Internet), something incredibly careless for an exchange of Coincheck’s size. Most exchanges keep large amounts of funds in “cold wallets” instead, which would have prevented the hack from ever happening. The fact that most of these funds belonged to Coincheck’s customers means this is an astronomical loss, the biggest cryptocurrency heist of all time.
According to Nikkei, South Korean intelligence suggests that the Coincheck hack was likely orchestrated by North Korean hackers, who apparently sent a “malware-laced email” in order to steal the funds. In fact, in the weeks leading up to the hack, there were “suspicious communications” between Coincheck computers and “unidentified servers,” which were almost certainly related to the hack.
The site used to convert the stolen NEM to other cryptocurrencies.
Soon after the enormous theft, the hackers set up an anonymous website on the dark web (shown above), where they sold their stolen NEM for other cryptocurrencies. Through a completely automated system, anyone could quickly purchase the stolen NEM – at a 15% discount. This discount attracted swarms of criminals looking to take advantage to make a quick profit. As a result, the hackers could trade their stolen funds for “clean” money, which would not be linked to the hack. As shown in the picture, only payments in Bitcoin and Litecoin were accepted.
This was to get around the NEM Foundation’s tracking of the money through a feature known as a “mosaic.” Since NEM has a blockchain, all transactions made are visible to everyone, with each individual account identified by a series of letters and numbers known as an “address.” The “mosaic” followed the tainted NEM, and tagged any associated wallets/accounts.
The Foundation also showed exchanges how to recognize a tagged wallet and instructed them to freeze all accounts with tainted NEM.
In addition, Coincheck has promised to pay back about 400 million worth of yen to its customers, although the site remains closed until further notice. It remains to be seen exactly when this will happen.
The website, first advertised on the social media site Reddit, conducted hundreds of transactions, with the hackers receiving currency worth more than $100 million in value. Eventually, the hackers will exchange this to cash, through various anonymous methods. For example, they may use false identification documents to register accounts on peer to peer websites such as LocalBitcoins.
Criminals could even send questions to the hackers if they had any technical difficulties, as shown in the screenshot below. “Support tickets” could be submitted, which were often replied to within a few days. It was quite clear that the hackers were not native English speakers.
The hacker’s reply to a question is shown in the blue box.
The success of the dark web site, which appeared about two weeks after the hack, showed the futility of the tracking measures used. While the hackers had to do more selling their NEM, the non-profit NEM Foundation found it increasingly hard and expensive to track large numbers of transactions.
In fact, the mosaic system was slow, taking 2-3 minutes to tag each individual account. This meant the criminals simply transferred the NEM between several accounts. They then deposited on an exchange, avoiding the blacklist as their accounts had not been tagged yet.
Despite the hackers’ success with the dark web site, the NEM Foundation maintained that its tracking “was effective at reducing the hacker’s ability to liquidate stolen XEM and provided law enforcement with actionable information.”
But by March 21, the NEM Foundation publicly announced that they had “disabled the tracking mosaic.” It was clear that the hackers had no problems circumventing the measure.
The fallout of the hack has been immense. NEM has plummeted around 75% in value, from about $1 to almost $0.25 at current prices.
While this is mainly due to the sheer quantity of stolen NEM that is being sold back onto the market, many investors we spoke to think public perception has become more negative in the wake of recent events, which could have long-term consequences on the coin. Parallels can be drawn to the hack of the DAO of Ethereum, which also caused temporary damage to its reputation.
While the NEM Foundation could implement a hard fork, which would return all the hacked funds, they have refused to do so, reminding the public that the hack was not a problem with NEM, but with the poor security measures of Coincheck.
Coincheck’s reputation has also suffered. Their failure to put in place simple security measures such as multi-signature wallets, which require authorisation from multiple people before a transaction is made, allowed such a hack to happen.
In a surprising twist to the story, just a few days ago the exchanging features on the dark web site have disappeared. This suggests that the hackers have managed to launder all the NEM from the hack.
The website has been replaced entirely by a photoshopped picture of the North Korean leader Kim-Jong-Un, surrounded by piles of cash; a mocking reference to the amount of money this theft has given them. The site only seems to be up to taunt law enforcement.
Only time can tell if justice will catch up with the hackers, but it is clear what the community does in the aftermath of this hack is important.
Japan, a country where NEM is highly popular with investors, immediately took action. Japan’s financial regulator (FSA) gave Coincheck a list of demands known as a “business improvement order,” which include strengthening security measures to prevent future hacks from happening.
Exchanges also now need to register with the authorities in order to keep running. In the last few weeks, 5 Japanese exchanges (for example bit express and Mr Exchange) have failed to meet the FSA’s requirements, and will be closing services.
But questions remain about what will help in the long term, as increasing amount of exchanges, such as Bittrex and Poloniex, are making it compulsory for users to give many forms of ID just to trade.
Is government regulation becoming a necessary evil in the crypto world? Or should we push for pure decentralisation and Satoshi’s principles to the maximum?
What do you think?