Yesterday, on January 26, CoinCheck executives officially stated in a press conference that $530 million worth of XEM, the native cryptocurrency of the NEM network, was stolen by an unknown group of hackers.
During the press conference, CoinCheck executives revealed several details about the hack and specifically the infrastructure of the CoinCheck cryptocurrency exchange. Yuji Nakamura, a technology reporter based in Japan, reported that the CoinCheck trading platform had not implemented multi-signature technology, stored all of the hacked funds in a hot wallet, and that the developers of CoinCheck are still not sure how the exchange was hacked.
Most major cryptocurrency exchanges such as Kraken, Coinbase, and Bitfinex have multi-signature security measures in place, which prevent funds from being processed on public blockchain networks until a third party security service provider confirm the legitimacy of transactions.
For instance, Kraken and Bitstamp have partnered with BitGo, the largest multi-signature technology and blockchain security firm in the industry, to ensure that hackers cannot withdraw funds from their platforms.
The lack of a multi-signature service is a critical security flaw for any cryptocurrency exchange. If multi-signature technology was integrated, the $530 million security breach could have been prevented.
In addition to not having implemented multi-signature security measures, CoinCheck kept all of its funds in a hot wallet. In cryptocurrency, a hot wallet is defined as a wallet that is connected to the Internet, while a cold wallet is described as a wallet which is stored offline. For large sums of user funds, cryptocurrency exchanges usually store cryptocurrencies in cold storage, to ensure that even in an event of a hacking attack, hackers cannot access user funds.
The malpractice of CoinCheck of storing funds in a hot wallet and not implementing a multi-signature system ultimately led to the loss of $530 million in user funds.
Throughout the press conference, CoinCheck executives and its CEO refused to admit that the exchange was not secure, despite the obvious weaknesses in its infrastructure. Nakamura noted:
It was also revealed that CoinCheck had not filed with the Japanese Financial Services Agency (FSA) because it was confident in its security measures. Yet, the CoinCheck development team is yet to understand how the trading platform was hacked.
If the method of a security breach cannot be unraveled, the exchanges cannot possibly add necessary improvements to prevent similar attacks from happening in the future.
Given the poor and weak infrastructure of CoinCheck, a large-scale hacking attack was inevitable. Developers of the company are likely relieved that other cryptocurrencies on the trading platform such as Ripple or bitcoin were not affected.
As a general rule of cryptocurrency investment, it is extremely insecure to leave funds on centralized platforms. The most secure way of storing cryptocurrencies is to leave them on non-custodial platforms, wherein users have absolute control over their private keys.
Featured image from Shutterstock.