The Crypto Heist in Japan: Regulator’s Dilemma, Consumer’s Detriment

One of Japan’s largest cryptocurrency exchanges, Coincheck,[1] reported a hack on January 26, with losses amounting to around USD 534 million (58 billion Yen) worth of the cryptocurrency XEM. Dubbed one of the largest cryptocurrency heists to date, it has exposed the under-preparedness of regulators in curbing hi-tech crimes and safeguarding consumers from such untoward incidents. The heist is also a major blow to Japanese aspirations to boost economic growth by harnessing innovations in the next generation of Financial Technology (Fintech). In a clear departure from the conservative approach adopted by other countries on cryptocurrencies, Japan has the early mover advantage of providing a conducive environment for the growth of cryptocurrencies as a niche market.

In 2017, the Japanese Financial Services Agency (JFSA) had granted approval for 16 cryptocurrency exchanges to operate in the country. Japan became the first country in the world to recognize Bitcoin as legal tender. Amendments to Japan’s Bank Act and the Payment Services Act[2] in 2016 legitimised the use of cryptocurrencies as payment instruments for both goods and services. In a setback, the heist of January 26 has victimised 260,000 Coincheck customers. Further, it has refreshed the dreadful memories of the 2014 hack on the Tokyo-based Mt Gox exchange (losses estimated at USD 474 million at that time),[3] which had pushed the world’s largest Bitcoin exchange into bankruptcy. Despite rigorous regulatory requirements and oversight, Japan has fallen victim to another major cryptocurrency hacking incident.

With the amendments to domestic laws, JFSA was tasked to be the regulator and the exchanges were required to obtain a license to conduct business.[4] They also formed the legal basis to impose stringent consumer protection requirements, audits, compliance and adherence to information security practices and the prevention of money laundering.[5] As per the new regulations and legal framework, the operators of cryptocurrency exchanges are also obliged to verify the identity of the customers.[6] The registration process places several requirements on the companies, such as building strong information and cyber security practices and verifying the identity of users to prevent money laundering. These regulations are intended to protect investors from fraud and other abuses, while at the same time supporting Fintech innovation.

The JFSA, like its global counterparts, is walking a tightrope between the imperative of protecting the legitimate interests of consumers and the need to support innovations in Fintech for the next generation of economic growth. Cryptocurrencies are broadly seen as a disruptive innovation in the banking and financial services domain, and they have gained significant traction over the last half decade. Blockchain, as the underlying technology, has advanced significantly and governments and their regulatory bodies have been brainstorming for measures to either regulate the cryptocurrencies or to just let them proliferate without regulation and interference. The alleged use of cryptocurrencies in terror financing, ransomware (such as WannaCry), illicit drugs or arms trade and cybercrime has also raised serious concerns among the security and law enforcement agencies.[7] Anonymity as well as lack of controls or authority have also led to their quick absorption into the grey and black markets, and other illicit activities of crime and money laundering. For instance, traders and consumers at the infamous marketplace “Silk Road” on the DarkWeb accept and make payments in Bitcoins against the sale and purchase of narcotics, hacking tools, small arms, child pornography, stolen credit card information, and so forth. Cryptocurrencies are also unregulated and uncontrolled, making them a lucrative option for tax evasion. These concerns, along with the possibilities of cryptocurrencies being used for terror financing, dissuade states from legitimizing cryptocurrencies as legal tender or instruments for payments.

Consumers of cryptocurrencies are extremely prone to risks, particularly with their virtual wallets and stored keys, or even to theft and irregularities (financial or security) at the exchanges. They can simply lose their holdings in the case of loss of the private encryption key or the storage device/hardware containing the wallet or even due to a theft or hack at any of the stages. The infamous Mt Gox incident has been followed by numerous other cases. Attackers moved about USD 60 million worth of Ether from the account of Decentralized Autonomous Organization (DAO) in June 2016;[8] a breach at Bithumb, South Korea’s largest Bitcoin and Ethereum exchange, led to a loss of some USD 1 million worth of cryptocurrencies in June 2017;[9] and hackers hijacked the cryptocurrency trading platform CoinDash in the middle of its initial coin offering and stole USD seven million in July 2017.[10] In the entire security ring, wallets and exchanges are apparently the weakest link, on which attackers focus their energy and resources. Even in the case of Coincheck, the hackers targeted the hot wallets of customers, and stole around 520 million units of XEM within eight minutes in six separate transactions.

The Coincheck incident has exposed two major shortcomings, one being the regulatory bodies’ lack of competence to implement requirements and the other being their limitations in investigating and identifying the perpetrators. In Japan, 16 virtual currency exchanges have the JFSA approval to operate, and Coincheck was not one of them. The exchange was declined approval due to security concerns. Some of the exchanges have already shut down their operations after the amendments to the law came into effect; however, the existing exchanges had a window of six months to register their respective businesses. Cryptocurrencies are a technical subject, and technical competence is a prerequisite for the effective implementation of the regulations, as well as for investigating crimes. Most of the technical competence lies with the private sector, which is leading innovation in this segment. This also leaves a technological void in the regulatory bodies, which are grappling with the advancing Fintech.

Also, cryptocurrencies are decentralised, which means that there is no single authority for mediation or resolving disputes, unlike in the case of the banking system. The transactions in Blockchain are also irreversible and there are hardly any safeguards for consumers against fraudulent activities, leaving a sense of uncertainty over consumer protection and dispute settlement mechanisms. There is little that regulatory bodies can do in this regard, as this is an architectural requisite of Blockchain-based cryptocurrencies. The underlying technology ensures anonymity for users, and technically it is next to impossible for investigating agencies to establish the identity of the transacting parties from the public ledger. Moreover, given the transnational nature of such crimes and frauds, it is equally difficult to prosecute the perpetrators and bring them to justice in accordance with domestic laws.

A combination of all the above factors poses practical challenges for the JFSA. First, in terms of implementation of the requirements laid down by law and ensuring compliance. Then, to secure the interests of consumers who have already lost their holdings in XEM. And most difficult of all, the FSA, and for that matter other regulatory bodies across the globe, have limited technical competence to not just execute their day-to-day functions in non-traditional financial systems, but also to investigate frauds and heists. This is another jolt to Japan’s aspirations to assume leadership in Fintech and harness the benefits of technology for both consumers and the economy, without stifling innovation. The dexterity with which Japan handles this case and the follow-up measures it adopts will strongly influence other countries to either liberalise the use of cryptocurrencies or strictly forbid them in the interest of consumers, law enforcement and national security.

Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.

Keywords: Cryptology, Cyber Security