MONOLITH LAW MAGAZINE

Importance of Security Measures for Crypto Assets: Lessons Learned from Cryptocurrency Outflow Incidents in Japan

It is important to take sufficient security measures to ensure safe transactions related to crypto assets. From a service user’s perspective, using crypto-asset services that lack such measures is a concern.

In this article, we will present security measures for businesses that offer crypto-asset services, focusing on those measures relevant to crypto-assets.

Importance of Security Measures for Crypto Assets (Virtual Currencies)

It is extremely important for businesses that provide services related to crypto assets to take security measures.

For example, if a system failure occurs due to a cyber attack by hackers, etc., transactions related to crypto assets will be disabled, which will have a serious impact on crypto asset transactions made by service users.

In addition, depending on the content of the service related to crypto assets, the operator may manage the crypto assets of users. If it does not take sufficient security measures, the users’ crypto assets may be leaked due to cyber attacks.

Furthermore, since crypto assets are traded over the Internet, they are traded across national borders. If crypto assets are leaked across national borders, they may be difficult to trace.

Therefore, as a provider of services related to crypto assets, it is important to protect users by ensuring the security of services and to avoid liability for damages to users by protecting systems from cyber attacks. For these reasons, security measures for crypto assets are extremely important.

Security Measures for Preventing Cryptocurrency Outflow Incidents

There have been many virtual currency outflows in the past.

The virtual currency outflows show how important it is to take security measures for virtual currency.

The following are three examples of leakage cases that actually happened in Japan.

Coincheck Co. Ltd. Crypto Asset Leakage Incident (January 2018)

On January 26, 2018, there was a cryptocurrency leak at Coincheck Inc.

In the incident, NEM, a cryptocurrency asset managed by users of the service, was leaked from the Coincheck system through hacking. Coincheck Co., Ltd. operates the cryptocurrency exchange from which the NEM was leaked.

The incident was widely reported because of the scale of the damage, which was estimated to be around 58 billion yen (about 4 billion dollars). The Coincheck Inc. virtual currency leak became a major topic of conversation not only in Japan but also overseas.

The Coincheck Inc. virtual currency outflow incident is reported to have been caused by Coincheck’s weak security measures.

Coincheck’s use of a hot wallet, which is connected to the internet, resulted in the leak of approximately 58 billion yen (NEM) within just 20 minutes.

As a security precaution, a “cold wallet”, meaning a wallet that is not connected to the internet, is commonly recommended as the preferred option.

Coincheck Co., Ltd. compensated its users but subsequently faced administrative sanctions such as report collection, business improvement orders, and on-site inspections from the Financial Services Agency.

Cryptocurrency outflow incident by Tech Bureau, Inc. (September 2018)

On September 14, 2018, Tech Bureau, Inc. experienced a cryptocurrency leak.

The incident involved unauthorized access by external parties to Zaif, a crypto asset exchange managed by Tech Bureau, Inc., resulting in the leakage of approximately 7 billion yen worth of crypto assets.

Of the total amount, around 4.5 billion yen was in the form of crypto assets belonging to the service users.

In the Tech Bureau, Inc. crypto-asset leak case, the crypto-assets were stored in hot wallets, which are internet-connected wallets, as was the case with the crypto-assets leaked from Coincheck, Inc.

Tech Bureau Co., Ltd. was issued three business improvement orders by the Financial Services Agency in response to the cryptocurrency leak issue.

In November 2018, Tech Bureau, Inc. became the first crypto asset exchange service provider to abolish its crypto asset exchange business by transferring its “Zaif” crypto asset trading business.

Bitpoint Japan Co., Ltd. Cryptocurrency Outflow Incident (July 2019)

On July 11, 2019, Bitpoint Japan Co., Ltd. experienced a crypto asset leak.

A breach occurred at Bitpoint Japan Co., Ltd.’s crypto asset exchange, resulting in the leakage of approximately 3.5 billion yen worth of crypto assets.

Of this amount, approximately 2 billion yen belonged to service users.

In the Bitpoint Japan Co., Ltd. case, a portion of the crypto assets was stored in a hot wallet, that is, a wallet connected to the internet, as in the aforementioned crypto asset leak incidents.

BITPOINT has compensated the users of its service affected by the leak for approximately 2 billion yen worth of crypto assets.

Security Measures Overview

As the aforementioned virtual currency outflows show, once a virtual currency outflow occurs, the damage and impact are enormous. In addition to compensation for virtual currency outflows, there is also the issue of reputational risk.

To avoid such issues, it is crucial to implement adequate security measures.

Article 13 of the “Cabinet Office Ordinance on Crypto Asset Exchange Service Providers” states the following.

Article 13 Cryptoasset exchange service providers must take measures to ensure sufficient control of the electronic data processing system handling the cryptoasset exchange services, in accordance with the details and means of its cryptoasset exchange services.

Furthermore, the Financial Services Agency has released “Volume 3 Financial Business Operators,” which outlines specific regulations for 16 crypto asset exchange companies starting on page 59.

(5) Cyber security management
① With regard to cybersecurity, does the board of directors, etc., recognize the importance of cybersecurity and develop necessary systems in light of the increasing sophistication of cyberattacks?
② With regard to cyber security, in addition to developing an organizational structure and internal rules, are efforts being made to develop the following cyber security management systems?
・Cyber-attack monitoring system
・Report and public relations system in the event of a cyber attack
・Emergency response/early warning system such as CSIRT (Computer Security Incident Response Team) within the organization
・Information collection and sharing system through information sharing organizations
③ In preparation for cyberattacks, is a multi-layered defense system in place that combines multiple levels of cybersecurity measures according to risk, such as entrance measures, internal measures, and exit measures?
・Entrance measures (e.g., installation of firewalls, introduction of anti-virus software, introduction of intrusion detection systems/intrusion prevention systems, etc.)
・Internal measures (e.g., proper management of privileged IDs and passwords, deletion of unnecessary IDs, execution monitoring of specific commands, ensuring security between production system servers (packet filters and communication encryption), separation of the development (test) environment network from the production system environment, separation of network segments according to the purpose of use, etc.)
・Exit measures (e.g., acquisition/analysis of communication logs, event logs, etc., detection/blocking of inappropriate communications, etc.)
④ In the event of a cyber-attack, is there a system in place to quickly implement the following measures in order to prevent the spread of damage?
・Identifying and blocking the attack source IP address
・A function that automatically distributes access in response to DDoS attacks
・Suspension of all or part of the system, etc.
Also, do you have procedures for post-investigation (forensic investigation) to confirm the scope of impact and investigate the cause, such as saving logs and obtaining image copies?
⑤ Are procedures for regularly collecting, analyzing, and responding to vulnerability/threat information clearly defined and systematically implemented?
Also, regarding system vulnerabilities, are necessary measures taken in a timely manner, such as OS updates and application of security patches?
⑥ Regarding cyber security, do you regularly evaluate the security level and strive to improve security measures by utilizing security diagnosis (vulnerability diagnosis, source code diagnosis, penetration test, etc.) by a third party (external organization)?
Also, if a cybersecurity breach incident occurs in Japan or overseas, are risk assessments being conducted appropriately?
⑦ When conducting non-face-to-face transactions using communication means such as the Internet, have you introduced the following appropriate authentication methods according to the risks involved?
・An authentication method that does not rely solely on fixed IDs and passwords, such as variable passwords and electronic certificates.
・Transaction authentication through multiple channels, such as using devices other than PCs and smartphones used for transactions
・Adoption of transaction passwords separate from login passwords, etc.
⑧ When conducting non-face-to-face transactions using communication means such as the Internet, are the following anti-fraud measures taken according to the type of industry?
・Block communication from unauthorized IP addresses
・Measures to encourage the installation or update of security software that detects and removes viruses, etc.
・Establishment of a system to detect unauthorized logins, abnormal transactions, etc., and promptly notify users
・Screen display of the last login (logoff) date and time, etc.
⑨ Are emergency response plans for cyber-attacks formulated, trained, and reviewed? Also, do you participate in cross-industry exercises where appropriate?
⑩ Does the institution formulate and implement a plan for developing and expanding cybersecurity-related human resources?

Cryptocurrency exchange service providers are required to adhere to specific and detailed security measures. As such, it is crucial to review the laws and regulations pertaining to crypto assets, as well as the guidelines established by the Financial Services Agency, to ensure that the appropriate security measures are in place.

Virtual currency exchanges are subject to various regulations in addition to safety measures.

Overview: Talk to a lawyer about legal issues related to blockchain games

We have presented security measures pertaining to crypto-assets for businesses offering services related to crypto-assets.

To ensure adequate security for crypto assets, it is essential to establish an organization capable of implementing robust security measures.

Businesses considering security measures for their crypto assets should seek advice from a lawyer who is knowledgeable in both IT and legal fields. They should then implement appropriate security measures in accordance with relevant laws and guidelines. It is recommended to establish a system that facilitates this process.

Countermeasures Guidance from Our Office

Monolith Law Office is a legal firm that specializes in IT and law, with a particular emphasis on the Internet. Our firm provides comprehensive support for companies dealing with crypto assets and blockchain technology.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
