{"id":56371,"date":"2023-06-19T17:28:21","date_gmt":"2023-06-19T08:28:21","guid":{"rendered":"https:\/\/monolith.law\/en\/?p=56371"},"modified":"2023-09-22T16:55:19","modified_gmt":"2023-09-22T07:55:19","slug":"cryptoassets-security","status":"publish","type":"post","link":"https:\/\/monolith.law\/en\/it\/cryptoassets-security","title":{"rendered":"Importance of Security Measures for Crypto Assets: Lessons Learned from Cryptocurrency Outflow Incidents in Japan"},"content":{"rendered":"\n<p>It is important to take sufficient security measures to ensure safe transactions related to crypto assets. From a service user&#8217;s perspective, using crypto asset related services that lack such measures is a concern.<\/p>\n\n\n\n<p>In this article, we will present security measures for businesses that offer crypto-asset services, focusing on those measures relevant to crypto-assets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Importance_of_Security_Measures_for_Crypto_Assets_Virtual_Currencies\"><\/span>Importance of Security Measures for Crypto Assets (Virtual Currencies)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/monolith.law\/wp-content\/uploads\/2022\/09\/Shutterstock_1225074202.jpg\" alt=\"Importance of security measures for crypto assets\" class=\"wp-image-51791\" \/><\/figure>\n\n\n\n<p><strong>It is extremely important to take security measures<\/strong> for businesses that provide services related to crypto assets.<\/p>\n\n\n\n<p>For example, if a system failure occurs due to a cyber attack by hackers, etc., transactions related to crypto assets will be disabled, which will have a serious impact on crypto asset 
transactions made by service users.<\/p>\n\n\n\n<p>In addition, depending on the content of the service related to crypto assets, the operator may manage the crypto assets of users. If it does not take sufficient security measures, users&#8217; crypto assets may be leaked due to cyber attacks.<\/p>\n\n\n\n<p>Furthermore, since crypto assets are traded over the Internet, they are traded across national borders. If crypto assets are leaked across national borders, they may be difficult to trace.<\/p>\n\n\n\n<p>Therefore, as a provider of services related to crypto assets, it is important to protect users by ensuring the security of services and to avoid liability for damages to users by protecting systems from cyber attacks. For these reasons, security measures for crypto assets are extremely important.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Security_Measures_for_Preventing_Cryptocurrency_Outflow_Incidents\"><\/span>Security Measures for Preventing Cryptocurrency Outflow Incidents<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/monolith.law\/wp-content\/uploads\/2022\/09\/Shutterstock_1966912852.jpg\" alt=\"Crypto asset outflow incidents\" class=\"wp-image-51792\" \/><\/figure>\n\n\n\n<p>There have been many virtual currency outflows in the past.<\/p>\n\n\n\n<p>The virtual currency outflows show how important it is to take security measures for virtual currency.<\/p>\n\n\n\n<p>The following are three examples of leakage cases that actually happened in Japan.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Coincheck_Co_Ltd_Crypto_Asset_Leakage_Incident_January_2018\"><\/span>Coincheck Co. Ltd. 
Crypto Asset Leakage Incident (January 2018)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>On January 26, 2018, there was a cryptocurrency leak at Coincheck Inc.<\/p>\n\n\n\n<p>The incident involved the hacking of NEM, a cryptocurrency asset managed by users of the service, from the Coincheck system. Coincheck Co., Ltd. operates the cryptocurrency exchange from which the NEM was leaked.<\/p>\n\n\n\n<p>The incident was widely reported because of the huge amount of damage, which was estimated to be around 58 billion yen (about 4 billion dollars). The Coincheck Inc. virtual currency leak has become a major topic of conversation not only in Japan but also overseas.<\/p>\n\n\n\n<p>The Coincheck Inc. virtual currency outflow incident is reported to have been caused by Coincheck&#8217;s weak security measures.<\/p>\n\n\n\n<p>Coincheck&#8217;s utilization of <strong>a hot wallet, which is connected to the internet<\/strong>, resulted in the leak of approximately 58 billion yen (NEM) within just 20 minutes.<\/p>\n\n\n\n<p>As a security precaution, a &#8220;cold wallet&#8221;, meaning a wallet that is not connected to the internet, is commonly recommended as the preferred option.<\/p>\n\n\n\n<p>Coincheck Co., Ltd. compensated its users but subsequently faced administrative sanctions such as report collection, business improvement orders, and on-site inspections from the Financial Services Agency.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Cryptocurrency_outflow_incident_by_Tech_Bureau_Inc_September_2018\"><\/span>Cryptocurrency outflow incident by Tech Bureau, Inc. (September 2018)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>On September 14, 2018, Tech Bureau, Inc. 
experienced a cryptocurrency leak.<\/p>\n\n\n\n<p>The incident involves the unauthorized access of external parties to Zaif, a crypto asset exchange managed by Tech Bureau, Inc., resulting in the leakage of approximately 7 billion yen worth of crypto assets.<\/p>\n\n\n\n<p>Of the total amount, around 4.5 billion yen was in the form of crypto assets belonging to the service users.<\/p>\n\n\n\n<p>In the Tech Bureau, Inc. crypto-asset leak case, <strong>the crypto-assets were stored in hot wallets, which are internet-connected wallets,<\/strong> similar to the crypto-assets leaked by Coincheck, Inc.<\/p>\n\n\n\n<p>Tech Bureau Co., Ltd. was issued three business improvement orders by the Financial Services Agency in response to the cryptocurrency leak issue.<\/p>\n\n\n\n<p>In November 2018, Tech Bureau, Inc. became the first crypto asset exchange service provider to abolish its crypto asset exchange business by transferring its &#8220;Zaif&#8221; crypto asset trading business.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Bitpoint_Japan_Co_Ltd_Cryptocurrency_Outflow_Incident_July_2019\"><\/span>Bitpoint Japan Co., Ltd. Cryptocurrency Outflow Incident (July 2019)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>On July 11, 2019, Bitpoint Japan Co., Ltd. experienced a crypto asset leak.<\/p>\n\n\n\n<p>A breach occurred at Bitpoint Japan Co., Ltd.&#8217;s crypto asset exchange, resulting in the leakage of approximately 3.5 billion yen worth of crypto assets.<\/p>\n\n\n\n<p>Around 3.5 billion yen in crypto assets were leaked, out of which approximately 2 billion yen belonged to service users.<\/p>\n\n\n\n<p>In the Bitpoint Japan Co., Ltd. 
case, <strong>a portion of their crypto assets was stored in a hot wallet &#8211; a wallet connected to the internet<\/strong> &#8211; akin to the aforementioned crypto asset leak incidents.<\/p>\n\n\n\n<p>BITPOINT has compensated approximately 2 billion yen worth of crypto assets to users of its service who experienced a leak.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Security_Measures_Overview\"><\/span>Security Measures Overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/monolith.law\/wp-content\/uploads\/2022\/09\/Shutterstock_1793468572.jpg\" alt=\"Overview of security measures\" class=\"wp-image-51793\" \/><\/figure>\n\n\n\n<p>As with the aforementioned virtual currency outflows, once a virtual currency outflow occurs, there is enormous damage and impact. In addition to compensation for virtual currency outflows, there is also the issue of reputational risk.<\/p>\n\n\n\n<p>To avoid such issues, it is crucial to implement adequate security measures.<\/p>\n\n\n\n<p>Article 13 of the &#8220;<a href=\"https:\/\/elaws.e-gov.go.jp\/document?lawid=429M60000002007_20220401_504M60000002013\">Cabinet Office Ordinance on Crypto Asset Exchange Service Providers<\/a>&#8221; states the following.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>Article 13 Cryptoasset exchange service providers must take measures to ensure sufficient control of the electronic data processing system handling the cryptoasset exchange services, in accordance with the details and means of its cryptoasset exchange services.<\/p>\n<\/blockquote>\n\n\n\n<p>Furthermore, the Financial Services Agency has released &#8220;<a href=\"https:\/\/www.fsa.go.jp\/common\/law\/guide\/kaisya\/index.html\">Volume 3 Financial Business Operators,<\/a>&#8221; which outlines specific regulations for 16 crypto asset exchange companies 
starting on page 59.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\">\n<p>(5) Cyber security management<br>\u2460 With regard to cybersecurity, does the board of directors, etc., recognize the importance of cybersecurity and develop necessary systems in light of the increasing sophistication of cyberattacks?<br>\u2461 With regard to cyber security, in addition to developing an organizational structure and internal rules, are efforts being made to develop the following cyber security management systems?<br>\u30fbCyber-attack monitoring system<br>\u30fbReport and public relations system in the event of a cyber attack<br>\u30fbEmergency response\/early warning system such as CSIRT (Computer Security Incident Response Team) within the organization<br>\u30fbInformation collection and sharing system through information sharing organizations<br>\u2462 In preparation for cyberattacks, is a multi-layered defense system in place that combines multiple levels of cybersecurity measures according to risk, such as entrance measures, internal measures, and exit measures?<br>\u30fbIntrusion countermeasures (e.g., installation of firewalls, introduction of anti-virus software, introduction of intrusion detection systems\/intrusion prevention systems, etc.)<br>\u30fbInternal measures (e.g. proper management of privileged IDs and passwords, deletion of unnecessary IDs, execution monitoring of specific commands, ensuring security of production systems (between servers) (packet filters and communication encryption), separation of the development (testing) environment from the production system environment, separation of network segments according to the purpose of use, etc.)<br>\u30fbExit measures (e.g. 
acquisition\/analysis of communication logs, event logs, etc., detection\/blocking of inappropriate communications, etc.)<br>\u2463 In the event of a cyber-attack, is there a system in place to quickly implement the following measures in order to prevent the spread of damage?<br>\u30fbIdentifying and blocking the attack source IP address<br>\u30fbA function that automatically distributes access in response to DDoS attacks<br>\u30fbSuspension of all or part of the system, etc.<br>Also, do you have procedures for post-investigation (forensic investigation) to confirm the scope of impact and investigate the cause, such as saving logs and obtaining image copies?<br>\u2464 Are procedures for regularly collecting, analyzing, and responding to vulnerability\/threat information clearly defined and systematically implemented?<br>Also, regarding system vulnerabilities, are necessary measures taken in a timely manner, such as OS updates and application of security patches?<br>\u2465 Regarding cyber security, do you regularly evaluate the security level and strive to improve security measures by utilizing security diagnosis (vulnerability diagnosis, source code diagnosis, penetration test, etc.) by a third party (external organization)?<br>Also, if a cybersecurity breach incident occurs in Japan or overseas, are risk assessments being conducted appropriately?<br>
\u2466 When conducting non-face-to-face transactions using communication means such as the Internet, have you introduced the following appropriate authentication methods according to the risks involved?<br>\u30fbAn authentication method that does not rely solely on fixed IDs and passwords, such as variable passwords and electronic certificates.<br>\u30fbTransaction authentication through multiple channels, such as using devices other than PCs and smartphones used for transactions<br>\u30fbAdoption of transaction passwords separate from login passwords, etc.<br>\u2467 When conducting non-face-to-face transactions using communication means such as the Internet, are the following anti-fraud measures taken according to the type of industry?<br>\u30fbBlock communication from unauthorized IP addresses<br>\u30fbMeasures to encourage the installation or update of security software that detects and removes viruses, etc.<br>\u30fbEstablishment of a system to detect unauthorized logins, abnormal transactions, etc., and promptly notify users<br>\u30fbScreen display of the last login (logoff) date and time, etc.<br>\u2468 Are emergency response plans for cyber-attacks formulated, trained, and reviewed? Also, do you participate in cross-industry exercises where appropriate?<br>\u2469 Does the institution formulate and implement a plan for developing and expanding cybersecurity-related human resources?<\/p>\n<\/blockquote>\n\n\n\n<p>Cryptocurrency exchange service providers are required to adhere to specific and detailed security measures. 
As such, it is crucial to review the laws and regulations pertaining to crypto assets, as well as the guidelines established by the Financial Services Agency, to ensure that the appropriate security measures are in place.<\/p>\n\n\n\n<p>Virtual currency exchanges are subject to various regulations in addition to safety measures. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Overview_Talk_to_a_lawyer_about_legal_issues_related_to_blockchain_games\"><\/span>Overview: Talk to a lawyer about legal issues related to blockchain games<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We have presented security measures pertaining to crypto-assets for businesses offering services related to crypto-assets.<\/p>\n\n\n\n<p>To ensure adequate security for crypto assets, it is essential to establish an organization capable of implementing robust security measures.<\/p>\n\n\n\n<p>Businesses considering security measures for their crypto assets should seek advice from a lawyer who is knowledgeable in both IT and legal fields. They should then implement appropriate security measures in accordance with relevant laws and guidelines. It is recommended to establish a system that facilitates this process.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Countermeasures_Guidance_from_Our_Office\"><\/span>Countermeasures Guidance from Our Office<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Monolith Law Office is a legal firm that specializes in IT and law, with a particular emphasis on the Internet. Our firm provides comprehensive support for companies dealing with crypto assets and blockchain technology. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is important to take sufficient security measures to ensure safe transactions related to crypto assets. 
From a service user&#8217;s perspective, it is a concern to use crypto assets related service [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":56618,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[20,19],"acf":[],"_links":{"self":[{"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/posts\/56371"}],"collection":[{"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/comments?post=56371"}],"version-history":[{"count":8,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/posts\/56371\/revisions"}],"predecessor-version":[{"id":59114,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/posts\/56371\/revisions\/59114"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/media\/56618"}],"wp:attachment":[{"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/media?parent=56371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/categories?post=56371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/monolith.law\/en\/wp-json\/wp\/v2\/tags?post=56371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}