Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 005 · Private Key Compromise

Coincheck NEM Heist

523M XEM ($530M) drained from Japan's Coincheck, which stored its NEM reserves in one hot wallet with no multi-signature. Customers were reimbursed in yen.

Date: January 26, 2018
Victim: Coincheck
Chain(s): NEM
Status: Partially Recovered

In the early hours of January 26, 2018, an attacker drained 523 million XEM — worth roughly ¥58 billion / $530 million at the time — from Coincheck, then one of Japan's largest cryptocurrency exchanges. Eight hours passed before Coincheck's systems flagged the abnormal balance.

What happened

The bulk of Coincheck's NEM reserves were stored in a single hot wallet, with no multi-signature protection — a significant departure from the security posture other Japanese exchanges had adopted post-Mt. Gox. The exact compromise vector was never fully disclosed, but the conventional view in the post-incident investigations is that private keys leaked through endpoint compromise or insider exposure, allowing the attacker to issue a single fully-valid withdrawal authorisation.

The transaction itself was unremarkable — a single outbound XEM transfer of 523M tokens — but the volume meant it took hours for any internal monitoring to flag the drained balance.
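
The two controls whose absence this section describes, an approver quorum for large transfers and an outflow check that fires at submission time rather than hours later, can be sketched as a withdrawal gate. This is an added example, not code from Coincheck or from this archive; the thresholds, class names, approver ids, starting balance and sample requests are constructed assumptions, and only the 523M XEM figure comes from the incident.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Illustrative policy values (assumptions, not figures from the page).
QUORUM = 2                        # distinct approvers required for a large transfer
SINGLE_TX_CAP = Decimal("0.02")   # share of hot-wallet balance one approver may move
WINDOW_CAP = Decimal("0.10")      # share of balance allowed out per rolling window
WINDOW_SECONDS = 3600

@dataclass(frozen=True)
class Withdrawal:
    ts: int                # unix seconds
    amount: Decimal        # XEM
    approvers: frozenset   # ids of key holders who signed off

@dataclass
class HotWalletGate:
    balance: Decimal
    released: list = field(default_factory=list)   # (ts, amount) already sent

    def check(self, w):
        """Return policy violations for w; an empty list means release."""
        reasons = []
        if w.amount > self.balance * SINGLE_TX_CAP and len(w.approvers) < QUORUM:
            reasons.append("quorum not met")
        recent = sum(a for t, a in self.released if w.ts - t < WINDOW_SECONDS)
        # Balance at the start of the window = current balance + what already left.
        if recent + w.amount > (self.balance + recent) * WINDOW_CAP:
            reasons.append("velocity limit")
        return reasons

    def submit(self, w):
        reasons = self.check(w)
        if not reasons:               # only released transfers change state
            self.balance -= w.amount
            self.released.append((w.ts, w.amount))
        return reasons

def replay(start_balance, requests):
    """Run requests through a fresh gate; return ([(amount, reasons)], balance)."""
    gate = HotWalletGate(Decimal(start_balance))
    return [(w.amount, gate.submit(w)) for w in requests], gate.balance

# Constructed sample requests; only the 523M XEM figure comes from the incident.
SAMPLE = [
    Withdrawal(0, Decimal("50000"), frozenset({"ops-1"})),
    Withdrawal(600, Decimal("523000000"), frozenset({"ops-1"})),
    Withdrawal(900, Decimal("20000000"), frozenset({"ops-1", "ops-2"})),
]

if __name__ == "__main__":
    results, remaining = replay("530000000", SAMPLE)
    for amount, reasons in results:
        print(amount, "BLOCKED: " + ", ".join(reasons) if reasons else "released")
    print("hot wallet balance:", remaining)
```

In this sketch the velocity limit is a hard stop even when the quorum is met, so a reserve-sized transfer has to go through a separate, slower process instead of the hot-wallet path.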

Aftermath

  • Coincheck paused withdrawals of all cryptocurrencies the same day.
  • The exchange announced it would reimburse all 260,000 affected customers in yen from corporate reserves — roughly ¥46.3 billion (~$430M) at the chosen redemption rate.
  • The Japanese Financial Services Agency conducted its first-ever raid of a cryptocurrency exchange, prompting nationwide exchange inspections and accelerating Japan's exchange-registration regime.
  • Most of the stolen XEM was laundered through a network of dark-market sites set up by the attacker; Japanese law enforcement recovered a portion in 2021 from connected individuals.

Why it matters

Coincheck was the second time (after Mt. Gox) that a major Japanese exchange suffered a catastrophic hot-wallet compromise — and the first time the operator made customers whole out of corporate reserves. Together with Mt. Gox it shaped Japan's strict licensing regime, which today imposes specific cold-storage ratios, insurance reserve requirements, and multi-sig minimums on every registered exchange.

Sources & on-chain evidence

  1. en.wikipedia.org: https://en.wikipedia.org/wiki/Coincheck
  2. fortune.com: https://fortune.com/crypto/2018/01/29/coincheck-japan-nem-hack/
  3. money.cnn.com: https://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/
