Transcript for the Coincheck Hack Interview
This is a special announcement about the theft of XEM coins from the Coincheck exchange on January 26, 2018, 3:00 pm UTC. I’m going to explain what the NEM team knows about the situation and what NEM’s response will be. NEM Foundation VP Jeff McDonald is my guest.
You can watch the full video here:
Alex: So I have Jeff McDonald who is the NEM Foundation VP with me here today and we are going to talk about a special announcement where we had the theft of some XEM coins from the Coincheck Exchange yesterday. The NEM team and the Coincheck team has been working together to try and resolve the best they can this situation. So I brought in Jeff because there has been a lot of speculation going around and Jeff if you could give us an overview of the situation for people who are just tuning in and your stance on what you think will happen over the next few days.
Jeff: There is still a lot of unknowns but I can say that I’ve had a meeting with the Coincheck team and we feel very bad for their losses. What we know is that someone has removed more than 500 million XEM from their wallet and the Coincheck team is trying to do as much as they can to figure out what happened. And the NEM Foundation is reaching out to them and talking to them and trying to support them as much as we can. Right now, there’s still a lot of information that needs to be known. Generally speaking we are trying to help them. We are tracking the funds that were taken and the NEM Foundation is tagging every account that has the funds in them. We are are currently reaching out to exchanges and halt any deposits that were made with these XEM. As bad as this situation is, NEM has a very powerful API and adding any 1 API to any deposit will show exchanges if stolen funds were added to any deposit. So we are working with exchanges to see if we can make that happen.
Alex: (Reading live from Inside NEM Twitter) Some of the community is asking if you think the stolen XEM by the hackers will go back to the clients? We have a bunch of questions coming in from Twitter. This is one of their questions.
Jeff: Are you asking if the hacker will give the money back to Coincheck?
Alex: No, is it possible to ever give it back to Coincheck?
Jeff: I don’t want to speculate on that too much. They basically lost half a billion dollars of XEM and if they had a billion dollars in the bank then they would be able to cover the losses pretty easily. I don’t know how much money they have. So that’s really going to be something for them to look into and I haven’t spoken with them about that.
Alex: This is something that you and I have talked about before but with ANY exchange that carries XEM, they are actually buying it out of their own pocket. They are not buying it at a discount. They are buying it at the same price that everyone else gets it at and that’s why we aren’t on every single exchange, right? The NEM Foundation has a very hard stance on selling at a discount. This actually hurts Coincheck a lot because it actually hits their bottom line.
Jeff: Yeah, it does. I feel really bad because I’ve met the Coincheck team in person — they are really nice guys. They were basically known in Japan as being an easy to use exchange and very friendly so they were very popular. But we do know a long time ago because of the way Coincheck operates they did buy 300 million XEM. So its not known how much of the stolen XEM was Coincheck XEM or user funds deposited by users. That remains to be seen. But we can expect there is a mix of both.
Alex: What happened? Did NEM find out right away? Is there an email sent out? A hotline? The community is asking about the visibility into when an exchange gets hacked.
Jeff: Yeah, so. NEM has a hotline. And basically last night when the Coincheck reached out on our hotline we answered their call. Then fairly quickly after that, I was able to have a video conference with them and start to discuss our options. And that is when we found out the NEM Foundation was going to tag and track the fund for Coincheck.
Alex: The community is asking if there is a way to recover the XEM by force? Can’t NEM just stop it? But it doesn’t really work that way. You can’t just stop a transaction like that.
Jeff: A couple of things… when the funds were moved out of Coincheck it would appear that all the funds were in a hot wallet that had an exposed API and probably exposed private key. I really wish they had used NEM’s multi-signature contract and that would have saved them all these problems. That being said, once the funds were taken from Coincheck they are on the blockchain and there is no way to go back and change the history of the blockchain without a hard fork. And for us, a hard fork is not an option. The NEM protocol worked exactly as it was designed to work. And it was a problem that the funds were taken and the only way to try to recover the funds by force is with a hard fork and we don’t consider that an option at all because the NEM system is working correctly. It’s a terrible thing but I think if the funds were going to be returned that it would have to be the hacker returning the coins to Coincheck.
Alex: And they’ve stated that… well to be clear everyone, we have a good relationship with Coincheck. They are good people and they made a mistake by not putting in accurate security measures. Their COO went on live television and talked to the media about this. We’re not interested in throwing anyone under the bus. What we’re interested in is talking about using this as an example of what to do and what not to do. And right now what not to do is to keep all your money on an exchange and not put it into a cold wallet. We’re going to have many tutorials on how to use multi-sig and talk more about those features. This is a scary incident for a lot of people including Coincheck and their customers of what happens when you are not securely putting away your coins.
Jeff: Yeah it is. The users and also the exchanges. Time and time again an exchange after exchange has been hacked. No matter how much security an exchange uses, a hacker will try to get to the next level of security and try to hack that. It’s a constant game of cat and mouse.
Now that being said, I will mention Catapult. We have a major update coming for NEM and in the future we can basically enable an exchange so that even if the exchange got hacked then and the private key was exposed that the funds still couldn’t be stolen. That’s through some of the advanced contracts that are plugged directly into the core of the NEM Catapult system. So we know this is a problem in blockchain and cryptos. Exchanges have been hacked time and time again. NEM is not the first blockchain that’s going to be affected, has been affected or will be affected. There’s been a lot of great solutions and I’m happy to say we thought a lot about this in the past. Had the Catapult update been out and had the exchange properly implemented it then it would have been impossible for this hack to have stolen all of their money.
Alex: I’m getting a lot of notifications on Twitter — hundreds — and what they are asking is if there will be an impact to XEM long-term? Meaning yes… you are tracking it now. Yes you can work with the exchanges so it can’t get redeemed (basically) or its tracked but can this hacker actually manipulate the XEM price down the road?
Jeff: Well thats always a big question and the answer to that is we’re not sure. At this point there is simply no way for the hacker to sell $500 million dollars worth of XEM. The market doesn’t have to be afraid of that. But I’ve been really happy that the biggest exchanges with the most liquidity that we’ve reached out to have been very responsive so far. I’m really pleased with how the community as a whole and the ecosystem of partners building on NEM and using NEM have been very responsive to our contacts and suggestions. We’re working on a system now so that it will be very difficult for the person holding these funds to sell them. I can’t speak for really about how that will look or when it will be implemented but we are already pursuing this and all the accounts with the stolen funds have been tagged.
Alex: So you are 100% sure of the where all that money is and who has it because you were flagging it real time?
Jeff: Well I can’t say for 100% sure but at the last report I got we had 98% accounted for. I need to double check on the last report. But yes we are basically actively watching to see what happens with the funds and see how they are being moved and how we are going to work with exchanges so that everything is going to be ok for our community.
Alex: The community is asking… if you (the exchange) can’t recover the funds that they bought out of pocket … well, there is fear and FUD around could this collapse the exchange?
Jeff: This is something that Coincheck is going to have to look at. I know that we have seen a lot of major hacks… that have gone both ways and that this is something they are going to have to review on their books and they will have to make a public statement on it. But I can say I wouldn’t be surprised either way, really. It’s very possible they might want to stay open… it’s very possible they might want to close down. I really don’t know. Yeah.
Alex: Just to be frank with you I can’t think of any hack that’s been this large in banking that I know of or crypto.
Jeff: Some are calling this the biggest theft of all time. That’s very subjective. Obviously Wall Street has been responsible with you know the housing crisis, Fanny Mae… Freddie Mac. Lots of other things where lots and lots of money has disappeared. But in the cryptocurrency sphere…in the exchange crypto sphere this is the largest exchange hack that I know about with any cryptocurrency ever been taken.
Alex: (Reading Twitter) So some of the feedback is… “So do you have a centralized system where you can play Gods over your currency and track and freeze other people’s money? This is horribly frightening.” That’s what somebody on Twitter said. That’s not quite true…
Jeff: That’s not true. It’s a blockchain. So all the information on the blockchain is always known and open. Now the great thing about NEM is our API which is very easy to integrate and the way it is set up it will make it easy to track money being transferred in real time and communicate that with any partners that want to support Coincheck in this endeavor. Now it’s up to other exchanges whether they want to participate or not. And this is a choice by choice matter. Nobody has absolute control over the blockchain. We can give people the tools to stay aware and alert. This is versus other blockchains where real time tracking of funds cannot be done in an efficient way. Where as NEM it’ll be a simple API call. Where as other blockchains you’ll have to look up transaction hashes which is a terrible and inefficient way of looking up information. So to be clear, the NEM team is not going to do a hard fork. But we can give partners and our ecosystem tools to make sure they aren’t aiding a criminal.
Alex: Would you go back and talk about multi-sig? The reason I’m asking is that we’re getting a lot of questions from the community around “why didn’t they use multi-sig” and “can an exchange actually use multi-sig? They have so many people…hundred of people on their (Coincheck’s) staff and they are trying to approve all these transactions… “ Is multi-sig as we currently know it… would this have helped them? Or are there other options down the road and new features where it would have prevented something like this for partners.
Jeff: So let me back up for a second. Usually an exchange, or exchanges, have multiple tiers of security. And so one thing they would normally do is have a cold wallet and a hot wallet. They would normally like to keep the majority 90–95% of their funds in a cold wallet. That’s what considered a best practice. The second things that an exchange can do is …and that’s with a lot of times other cryptocurrencies that don’t even support multi-sig as a core contract plugged into the consensus mechanism. NEM does that. NEM was the first blockchain ever to provide multi-sig as a part of consensus and as a core mechanism of producing blocks. In Bitcoin they basically tried to figure out how to do multi-sig after the fact. There’s a really popular company called Bitco that handles multi-sig for a lot of the big exchanges. And so a lot of the big exchanges with Bitcoin just outsource their multi-sig to a third-party company. NEm makes it so you don’t have to outsource anything. You just have to plug in the API so it’s a really big shame that 1.) Coincheck wasn’t using a cold wallet system and 2.) that they weren’t using multi-sig over their hot wallet and/or their cold wallet. And again, there’s a lot of things that Coincheck… and I’m not pointing fingers. They are wonderful guys… but there is a lot of things they could have done to have makd this impossible. I hope that other exchanges implement a cold wallet system on either… or… or at least both. That would be awesome. And other exchanges have implemented a cold wallet system. It’s actually the most secure way to secure funds.
Alex: That’s…. That’s another one of the biggest questions the community wants to know. How can you ensure an exchange is actually using something like this? Who is to say that with any other exchange that this couldn’t happen too? I don’t really think that’s something we can answer because we try and work with our partners but at the end of the day they own the exchanges. And we can’t enforce… but we do train them… NEM does show them how to use it…
Jeff: If they reach out to us, yeah. An exchange wants some support and training then we are willing to work with them and give them support and training on how to use the NEM protocol. I will say that some exchanges do… because I’ve talked to a lot of them… some exchanges do have some advanced security features which are really quite good and really impressive. But I’m not going to throw anybody under the rug or name any names of who is doing good or who is not doing good.
Alex: Yeah… I don’t think we need to go there.
Alex: I know that yourself and other members of the NEM team do 3 factor authentication. Right?
Alex: Can you tell people a little bit about how you do 3 factor authentication?
Jeff: Sure. So NEM allows for some really advanced things with the multi-sig so basically a lot of what people have done is that they do multi-sig on multiple machines… some are connected to the internet and some are not connected to the internet. Some transactions are initiated on one machine and approved on another machine and then approved on another machine. So for instance, I could initiate a transaction on my Windows computer then approve it on a TREZOR hardware wallet connected to a Mac and then I could boot up an Abuntu system on Linux on a computer that almost never touches the internet. It’s a little bit unfortunate but the next version of Nanowallet has already incorporated support for offline transaction initiations. And announcing. It’s just that it is coming a little bit too late. But offline transaction support for machines that have literally never touched the internet will be a part of the next Nanowallet release. I’ve already tested and used it. It’s pretty impressive.
Alex: Wow, that’s good. Hurry up Catapult! (laughs) Oh my Gosh.
Jeff: (Laughs) Well the current version of NEM already supports offline transactions. We’ve supported that for a long time. You can look at our NEM.io community projects website and that has what is called the hot/cold wallet. And that is an experimental proof of concept wallet that never touches the internet ever and can be used to send and receive transactions from. Which is a really cool idea. That’s also going to be another option in Nanowallet — the next version of Nanowallet — that will be available in the next week or two. And that will offer support for offline transaction security. So yeah… we’re offering that. And Catapult has two advanced features that i can’t really go into depth on now but if either one of these were being used… it would have made the typical exchange hack impossible. Which is really amazing.
In the future like you said… come on Catapult… there’s not just one way to make sure that a typical exchange hack doesn’t happen but there is two different ways to make sure that doesn’t happen. It’s a really exciting API and protocol that is coming out with Catapult.
Alex: Yeah. Right now… the confusion that I’m seeing with a lot of community that I’m monitoring while we’re having this interview is that they are really worried about the coin price for NEM and their own coins in Coincheck. And they are trying to better understand as we are flagging the money that it’s not abusing how people can use that in the future to control the coin. But I think that you’ve accurately stated how that works and the fact that it’s on the blockchain and anyone can see it and it’s not something we can control. We can flag it and let people know about it but we are doing what we can with the exchanges and all the exchanges have been receptive to our feedback and working with us on this issue.
Jeff: Yeah, right. And again, hard forking is not an option. That is off the table. But the power of NEM is that it’s really easy to tag things on the blockchain and make it really easy for exchanges to be alerted if somebody is trying to deposit money from them from Coincheck.
Alex: There’s a lot we could talk to you about but I want the community to know that I’m working in tandem with you — not just making it up — and that NEM Official will actually be rolling out a larger conversation on this through the blog post… and through our press release… Lon (our President) has been very vocal about letting folks know when it happened and working with Coincheck… you are doing the interview today… so this is not the last that the community will hear about it. We will be engaging and continuing to do discovery but you will be talking about this more with partners as discovery and as Coincheck has an opportunity to do more investigating around it.
Jeff: Definitely, yes. We will continue to keep everybody updated and we appreciate you helping us through that, Alex. Thank you.
Alex: I want to say thank you to the community for helping to control the FUD and to remind everyone we are doing the best that we can to ensure that our partner, Coincheck, is in the best hands with what we can do with the product. Because again, once it leaves our hands it is in their security measures. So please…let the rest of the community know that NEM has multi-sig and to be hyper hyper hyper good about how you manage your cryptos both on the exchanges and in your wallets. So thanks, Jeff.
Jeff: Yup, yup, yup. And also when possible get a hardware wallet. We have support for TREZOR and that’s a great way to keep your funds too.
Alex: Alright I’m going to share this with the community so thank you and we’ll touch base with you soon.