Expert says stolen NEM being traded on dark web
TOKYO (The Japan News/ANN) - Virtual currency stolen from Coincheck Inc. is being bought at a discount on the dark web, a part of the internet that cannot be reached by regular searches, and traded for other currencies at other currency exchange operators, an analysis by a data security expert has shown.
The expert found signs that multiple addresses have been used for these transactions, indicating that third parties were profiting by buying and selling.
¥1 billion exchanged?
The equivalent of about ¥58 billion in NEM was stolen from Coincheck, a virtual currency exchange operator based in Shibuya Ward, Tokyo. Of this, up to about ¥1 billion worth of NEM, based on its latest market value, is feared to have been already exchanged through these and other types of transactions, the expert said.
Around Feb. 7, a website offering to exchange NEM for bitcoin and other currencies appeared on the dark web, which can be accessed using anonymization software, allowing users to keep their identities secret.
Messages containing this website’s access point and suggesting that NEM could be purchased at “15% OFF” were sent to multiple addresses from the address of the hackers that apparently stole the NEM.
Over 200 remittances
The specialist, who is following the history of remittances of the stolen NEM, has identified an address believed to have used the website on the dark web to sell NEM. The NEM was sent from this address to several other addresses, and NEM was then repeatedly sent from those addresses to a certain virtual currency exchange operator that operates in Russian, Chinese and other languages, the specialist said.
This exchange operator does not require users to give their identities when they open accounts.
“It seems that third parties who acquired discounted NEM sell it via a vendor that makes it difficult to determine their identities. After acquiring bitcoin or other currencies, they could repeatedly buy and sell discounted NEM to make a profit,” the specialist said.
The site also shows its NEM “balance,” which has been going up and down. Early Saturday morning, an address that is thought to have used this website to sell NEM was sent the equivalent of ¥6 billion in NEM. The veracity of this balance is unclear, but it may be a sign that the user is replenishing funds.
Through this and other routes, more than 200 remittances have been made to the exchange operator since Feb. 7, which appears to indicate that efforts to exchange the stolen NEM are getting into full swing.
Meanwhile, various opinions have arisen regarding who it was that carried out the hack.
The Metropolitan Police Department analyzed communications records from Coincheck’s intracompany network, finding that, before the leak, malicious contact was made from servers in the United States, Germany and the Netherlands.
However, malicious access is often carried out by going through multiple servers, so the actual origin of the transmission remains unclear.
Late on Feb. 2, a message in Japanese saying, “A [money] laundering route has been established,” was sent to the address where stolen NEM was sent. However, most of the other messages sent by whoever carried out the malicious access used encrypted text, so it is unknown whether the message in Japanese is genuine or not.
Moreover, South Korea’s National Intelligence Service said on Feb. 5 that North Korea may have been involved in this incident.
Last year, several South Korean virtual currency exchange operators became the victims of cyber-attacks that North Korea is thought to have been involved in. The attackers made off with virtual currency.
Toshio Nawa, a senior analyst at the Cyber Defense Institute Inc., a data security company, said that fake job application files were sent via social networking services to those exchange operators and infected their systems with computer viruses when opened.
“I heard that Coincheck was also recruiting through social networks, so this technique might have been used,” Nawa said.