lae's notebook

Monappy Reopening Announcement (Translation)

The following is a translation of IndieSquare's announcement post.

To begin with, we'd like to extend our apologies to the users of this service and related persons affected by this incident. We're profoundly sorry that it took so long for us to resolve this incident and get to the point of resuming service and for keeping you in the dark.

To briefly recap: on 1 September 2018, an unauthorized party was able to access the hot wallet in use by Monappy and drained the wallet's Monacoin balance. In response, to prevent further damage to customer assets and to perform a root cause analysis, the service was taken offline. Since then, we've completed improvements to secure the system as well as improvements to the administrative side of the service, and are pleased to announce that we are making final preparations to reopen the service on 7 October, 2019.

Going forward, we will be periodically auditing the service and making security improvements wherever possible, and hope to regain your trust in the process.

As the service reopens, affected users will be fully reimbursed for damages. Details are below:

Reimbursement amount: 93078.7316 mona
Reimbursed persons: 7735 people
Reimbursement procedure: Once the service reopens, affected persons may log in to their account and will be able to withdraw their Monacoin balance as normal.

Service Reopening Details

In order to provide the safest environment for the affected Monappy users to withdraw their funds, only a subset of users will be able to access Monappy at first. We will be incrementing this number regularly, so we hope for your cooperation during this process.

On 7 October, 2019 at 10AM JST, an email from an @monappy.jp email address will be sent to all existing Monappy users regarding the reopening.

  • On login to Monappy, you will be strongly urged to withdraw your funds to a safer wallet (tl note: an offline wallet on your PC, for example), leaving only the bare minimum you need in your account (tl note: should you want to keep using the service).
  • Please note, if you make a mistake with the recipient address during the withdrawal process, due to the nature of blockchain we will be unable to assist you in this matter. Please double check your address before clicking withdraw.
  • Should there be a rapid increase of traffic or some other unforeseen problem, we may temporarily suspend the service without notice.
  • You may not be able to log in to your account if accessing from a different IP from before. If this turns out to be the case, please email support@monappy.jp.
  • For those accounts with significantly large balances, identity verification may be required.
  • We expect all users to be able to start using Monappy in approximately 1-2 weeks.

*Caution*

  • We will never ask you for your email address or password on the basis of this incident via any communication method, including email, phone and postal mail.
  • We will never send you any email including an attachment regarding this incident. Please do not open any if you do receive something like this.
  • We will never ask you to input your Monappy account's email address or password on a domain other than monappy.jp. Please take due caution if you receive a suspicious email requesting you to do so.
  • Should we discover an issue not currently known, we may postpone reopening of the service to a later date without prior notice.

Events Leading Up to Reopening

In an effort to restore service, IndieSquare has hired a new team member who has experience with cybersecurity and supporting financial systems. During this process we revised the application's architecture in an endeavor to improve security, which includes changes to the monitoring system as well. We intend to introduce changes as needed along the way in an attempt to keep the service secure.

(tl note: I'm leaving this part untranslated as it's just review of what architectural changes they made, much of which should be matter-of-fact knowledge to system administrators. main thing for non-nerds is that there's more anomaly detection. also, I'm tired.)

Future Changes

In accordance with amendments to the Payment Services Act to go into effect in April 2020, we intend to remove the service's dependency on a hot wallet. We're also looking to develop integrations between Monappy and dApps, so that users can eventually have full control over their private keys.

standard apology and forward looking statement here

The translator of this article can be found on Twitter at @sleepingkyoto. Please send any corrections that way if needed. The translator is not affiliated with IndieSquare.

Notes from Zaif Attack

The following is primarily a translation of this blog post.

On September 20, 2018, Tech Bureau sent out a notice that they suspended deposits and withdrawals for three currencies (BTC, MONA, BCH) on the Zaif cryptocurrency exchange due to unauthorized access to its systems. This post is an aggregation of the details of that event.

Press Releases

Tech Bureau

Incident Timeline

| Time | Event |
|---|---|
| 2018.09.14 between 17:00-19:00 | Approximately 6.7 billion JPY worth of assets were withdrawn without authorization. |
| 2018.09.17 | Tech Bureau detected an anomaly within the environment. |
| - evening | Tech Bureau suspended withdrawals/deposits for 3 currencies on Zaif. |
| 2018.09.18 | Tech Bureau identified they had suffered a hacking incident. |
| - same day | Tech Bureau reported the incident to the local finance bureau and started filing papers with the authorities. |
| - same day | The official Zaif Twitter account tweeted that customer financial assets are safe. |
| - same day | In accordance with the Payment Services Act, the FSA issued a Request for Report to Tech Bureau. |
| Post-identification | Tech Bureau enters into a contract with Fisco for financial support. |
| Post-identification | Tech Bureau enters into a contract with CAICA for assistance in improving security. |
| 2018.09.20 ~2am | Tech Bureau issues a press release declaring that deposits/withdrawals were suspended due to a hacking operation. |
| - same day | The Japan Cryptocurrency Business Association appealed for a member to perform an emergency inspection. |
| - same day | The FSA sent an on-site inspection crew to Tech Bureau. |
| 2018.09.21 | ETA for the FSA to issue a report on its investigation about the status of customer assets to the cryptocurrency exchange's traders. |

Damage

  • Approximately 6.7 billion JPY worth of 3 different currencies were withdrawn externally without authorization.
  • Withdrawals and deposits for the 3 affected currencies have been suspended since the evening of 17 September.

Itemization of damages

Tech Bureau's own assets: ~2.2 billion JPY
Customer assets: ~4.5 billion JPY

  • Tech Bureau has shown that they can cover the 4.5b loss of customer assets through financial assistance from the FDAG subsidiary.

Information around the Zaif hack itself

  • Funds were withdrawn from the server managing the Zaif hot wallet.
  • Tech Bureau is still investigating the exact method of intrusion, but it doesn't look like they'll publicly announce it as a protective measure.

Details on the unauthorized transactions

Total (estimated) damages on the 3 currencies

| Currency | Amount transferred | JPY conversion | USD conversion |
|---|---|---|---|
| Bitcoin | 5966 BTC | 4.295 billion JPY | 38.207 million USD |
| Monacoin | Under investigation, but sources estimate 6,236,810 MONA | 650 million JPY | 5.782 million USD |
| Bitcoin Cash | Under investigation, but sources estimate 42,327 BCH | 2.019 billion JPY | 17.954 million USD |

Assumed recipient addresses of the hack

| Currency | Address | Time of transaction |
|---|---|---|
| Bitcoin | 1FmwHh6pgkf4meCMoqo8fHH3GNRF571f9w | 2018.09.14, between 17:33:27 and 18:42:30 |
| Bitcoin Cash | qrn0jwaq3at5hhxsne8gmg5uemudl57r05pdzu2nyd | 2018.09.14, between 17:33:15 and 17:51:24 |
| Monacoin | MBEYH8JuAHynTA7unLjon7p7im2U9JbitV | 2018.09.14, between 17:39:01 and 18:54:10 |

work in progress



Disclaimer: I make no guarantees of the accuracy of the above article.
Please see the official press releases and/or PR department at Zaif. I am also not affiliated with Zaif or any of the companies mentioned in this article.