NEM (XEM)

🔴 High Risk

The 2018 Coincheck hack stands as one of the largest cryptocurrency thefts in history, where over $500 million worth of NEM (XEM) tokens were stolen from a Tokyo-based exchange. The hack exposed critical vulnerabilities in Japan’s cryptocurrency security landscape, mainly due to Coincheck’s decision to store all NEM tokens in a single hot wallet without proper multi-signature protection. Following the theft, sophisticated laundering techniques ensued within Japan, involving the use of over-the-counter (OTC) swaps, mixing services, and complex transaction chains to obscure the stolen tokens’ origins. Despite efforts by the NEM Foundation to tag and track these stolen funds, laundering activities continued, implicating numerous individuals and triggering one of Japan’s most extensive crypto crime investigations. This case profoundly highlighted the weaknesses in regulatory oversight and operational security in Japanese exchanges at the time, prompting stringent enforcement actions and reforms in AML practices within the country’s crypto industry. The Coincheck hack illustrates the deep intersection of cybercrime and money laundering in Japan’s digital asset ecosystem, serving as a cautionary tale of the risks posed by inadequate security and regulatory measures.

In January 2018, Coincheck, a major Japanese crypto exchange, suffered a historic hack leading to the theft of over $500 million worth of NEM (XEM) coins from its poorly secured hot wallet. The attackers exploited a virus infection on Coincheck employee computers to obtain private keys and transfer out the exchange’s vast, undivided XEM reserve. Despite blockchain tracking and alerts from NEM developers marking suspicious addresses, the stolen coins were laundered through various techniques, including OTC swaps and crypto conversions. The resulting laundering network involved numerous individuals in Japan, some of whom were arrested or charged; the cases included a seizure of illicit cryptocurrency assets that marked a legal first in Japan. The incident led to stringent regulatory action by Japan’s FSA, which imposed security and AML improvements across the industry, and it set precedents in crypto crime enforcement. The hack remains a landmark case illustrating vulnerabilities in exchange security and the challenges of laundering enforcement in Japan’s cryptocurrency landscape.

Countries Involved

Primarily Japan, with potential connections to foreign actors including Russia and other international crypto locations due to laundering mechanisms post-theft.

January 26, 2018

NEM (XEM)

Cyber theft/hacking, money laundering of stolen cryptocurrency

  • Coincheck Inc., a Tokyo-based cryptocurrency exchange

  • Unknown hackers (allegedly including Russian cybercriminals)

  • Approximately 30 individuals investigated/arrested in Japan for laundering activities

  • Takayoshi Doi, a Japanese doctor charged for possession of laundered XEM

  • Japanese Financial Services Agency (FSA) and local law enforcement agencies

N/A

The stolen XEM from Coincheck’s hot wallet was transferred to multiple known addresses labeled by NEM developers, complicating direct usage or resale on legitimate exchanges.
Hackers used obfuscation techniques including:

  • Movement through multiple wallet addresses and accounts

  • Conversion via over-the-counter (OTC) swaps to other cryptocurrencies to diversify and cover trails

  • Possible use of tumblers/mixers or darknet markets for disguising origins

  • Purchases by unaware parties or unknowingly complicit individuals, as evidenced by arrests for individuals purchasing discounted stolen XEM despite knowing its origins

These layering methods were intended to break the transactional chain and enable integration of illicit gains into the system, complicating tracing efforts by Japanese authorities.

Approximately $534 million USD worth of XEM was stolen; in later estimates and seizures, price falls and partial recoveries reduced the apparent value to around $39 million. Investigated laundered sums linked to individuals totaled close to $193 million USD (20 billion yen) during subsequent probes.

The hack exploited Coincheck’s poor security, specifically storing XEM in an online “hot wallet” without multi-signature protection, enabling private key theft via virus infection on employee systems. Following the theft, mass transfers of XEM were made to known suspicious addresses. Blockchain analysis by NEM developers tracked these transfers and flagged affected addresses to exchanges and traders to block transactions. Despite this, hackers employed OTC swaps and exchanged the stolen XEM for other coins, and the funds circulated through multiple hands, including darknet buyers. Japanese police later arrested around 30 individuals connected to such laundering activities, with ongoing investigations into the laundering chains.

  • Coincheck was issued a business improvement order from Japan’s Financial Services Agency (FSA) immediately after the hack, demanding enhanced security and AML/CFT controls.

  • The FSA ordered Coincheck to report on and improve risk assessments and management systems.

  • Coincheck reimbursed roughly 90% of the affected customers’ losses through financial support, funded partially by its acquisition by Monex Group.

  • Japanese police conducted investigations leading to arrests and seizure orders, including the first seizure of cryptocurrency by a Japanese court (Takayoshi Doi case).

  • Authorities expanded scrutiny across multiple Japanese crypto exchanges to improve cybersecurity and AML compliance.

NEM (XEM)

Case Title / Operation Name: Coincheck Hack - NEM (XEM) Theft and Laundering
Country(s) Involved: Japan
Platform / Exchange Used: Coincheck
Cryptocurrency Involved: NEM (XEM)
Volume Laundered (USD est.): Approximately $534 million USD stolen, estimated laundering value around $193 million during investigations
Wallet Addresses / TxIDs: Multiple wallet addresses tagged by NEM developers and flagged as hackers' accounts
Method of Laundering: Movement through multiple wallet addresses, OTC swaps converting stolen XEM to other cryptocurrencies, tumblers/mixers, darknet exchanges, layering via multiple transactions to obscure the origin
Source of Funds: Stolen XEM from Coincheck hot wallet breach due to hacking and private key theft
Associated Shell Companies: N/A
PEPs or Individuals Involved: N/A
Law Enforcement / Regulatory Action: Japanese Financial Services Agency (FSA) business improvement orders, police investigations, arrests, cryptocurrency seizures, Coincheck reimbursement of 90% of lost tokens, Monex Group acquisition of Coincheck
Year of Occurrence: 2018
Ongoing Case: Closed
🔴 High Risk