UPDATED | March 12, 2018:
Coincheck has announced that starting Monday, March 12, it would begin distributing 46 billion yen (about $431.9 billion at time of press) to customers who lost NEM tokens in the January 26 attack. Additionally, the exchange will restore the trading and withdrawal of bitcoin and some other cryptocurrencies, after having suspended such activities in the immediate aftermath of the theft.
ORIGINAL | January 29, 2018:
Coincheck, the Japanese cryptocurrency exchange that was recently robbed of some 523 million XEM (as tokens on the NEM blockchain are called), has been instructed by the country's Financial Services Agency (FSA) to prepare a report on the incident, according to a press release on the exchange's website.
The business improvement order from the FSA gives Coincheck until February 13, 2018, to determine how the funds were stolen as well as to issue an "appropriate response to customers" and to implement "risk management" measures to prevent similar events from occurring in the future. The company has pledged to comply.
The firm also said that it would use company funds to reimburse the approximately 260,000 affected customers to the tune of 88.549 yen per token stolen. It arrived at this particular figure by "using the weighted average of turnover during a set period" from the time that it suspended purchases and sales of XEM to the time that it announced its plans to issue a refund nearly a day and a half later. Coincheck is "currently deciding" on when to issue the compensation and on what the "best method" will be for doing so.
The FSA related that it had not yet confirmed whether Coincheck had the capital to cover these reimbursements.
In a January 26 video, NEM Foundation vice president Jeff McDonald said that he does not want to speculate on whether Coincheck will be able to reimburse all affected parties.
Asked about the possibility of the company hard forking the blockchain, which would allow the funds to be returned to the exchange, he replied that a "hard fork is not an option. The NEM protocol worked exactly as it was designed to work."
He did, however, offer the reassurance that his organization was tracking the funds that had been taken, tagging accounts found to be in possession of them, and asking exchanges to halt deposits of stolen tokens. "The biggest exchanges with the most liquidity that we've reached out to have been very responsive so far," he reported.
According to McDonald, the vulnerability that made the theft possible had to do with Coincheck's decision to keep the NEM tokens in a hot wallet, which is effectively a storage mechanism connected to the internet. (A cold wallet, by contrast, is offline and therefore much harder to access, while a multi-signature wallet would require approval from multiple authorities before releasing funds.) He went on to explain that the exchange's hot wallet "basically had an exposed API and probably an exposed private key. I really wish they would have been using NEM's multi-signature contract, and that probably would have saved them all these problems."
Coincheck's president, Koichiro Wada, has said that the company used the less secure wallet "due to technical reasons and understaffing."
The FSA does not currently have any official rules pertaining to the use of hot, cold, or multi-signature wallets by exchanges.
In light of the theft, the agency will conduct hearings with other exchanges and may follow up with on-site inspections of cryptocurrency marketplaces it determines to have insufficient security.
Quotes translated from Japanese using Google Translate.