An 18-year-old hacker has been accused of infiltrating the Monappy online wallet service that’s used by investors to safeguard their cryptocurrencies. This is the first time Japanese authorities are charging a hacker for stealing cryptocurrencies in Japan.
Exploited Vulnerability in the Website Codebase
Local news outlet The Japan Times reported that the Metropolitan Police Department (MPD) of Japan arrested the 18-year-old after he breached Monappy and stole $134,310 in MonaCoin (MONA), a Litecoin hard fork. The theft allegedly occurred between August 14 and September 1, 2018.
According to the incident report, the young offender, who cannot be named because he is considered a minor, is a resident of Utsunomiya, Tochigi Prefecture. While it is still unclear how the hacker stole the funds, police believe he discovered and exploited a vulnerability in the part of the website's codebase that handles sending funds to users.
The hacker told the police he discovered a security loophole that causes the website’s transaction system to malfunction if someone tries to transfer cryptocurrency repeatedly over a short period. After being arrested, the suspect reportedly told the police:
“I felt as if I’d found a secret trick and thought I would take out all of the MonaCoin.”
Gained Access via Tor Browser
The teenager reportedly sent several cryptocurrency transfers to his account, which caused a system malfunction and allowed him to transfer vast amounts of cryptocurrency to his wallet address. The hacking incident affected at least 7,700 cryptocurrency investors using the Monappy website. The management acknowledged the breach and said they would reimburse the victims accordingly.
According to the police, the boy gained access to Monappy’s system via his smartphone and the Tor Browser, which is a security tool developed by the U.S. military for secure and confidential communication. The Tor Browser encrypts content and passes it through different servers between its origin and its destination.
The software enabled the hacker to cover his tracks even after Monappy began investigating the drastic reduction of its MonaCoin reserves, until the Japanese authorities managed to trace his actions through data communication records he left on the website’s servers.
Two And A Half Years Suspended Sentence
Japan has experienced some of the largest cryptocurrency heists amidst the increase in the popularity and demand for cryptocurrencies. One of the largest hacking incidents on record is the 2014 Mt. Gox hack, in which 850,000 BTC ($48 billion) was stolen.
Mark Karpèles, the founder of Mt. Gox, was last Friday found guilty of data manipulation and given a suspended sentence of two and a half years. Another $500,000 worth of NEM cryptocurrency was stolen last January when the Coincheck exchange was hacked.
Japan’s Financial Services Authority (FSA) has since ordered six cryptocurrency exchanges to improve their internal control systems or risk closure.