18-Year-Old Japanese Hacker Arrested for $135K Cryptocurrency Theft from Monappy

An 18-year-old Japanese boy, whose name is being withheld by the police because he is a minor, was handed to prosecutors over the theft last year of ¥15 million worth of cryptocurrency (around $135K), allegedly carried out by taking advantage of vulnerabilities in the cryptocurrency wallet website Monappy. Local news outlet The Japan Times also reported that the case is the first of its kind in Japan; this is the first time that criminal charges have been filed against a hacker who allegedly stole cryptocurrency.

The cybercriminal from the city of Utsunomiya, Tochigi Prefecture, allegedly hacked Monappy, a mobile crypto wallet and a website in which users can keep the virtual currency MonaCoin (MONA), and stole 15 million yen ($134,196) of cryptocurrency between Aug. 14 and Sept. 1 of last year. According to police investigating the case, almost 7,700 users were affected by the attack and the company has promised to compensate them.

The hacker reportedly used the Tor browser, which lets users browse the internet anonymously and without being traced. Luckily, the police identified him by analyzing communication records left on the website’s server. As for the vulnerabilities in Monappy’s system, it was vulnerable to continuous fund-transfer requests. Somehow, the hacker knew this and took advantage of the weakness, knowing that the system would crash if repeated transfer requests were made over a short period of time.

Later, the attacker submitted multiple transfer requests to his own account, which caused the entire system to malfunction and allowed him to direct more funds to his account. He reportedly sent the stolen MonaCoin to another cryptocurrency operator to receive the payout in different cryptocurrencies, and used it to buy items such as a smartphone.
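The report does not describe Monappy's internals, so the following is an added illustrative sketch, not Monappy's code, of controls a wallet service can place in front of transfers so that a burst of repeated requests cannot move more than the available balance. The class `TransferGate`, the account names, and the limits are all assumptions made for the example.

```python
import threading
from collections import defaultdict, deque

class TransferGate:
    """Hypothetical ledger: per-account burst limit, idempotent ids, atomic debit."""

    def __init__(self, balances, max_requests=3, window_seconds=10.0):
        self._balances = dict(balances)
        self._max = max_requests
        self._window = window_seconds
        self._recent = defaultdict(deque)  # account -> timestamps of recent requests
        self._seen = {}                    # request_id -> outcome already returned
        self._lock = threading.Lock()      # keeps check-and-debit a single atomic step

    def balance(self, account):
        with self._lock:
            return self._balances.get(account, 0)

    def transfer(self, request_id, src, dst, amount, now):
        with self._lock:
            # A replayed request id gets the first outcome back; it never pays twice.
            if request_id in self._seen:
                return self._seen[request_id]
            result = self._decide(src, dst, amount, now)
            self._seen[request_id] = result
            return result

    def _decide(self, src, dst, amount, now):
        stamps = self._recent[src]
        while stamps and now - stamps[0] >= self._window:
            stamps.popleft()               # forget requests that left the window
        stamps.append(now)                 # rejected requests still count as burst
        if len(stamps) > self._max:
            return "rejected: rate limit"
        if amount <= 0 or self._balances.get(src, 0) < amount:
            return "rejected: insufficient funds"
        self._balances[src] -= amount
        self._balances[dst] = self._balances.get(dst, 0) + amount
        return "ok"

def replay_burst():
    """Constructed sample: 20 transfer requests within 2 seconds, then a replayed id."""
    gate = TransferGate({"sender": 100, "receiver": 0})
    results = [gate.transfer(f"req-{i}", "sender", "receiver", 40, now=i * 0.1)
               for i in range(20)]
    results.append(gate.transfer("req-0", "sender", "receiver", 40, now=2.0))
    return results, gate.balance("sender"), gate.balance("receiver")
```

The rejected-request counts per account are also a natural signal to alert on, since a legitimate user rarely submits many transfers within seconds.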

The police said the boy has admitted to the allegations, quoting him as saying, “I felt like I’d found a trick no one knows and did it as if I were playing a video game.”

Speaking of the attack, the operator said that the stolen MonaCoin was stored in a storage facility which had a 24/7 internet connection. Funds stored in cold storage or offline storage facilities remain unaffected. Monappy also confirmed that no user information such as email addresses, passwords, or private keys was stolen. Additionally, the operator subsequently announced compensation for the lost funds.

It is important to note that similar cases – such as the fall of the crypto exchange Mt. Gox, from which ¥48 billion worth of Bitcoin was stolen in 2014, the loss of ¥58 billion worth of the digital currency NEM from the exchange Coincheck, and the theft of nearly $60 million (or 6.7 billion yen) in cryptocurrency from the exchange Zaif – dwarf the currently reported attack.