The phone started ringing at four in the morning. That’s never a good sign in this business—4am phone calls mean that there’s been a grisly murder, or a terrible accident. But this was different. This was about cryptocurrency, which occupies a niche in the space-time continuum where the clock never stops ticking and the thieves never sleep.

“You hearing about this CoinCheck thing?” The voice belonged to a source at the Financial Services Agency, someone who’d watched Japan’s cryptocurrency industry grow from a curiosity into a multi-trillion-yen juggernaut. “They lost everything. More than half a billion dollars, gone. This is the biggest one yet.”

He was calling me as a courtesy. I knew him from the days covering what had once been the largest theft of cryptocurrency in the world. Four years earlier, another cryptocurrency exchange had collapsed under similar circumstances: Mt. Gox, once the world’s largest Bitcoin trading platform. It had filed for bankruptcy in February 2014 after revealing that 850,000 bitcoins—worth about $470 million then—had disappeared from its systems. It was the world’s largest bitcoin exchange at the time, run not by a Japanese executive but by an odd Frenchman named Mark Karpeles.

But now it was January 26, 2018, and Japan was about to learn a hard lesson about digital money and who gets held accountable when it disappears. And this time the dollar value of the theft would break previous records.

The Heist That Shook Tokyo

The attack began in the early hours of the morning, when most of Tokyo was asleep and the cryptocurrency markets were humming along in their endless digital dance. At exactly 2:57 AM, hackers penetrated CoinCheck’s systems and began systematically draining the exchange’s hot wallet of NEM cryptocurrency. NEM is a type of cryptocurrency (short for New Economy Movement) that operates on its own blockchain. It was designed for fast, low-cost transactions and smart asset management — similar to Bitcoin, but with extra features for businesses and developers. A hot wallet is a digital wallet connected to the internet, used by exchanges to store and send cryptocurrency quickly. It’s convenient for daily transactions, but also more vulnerable to hacking than an offline “cold wallet.” Think of the hot wallet as a cash register in a 7/11 in a bad neighborhood. You don’t want to leave it full of money.

The breach was surgical in its precision. The attackers had gained access weeks earlier through a sophisticated “phishing” campaign that compromised employee credentials. Phishing is a type of online scam where attackers trick people into revealing sensitive information—like passwords or credit card numbers—by pretending to be a trustworthy source, such as a bank or a tech company.

The term comes from “fishing” for victims, with the “ph” borrowed from hacker slang of the 1990s (as in “phreaking,” old-school phone hacking). Once inside, they waited, studying the system’s architecture, mapping its defenses, and planning the perfect moment to strike.

When they moved, they moved fast. In a matter of hours, 523 million NEM tokens—worth approximately ¥58 billion ($534 million at the time)—vanished into the digital ether. But here’s the crucial detail that would define everything that followed: CoinCheck didn’t notice the theft until nearly nine hours later, when customers began reporting they couldn’t access their accounts.

The technical details tell the story of a company that had grown too fast with too little regard for security. CoinCheck was storing massive amounts of cryptocurrency in “hot wallets”—systems connected to the internet and vulnerable to attack. Industry best practice called for keeping most digital assets in “cold wallets,” offline storage systems that hackers couldn’t reach. But cold wallets were inconvenient for high-frequency trading, and CoinCheck prioritized speed over security.

The hackers exploited this weakness with military precision. They used a technique called “transaction malleability,” manipulating the NEM transaction records to make it appear as though legitimate transfers were taking place while they drained the exchange’s reserves. By the time CoinCheck’s systems registered what was happening, it was already too late.

What followed was a master class in crisis management, Japanese-style. Within hours of discovering the breach, CoinCheck executives were bowing deeply before television cameras, apologizing to their customers and the nation. The company immediately halted all trading and began the complex process of forensic investigation.

But here’s where the story gets interesting—and pay attention because it shows how Japan’s two systems of justice become visible to anyone willing to look.

The Response That Revealed Everything

CoinCheck’s response to the hack was swift, comprehensive, and expensive. The company used its own capital to reimburse all 260,000 affected customers, paying out the full ¥58 billion in damages. They cooperated fully with police investigators and financial regulators. They hired external security firms to audit their systems and implement new safeguards.

Most importantly, they survived. CoinCheck was eventually acquired by Monex Group, a major financial services company, and rebuilt itself into one of Japan’s leading cryptocurrency exchanges. The company’s executives faced no criminal charges. No one went to jail. The hack was treated as a business failure requiring business solutions, not a criminal matter requiring criminal punishment.

But that wasn’t the last time a Japanese cryptocurrency exchange would get whacked.

Fast forward to 2024, and the pattern continues with new players and bigger stakes. The DMM Bitcoin hack that May saw ¥48.2 billion ($482 million) in cryptocurrency stolen–probably by North Korean hackers from what is sometimes called the TraderTraitor group, part of the larger Lazarus organization.

One of the things that made DMM Bitcoin interesting was that the firm derived its capital from pornography. Its parent, DMM (founded by Keishi Kameyama), made its early fortune in adult entertainment and digital media before branching into e-commerce, web services, and later financial offerings. They still make money from such film offerings as VR: Seduced by the Mysterious Shine of Black Pantyhose Beautiful Legs—Zero Distance Sniffing…

When DMM launched its cryptocurrency exchange arm in 2018, it leveraged that corporate infrastructure and capital—but that does not automatically mean its funding was illicit or nefarious. Employing some top Japanese talents, they turned their new venture into a thriving business.

In May 2024, they were hit hard. The attack followed the now-familiar playbook of state-sponsored cryptocurrency theft. North Korean hackers, posing as recruiters, sent sophisticated spear-phishing emails to employees of companies managing DMM Bitcoin’s cryptocurrency wallets. One employee, thinking he was participating in a job interview process, clicked on a malicious link that installed malware on his computer.

The malware gave the hackers access to the company’s internal systems, where they patiently waited for months, studying the infrastructure and planning their attack. When they finally struck, they manipulated the user interface to hide their activities from the multiple people required to authorize large cryptocurrency transfers. What appeared to be routine maintenance became a massive theft.

The company scrambled to contain the damage, froze services, and pledged to reimburse customers using support from the broader DMM group. By late 2024, the damage was severe enough that DMM Bitcoin announced it would liquidate or wind down operations, and transfer customer assets to another platform.

But here’s what’s remarkable: DMM Bitcoin, like CoinCheck before it, was treated as a victim rather than a criminal enterprise. The company shut down operations and returned customer funds. No executives were arrested. No one spent months in detention. The focus was on catching the foreign hackers, not punishing the Japanese managers who had allowed the breach to occur.

Sure, they face stiff competition. The hackers’ methods are increasingly sophisticated. They recruit legitimate IT workers who infiltrate cryptocurrency companies using false identities, building backdoors into systems from the inside. They’ve perfected the art of “social engineering”—manipulating people rather than just attacking computer systems.

But regardless of how sophisticated the attacks become, the response in Japan remains consistent in most cases of corporate malfeasance: Japanese companies and executives are treated as victims deserving protection and support, but foreign operators face criminal liability and prosecution.

The contrast between these two cases and Japan’s most famous cryptocurrency case couldn’t be more stark.

The first big cryptocurrency heist was in 2014

Mt. Gox, located in Tokyo, was once the world’s largest Bitcoin trading platform. It suddenly filed for bankruptcy in February 2014 after revealing that 850,000 bitcoins—worth about $470 million then—had disappeared from its systems.

Like CoinCheck’s executives and DMM Bitcoin’s executives, Mt. Gox’s CEO, Mark Karpeles, claimed hackers were responsible for the missing cryptocurrency. Like CoinCheck, Mt. Gox faced regulatory scrutiny and customer outrage. Like CoinCheck, the exchange filed for bankruptcy protection while attempting to sort out the mess.

But that’s where the similarities ended, because Mt. Gox was run by a gaijin—a foreigner. A Japanese prosecutor who has written a book about the excesses of the prosecutors’ offices in Japan once wrote, “I was taught that yakuza (Japanese mobsters) and foreigners have no human rights.” Apparently, he wasn’t the only prosecutor who felt that way.

The Mother Of All Heists

Mark Karpelès, a Frenchman who had been fascinated by Japan since his teenage years, wasn’t what you’d call a criminal mastermind. He was more of a man who could get lost inside his own code and forget there was a world outside the screen. Chubby, pale, and soft-spoken, he had the look of someone who’d spent most of his life indoors, talking more to machines than to people. He wore geek-culture like armor—anime T-shirts, the occasional grin that said I’m smarter than I look—and in a way, he was.

When he landed in Tokyo in the summer of 2009 with a cat named Tibanne and set up his company, Tibanne Ltd., he didn’t have much more than curiosity and a steady Wi-Fi connection. But curiosity, when combined with hubris and a few hundred thousand bitcoins, can be as dangerous as nitroglycerin.

He was the kind of guy who could dismantle a toaster to learn how it worked, then forget where the springs went. Mt. Gox was that toaster—except it held half a billion dollars’ worth of virtual money and more user passwords than anyone cared to count.

At first, it was beautiful. Mark turned what had been a failed trading card site for Magic: The Gathering into the world’s largest bitcoin exchange. The name Mt. Gox is short for Magic The Gathering (Cards) Exchange. Of course, making a financial platform out of a site that was originally used to buy and sell the equivalent of magic-themed Pokemon cards might not have been the greatest idea, but it worked. If you wanted to buy bitcoin, or sell it for real currency, you went to Mt. Gox. A million users trusted him. Billions of yen passed through his servers like blood through a vein. For a while, he was the high priest of crypto—an unlikely messiah running an empire out of a cramped Tokyo office with exposed wires and leftover pizza boxes.

He liked to see himself as a builder of bridges between worlds: Japan and the West, virtual and real, money and magic. He even planned to open a Bitcoin Café downstairs from the exchange. “A place for believers,” he told me once. It never opened.

The cracks started small—like most disasters. Transactions lagged. Balances didn’t match. Somewhere in the wires, millions of bitcoins had vanished. Mark blamed hackers. The police blamed Mark. Everyone else just wanted their money back.

When Mt. Gox finally collapsed in February 2014, it took the hopes of a generation of digital dreamers with it. Half a billion dollars gone. Investors pounding on locked doors. Protesters outside the office holding cardboard signs and rage in their eyes.

Mark, ever the optimist, stayed calm. He offered the press coffee and reassurances. “It’s complicated,” he said. And it was. Somewhere between negligence and naivety lay the truth, and Mark was right in the middle, blinking like a bear just woken from hibernation.

He wasn’t a villain, at least not the mustache-twirling kind. He was the kind of man who believed he could fix anything with enough code, enough caffeine, and maybe another cat. But Japan’s police didn’t share that faith.

The collapse of Mt. Gox was a case I would follow for five years. It was my entry into the world of cryptocurrency. Over time, I went back and forth wondering whether Mark was innocent or guilty. That I am calling him by his first name should tell you that I did certainly grow to like him.

Before Mark’s arrest, I warned him what was coming. Meeting him at Café Trois Chambres in Shimokitazawa in the summer of 2015, I laid it on the line: “The police will come for you. They will parade you past a crowd of reporters. You’ll be held at least twenty-four hours. Then you will be turned over to the prosecution. They’ll probably ask for ten days more of detention, claiming you’re a risk. They’ll do that again and get ten more days. All in all, round one will be twenty-three days or so. And if you don’t confess, they’ll rearrest you, and the whole process starts over again.”

Mark, eating a piece of cinnamon toast, assured me he was still talking with the police. “They are on my side. Should be fine.”

“Should be fine,” was his mantra. It often was not fine.

I offered some final counsel. “And whatever you do–please wear a suit. That’s the last image people will have of you for a long time to come. Look snappy. The press will be there to photograph it. It’s a Kabuki drama. All the parts are already written. Try to play your part well enough to walk away a free man.”

The advice I gave him came from over 20 years spent covering crime in Japan. I told him never to confess to anything. Never to sign anything. To make any statement in French. I explained that Japanese prosecutors hate to take on anything less than a slam-dunk case—that’s why they have a 99 percent conviction rate.

“They will bully you, chum up to you, promise you a lighter sentence if you confess, deny you access to your lawyer, promise you access to your lawyer, lie to you about testimony they don’t have and evidence they don’t have, and will do everything to break your spirit,” I warned him. “Because twenty-three days, forty-six days, or possibly sixty-nine days may feel like forever—but it’s a lot less time than three or four years in a Japanese jail.”

The cruelty of the system would prove even worse than I’d predicted. In Japan’s criminal justice apparatus, the working motto isn’t innocent until proven guilty—it’s guilty until proven guilty. Suspects are held in isolation, interrogated without lawyers present, fed terrible food, and subjected to psychological pressure designed to break their will. The police can arrest someone on minor charges and keep re-arresting them on new charges, extending detention indefinitely. It’s a system where confessions are everything, and the police will use every psychological tool to extract them—even from the innocent.

They came for him on the humid morning of August 1, 2015, after kindly calling ahead—as if to say, “Get dressed, we’re arresting you for your own good.” He greeted them wearing a blue T-shirt that read “Effortless French” and a Monokuma baseball cap, half-white, half-black. It wasn’t a good look. And he didn’t follow my advice.

He was cuffed, paraded before cameras, and hauled off to jail, where he would spend nearly a year without bail—arrested three times total, each new arrest allowing prosecutors to extend his detention as they searched for something, anything, that might stick. During that time, he was interrogated daily without a lawyer present, pressured to confess to crimes he maintained he didn’t commit, and held in conditions that would break most people.

I knew a Japanese cop who had worked on the case. Cops in Japan can’t speak on the record, or technically even off the record, or they violate the Civil Servants Law (breaking confidentiality). They can be fired and even prosecuted for doing it. It makes reporting on crime here difficult. “According to sources close to the investigation” is a phrase that appears time and time again in newspaper coverage.

The charges against Karpelès were serious: embezzlement, breach of trust, and data manipulation. But the evidence was thin. A cop who was originally on the case, from the IT crimes division, told me straight out what went wrong with the investigation. “The government of Japan, all the way up to the Prime Minister, wants Japan to be a cryptocurrency capital. And this case is an embarrassment. We don’t know who hacked the exchange or even if it was hacked. But then the Tokyo Metropolitan Investigative Division 2 (White Collar Crimes) took over the case. And they decided Karpeles must be guilty. So their strategy was to arrest him on any charge they could find, and keep arresting him until he confessed.”

That’s typical for Japanese police.

The arrest and re-arrest until the suspect breaks is classic police technique.

For example, the pattern for homicide is almost always the same. The police find a body. They arrest the suspect on charges of improper disposal of a body and/or desecrating a corpse. They hold the suspect for 23 days—he or she confesses or doesn’t confess—and then they arrest him or her on charges of murder (sometimes manslaughter) and the process repeats.

***

Once Karpeles was indicted, a guilty verdict seemed to be written in stone. Japan has a 99% conviction rate after an indictment.

No one was sure what had really happened. The French press called it a miscarriage of justice. The Japanese tabloids called it closure. The mainstream media convicted Karpeles before his trial even began. But I wasn’t convinced that the charges were valid or that he had hacked the exchange.

And then came my first clue that maybe, just maybe, there was more to the story than met the eye.

It came when I was taking care of Mark’s cat. I knew Mark’s lawyer, and he asked me to feed Mark’s cat until he could find someone to look after them. He had more than one, it turned out. But originally I had only signed up for one cat.

So I hung out at his place, feeding the cats while the rest of the Japanese media stood outside the house waiting for the police to raid his place and haul away evidence. And that was when I spotted, on his desk, the business card of Tigran Gambaryan, a special agent in the Internal Revenue Service known as “The Crypto Wizard.” He was said to be the world’s expert on tracking criminals using the blockchain, the public ledger of Bitcoin.

Why would he be coming from the US to Japan and talking to Mark Karpeles?

But to find out the rest of the story, you’ll have to read The Devil Takes Bitcoin: Cryptocurrency Crimes and The Japanese Connection.

***
