After being hacked, DMM made a big move! The Japanese Financial Services Agency has requested enhanced audits and exchanges are facing strict supervision.

Regulatory Storm Strikes: FSA Launches Multiple Initiatives

The Financial Services Agency (FSA) of Japan released the 'Report on the Heightened Internal Audit of Financial Institutions (2024)' in September this year, explicitly stating that the internal audit of financial institutions must be significantly upgraded, especially naming the need for enhanced internal monitoring and security measures for cryptocurrency exchanges. According to this report, the FSA plans to update the 'Current Situation and Issues' guidelines on December 25 and will hold a discussion meeting called 'Roundtable Meeting to Strengthen Internal Audits of Financial Institutions' in late January 2025. At that time, in addition to inviting representatives from the Bank of Japan and industry associations, it also emphasizes collaboration with the Japan Virtual Currency Exchange Association (JVCEA), with the hope of jointly formulating new standards to respond to the risks and trends in the global cryptocurrency market.

The Financial Services Agency has mentioned the importance of 'international trends' multiple times before the meeting, indicating that the Japanese government hopes to align with foreign regulatory agencies while also considering domestic characteristics. Looking back at the major hacker incidents this year, especially the DMM Bitcoin theft case with a scale of about 370 million USD (including over 4,500 bitcoins), it shows that significant security vulnerabilities will cause severe impacts on exchanges and the entire financial market. This time, the FSA not only issued strict guidelines for traditional banks but also explicitly required cryptocurrency exchanges to implement internal control checks of the same level as banks. This move is seen as a major step towards 'financial integration regulation' in Japan. It is generally believed that the hacker attack cases that will follow in 2024 have become the catalyst for the government to take strong measures to regulate.

Image source: FSA FSA will hold a roundtable conference on strengthening internal audit of financial institutions in late January 2025

DMM Bitcoin hacked aftermath: North Korean hackers become the target

If we talk about where the impetus for this enhanced audit comes from, we cannot fail to mention the hacker incident that shocked the industry in May when DMM Bitcoin was hacked. The attack was assessed by the Japanese police and the FBI, and the mastermind behind it was very likely the TraderTraitor organization closely related to the North Korean government. The case led to the loss of over 4,500 bitcoins from DMM Bitcoin, worth about 307 million US dollars. Despite DMM Bitcoin's subsequent claim to have received compensation for the losses from the group, the strong negative perception led the exchange to announce the closure of some businesses shortly afterwards, and even rumors of a possible complete withdrawal from the market.

"Hackers stealthily infiltrated the internal system and obtained crucial permissions by tricking employees into clicking on malicious links, ultimately successfully withdrawing a large amount of Bitcoin," explained an anonymous cybersecurity expert, adding, "This highlights the prevalent human vulnerabilities in cryptocurrency exchanges, namely inadequate employee education and weak internal firewalls."

Nowadays, North Korean hackers have become the "number one enemy" of the Japanese financial and government sectors. The so-called TraderTraitor, also known as Jade Sleet, UNC4899, or Slow Pisces, has committed multiple crimes in Asia. These signs have made the FSA more vigilant, believing that it is necessary to improve audits, regularly inspect employee operations, and strengthen cybersecurity infrastructure in order to block such high-level attacks.

Encryption and traditional finance are both affected: the integrated regulatory pattern is taking shape

Obviously, the new FSA measures are not only aimed at a single block, but intend to create an "integrated regulation": under the financial regulatory system in Japan in the past, the payment system was under the control of the central bank, and digital assets belong to the scope of the Securities Trading Act, which led to relatively loose regulation and more vulnerable information security in the cryptocurrency market. Now, the FSA states that it wants to include traditional banks and cryptocurrency exchanges in a more rigorous internal audit specification, indicating that the government wants to examine risk management processes with the same standards. For exchanges, this means starting to conduct in-depth checks on their own systems, including employee security training, system access level division, and effective multi-signature management are all key points.

At the roundtable meeting scheduled for January next year, in addition to traditional financial leaders, JVCEA, as the representative of 'autonomous regulation' for the Japanese cryptocurrency industry, will also play a key role. In recent years, the association has been working hard to promote higher standards of capital preparation and technical audits for exchanges, but with limited success. Many international exchanges still have concerns about the Japanese market, partly due to hacker threats and partly due to regulatory uncertainty. After the FSA's adjustments, if a clear audit framework can be established, it may help improve this atmosphere.

Prospects: Can a safe ecosystem be created?

It is undeniable that the Japanese digital asset market is currently facing external threats and internal worries. In terms of external threats, the activities of North Korean hacker groups continue to intensify; in terms of internal worries, there is a division in the regulatory aspect and insufficient industry self-discipline. However, the FSA has comprehensively adjusted its internal audit regulations, which to some extent shows that the authorities are trying to reverse the image and security of Japan's encryption industry. Although the details are still to be determined at the roundtable meeting, if the relevant terms can be implemented, it will help strengthen investor confidence and may also inject a shot in the arm for the overseas funds that Japan's market lacks.

According to market observations, if the audit mechanism is indeed improved, the evaluation time for assessing risks when foreign or domestic capital repositions in Japan in the future may be greatly shortened, which will help the overall trading volume to recover. However, for exchanges, costs are bound to increase: more funds will be invested in hiring senior cybersecurity experts, deploying high-intensity audit tools, and strengthening employee education and training, which may test the survival ability of some small and medium-sized operators.

Overall, the strict audit required by the Japanese Financial Services Agency represents the government's high requirements for market order and security, and is also aimed at preventing similar incidents like the DMM Bitcoin attack from happening again. Whether or not hackers can be completely prevented, it will probably require long-term cooperation between the industry and the government. However, at least from the regulator's perspective, Japan is gradually forming a new financial paradigm of strengthening self-regulation and regulation, which is worth paying attention to for the Japanese cryptocurrency industry and even the global market.

"DMM's big moves after being hacked! Japanese FSA demands enhanced auditing and strict regulation of exchanges." This article was first published in "Crypto City".