Recent hacks show the vulnerability investors can face when buying speculative tokens on startup exchanges A hack earlier this year at Japan-based Coincheck resulted in hundreds of millions of dollars in investor losses and highlights the risks of trading in bitcoin and other cryptocurrencies, particularly on startup exchanges. PHOTO: CHESNOT/GETTY IMAGES By Paul Vigna March 3, 2018 7:00 a.m. ET 5 COMMENTS Cryptocurrency traders are learning that where they buy and sell digital tokens can be just as risky as choosing a coin or picking a price. Investors have lost more than $700 million this year in hacks of two major cryptocurrency exchanges. The thefts at Florence, Italy-based BitGrail and Japan’s Coincheck bring total investor hacking losses since 2014 to around $1.4 billion, according to a Wall Street Journal review of recent hacks. The hacks reflect an oft-overlooked risk of trading in bitcoin and related digital currencies: While scores of online exchanges have sprung up in the past two years as crypto prices surged, they typically bear little resemblance to the well-financed, better-regulated venues that enable investors to buy and sell stocks, bonds and commodities. Crypto DangerLosses due to hacks on cryptocurrencyplatformsSource: company releasesNote: 2018 figure is through March 2. .million2014’15’16’17’180100200300400500600700$800 Given the peer-to-peer nature of cryptocurrencies, investors don’t have to deal directly with exchanges when they buy these assets. But many have done so because exchanges seem safer and more convenient, a judgment some have come to regret. Jeff Furman, a 22-year old student at Northern Virginia Community College, said he lost about $60,000 worth of nano tokens on the BitGrail exchange in a hack disclosed in February. “It’s hard for me,” he said. He sold some nano at a profit but now wishes he had sold the rest. “I didn’t heed my own gut.” Unlike traditional stock and futures exchanges, whose businesses center on matching up trades for a small fee, crypto exchanges also safeguard investors’ virtual tokens. It is a task that many aren’t up to, investors and technology experts say. “As cryptocurrencies grow, hackers are going to go after digital wallets” and exchanges even more, said George Waller, an adviser at security firm BlockSafe Technologies Inc. Wallet companies act as cryptocurrency brokerage firms and often work closely with exchanges. MORE Cryptocurrency Worth $170 Million Missing From Italian Exchange (Feb. 10) Japanese Cryptocurrency Exchange Coincheck to Pay Back Customers (Jan. 27) New Cyberattack on Cryptocurrency Investors Came From North Korea, Report Says (Jan. 17) Bitcoin’s Latest Glitch: Double Charges at Fast-Growing Coinbase (Feb. 16) Hackers Steal More Than $70 Million in Bitcoin (Dec. 7) The two recent hacks show the particular vulnerability investors can face when buying unproven, speculative tokens on startup exchanges that aren’t regulated and derive a large chunk of volume from the new, untested currencies. The website coinmarketcap.com tracks data for about 190 cryptocurrency exchanges, but only a handful are regulated in the U.S. There are established digital-currency exchanges such as Coinbase’s GDAX, Gemini from Cameron and Tyler Winklevoss’ Gemini Trust Co., and Japan’s BitFlyer that are regulated and employ a variety of security measures. All are regulated by New York state’s Department of Financial Services, which requires measures designed to detect, prevent and respond to fraud and market manipulation. There is nothing to compel an exchange to submit to regulations, however, and many don’t. Moreover, it is possible to buy standardized trading-program software, meaning all the exchange operators have to do essentially is come up with a name and logo. The result is that many new exchanges are plagued by “shoddy management and shoddy systems,” said David Fragale, co-founder of security-services firm Atonomi. A mature financial-services firm, Mr. Fragale said, would implement security controls, risk-management systems, and compliance systems. They want to know who their customers are and what kinds of high-risk activity is taking place on their platforms. Hack AttackSelect losses from cyberattacks oncryptocurrency trading, investing platformsSource: the companies Coincheck(2018)Mt. Gox(2014)BitGrail(2018)Bitfinex(2017)DAO (2016)Youbit(2017)$0 million$200$400$600 On many smaller exchanges, that isn’t happening, and retail investors are exposing their money to a kind of counterparty risk from the exchanges themselves, said Jonathan Levin, chief executive of research firm Coinanlysis. “People don’t know how to protect themselves.” Many of the newer exchanges—BitGrail launched in 2017—hurried to capitalize on an exploding market for smaller, speculative cryptocurrencies that large exchanges wouldn’t handle, said Charles Hayter, CEO of research site CryptoCompare. Established exchanges that host stock, options or futures trading face a variety of federal standards for fair access, cybersecurity and other areas of regulation. They also work closely with heavily regulated banks or brokerage firms, which regularly reimburse customers when a hack or technology problem leads to losses. BitGrail, run by Italian entrepreneur Francesco Firano, was operating without any significant regulatory oversight. It focused on nano, a tiny cryptocurrency that began trading in 2015 under the name raiblocks. For most of its history, raiblocks traded for pennies. Then, in December, it surged from around 20 cents to about $36. Mr. Firano didn’t respond to requests for comment. 'Virtual Currency Girls,' a Japanese pop group, performing in Tokyo on Feb. 16 at a concert for fans and Coincheck owners. PHOTO: NORIKO HAYASHI/BLOOMBERG Coincheck had applied with Japanese regulators for a cryptocurrency-exchange license. In recent weeks, Coincheck has said it plans to compensate its customers. A spokeswoman for the exchange said this week that “we are finalizing how we can pay back money for affected customers.” Customers don’t have to put their money on an exchange when investing in a cryptocurrency, the spokeswoman added. Indeed, when organized cryptomarkets began appearing, it ostensibly added a layer of protection and an institutional element to the nascent market. One of the first such markets was Mt. Gox, which opened in 2010. Within a few years, it was handling around 70% of bitcoin transactions globally. The site had extremely weak security protocols, however. In 2014, it announced that 850,000 bitcoin had been stolen, worth $450 million at the time. The site later recovered 200,000 bitcoin, which today are worth considerably more than they were in 2014. Creditors are still battling to recover their lost funds. —Takashi Mochizuki and Alexander Osipovich contributed to this article. Write to Paul Vigna at paul.vigna@wsj.com