How Not to Run a Cryptocurrency Exchange

At Japan's Liquid exchange, recently acquired by FTX, warnings were ignored, breaches unreported and employees berated and cursed at, insiders say.

AccessTimeIconMay 17, 2022 at 1:04 a.m. UTC
Updated May 11, 2023 at 6:08 p.m. UTC
Layer 2
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

The Takeaway:

  • From the outside, Japanese exchange Liquid looks like a crypto success story. Trading powerhouse FTX recently acquired it for an undisclosed price estimated to be somewhere between $140 million and $200 million.
  • But former Liquid employees describe a chaotic workplace (even by crypto standards) with questionable security and compliance.
  • For example, sources say that executives downplayed some information security breaches, did not disclose others, failed to adequately address low-level insider theft and prematurely stopped investigations into last year’s $90 million hack.
  • Liquid bought its own QASH token to maintain the price through part of the 2018 bear market and double-counted trades when reporting its volumes, former employees said.
  • Senior management offered IOUs for Telegram’s never-issued GRAM tokens and, according to sources, ignored internal compliance team concerns. Liquid lost millions on the offering.

The December 2018 company Christmas party was awkward, to say the least, for employees of the Japanese cryptocurrency exchange known as Liquid.

Mike Kayamori, co-founder and CEO, wore a Santa Claus suit to the party, held at Liquid’s office, about five minutes from Tokyo Station. About 50 employees were at the party, some of them with their children. A Black employee dressed up as a reindeer.

Kayamori asked the employee, whose wife was in attendance, to get on his hands and knees. The CEO then mounted him like a horse.

People stood with their drinks and watched. Holiday music played in the background.

“He obviously didn’t look happy. He was trying to do his best,” an eyewitness said of the employee.

Shortly afterward, Kayamori apologized to colleagues.

“I wanted a reindeer to cheer up the crowd with me,” he wrote in a message posted on the company’s Slack on Dec. 20, 2018, reviewed by CoinDesk. “I had not even realized what a terrible thing I [had] done until this was brought up to me later.” Kayamori added that he had apologized directly to the employee (who soon left the company).

“I preach diversity and unity,” Kayamori continued. “I will always remember today as the humbling day I let everyone down and that I need to grow as a human being.”

The incident speaks to management problems that long bubbled under the surface at Liquid.

“Of all the things Mike did, I don’t think that was the worst thing,” the eyewitness said. “This was minor.”

Mike Kayamori apologizes for mounting employee
Mike Kayamori apologizes for mounting employee

A chaotic workplace

From the outside, Liquid looks like a crypto success story, albeit with some bumps along the road. It was one of the first exchanges to be licensed in Japan, which boasts some of the world’s toughest regulations for crypto.

Like many exchanges, Liquid weathered hacks, including a $90 million theft last August that forced it to get an emergency loan from crypto derivatives exchange powerhouse FTX. Led by billionaire Sam Bankman-Fried, FTX later agreed to buy Liquid, legally known as Quoine (pronounced “coin”), for an undisclosed price in a deal that closed on April 4 of this year.

Over the past five weeks, CoinDesk interviewed more than a dozen former Liquid employees and other individuals familiar with the exchange’s inner workings. Nearly all of them asked for anonymity for fear of reprisal.

Taken together, the interviews and internal documents reviewed by CoinDesk paint a picture of a chaotic workplace, even by the standards of a global crypto industry known for its hard-charging personalities and loosey-goosey corporate cultures.

Kayamori's management decisions and casual attitude toward information security may have led to security breaches, more than one of which were not adequately disclosed to customers, four former employees said. Employees were berated and cursed at, and their concerns about regulatory, cybersecurity and business risks were ignored.

While some employees tried to do right by users, management was known to dismiss their efforts.

“There are forces of order and good trying to make things happen, but the existing culture has an immune system seeking out and destroying them,” a former employee said.

CoinDesk emailed Kayamori for comment on whether Liquid complied with regulatory expectations, and whether he had anything to say to former employees who expressed their unhappiness with the company’s work culture and his leadership. He did not respond.

Auspicious beginnings

In 2017, Japan was one of the most active places in the world for crypto. It was one of the first countries to regulate cryptocurrency exchanges, requiring them to register with the Japanese Financial Services Agency (JFSA). Japan also introduced a legal definition of “virtual currency” in its Payment Services Act.

“There was huge retail interest, progressive regulators and huge potential for the country to become a real leader in the space,” said Steve Lee, an investment director and head of the Asia-Pacific region at BlockTower Capital.

Liquid was in the pole position. Founded as Quoine in 2014, the exchange pitched itself as a company that did things by the book. It was among the first batch of companies to receive a license and ran one of the country’s largest exchanges. Besides Japan, it had a presence in Singapore and teams based in the Philippines and Vietnam.

The company initially operated two exchanges: Quoinex, which facilitated trading between fiat currency and bitcoin (BTC), and Qryptos, which handled only crypto-to-crypto trades. It later merged the two, rebranding under the name Liquid.

Kayamori had a prestigious resume, having studied at Harvard Business School and the University of Tokyo and worked at SoftBank, the Japanese investment conglomerate. Co-founder Mario Gomez Lozada had worked at financial giants Merrill Lynch and Credit Suisse (CS). Kayamori dealt with the business while Lozada handled the technology and development of financial products.

An early employee remembers working out of a small office consisting of one large room that could fit 10 people comfortably and three meeting rooms, one of which became an extension of the office due to the lack of space.

“Mike was a reasonable leader when times were good,” another former employee said.

Kayamori's grand vision

Kayamori talked a lot about high-level concepts such as “financial inclusion” and “democratizing finance,” the same former employee said. “He had a vague vision, but it was largely detached from reality.”

Then, as now, crypto was an illiquid market compared with traditional stocks or bonds, meaning a large order to buy or sell a coin could be hard to fill and could mightily sway market prices. Kayamori claimed Liquid could solve this problem through a pooling system he called the “World Book.”

There are hundreds of crypto exchanges around the world, each with its own order book, or list of offers to buy or sell a given coin at a specific price. Kayamori wanted to aggregate orders from global exchanges into one order book. An offer to sell a token on the U.S. exchange Coinbase (COIN), for example, could be matched with a buy offer on Liquid if both listed the asset.

World Book roadmap
World Book roadmap

Investors believed in the vision. The company raised roughly $105 million worth of the cryptocurrency ether (ETH) by distributing its native QASH token in an initial coin offering (ICO) in November 2017.

At its peak, Liquid’s community of followers, across the main group in the Telegram messaging app, the subreddit forum on Reddit and social channels ran into the tens of thousands. Many of these were QASH holders.

As an exchange token, QASH could be used to pay trading fees on the issuer’s platform. In a video from the time, Lozada said that other crypto exchanges were willing to adopt QASH and that banks and financial institutions would benefit from doing so. But only a handful of other crypto exchanges listed it.

QASH was created as an ERC-20 standard token running on the Ethereum network, but the project’s white paper (something between a prospectus and a manifesto) called for the creation of a brand-new blockchain by the second quarter of 2019. Migrating to its own blockchain would boost QASH’s value, Lozada said in the video.

Even in Liquid’s glory days, things weren’t quite as they seemed. Kayamori claimed publicly in March 2018 that the company was connected with more than 17 other exchanges. However, in internal Slack messages reviewed by CoinDesk, an employee wrote that “none of the 17 exchanges ever agreed to be part of the external” World Book and that Liquid could access Coinbase’s liquidity only by paying the U.S. company a fee. “We have no official agreement from them,” this employee said.

That year, the U.S. Securities and Exchange Commission (SEC) went after many token issuers for selling unregistered securities to American buyers, but Liquid appears to have not been on its radar. Internal records reviewed by CoinDesk show that 217 individuals from the U.S. bought QASH tokens in the ICO. Those U.S. citizens who took part in the sale bought 10,294,721 tokens at a price of 24 cents each, for a total of $2 million.

Flush with cash

The ICO’s success meant that Liquid had a native token and a road map. The token didn’t tank right after its debut, as many others did. The company had cash to spend.

“It meant that Mike was promising all these things,” said a former employee, who called the ICO “a blessing and a curse.” QASH reached an all-time high of $2.45 on Jan. 14, 2018.

That same month, hackers made off with $520 million in funds from Japanese exchange Coincheck. The hack had reverberations for every exchange in Japan.

“It scared off institutional investors as well as retail investors, slowed down crypto development and brought tougher regulation,” Lee said. “The crypto market in Japan is still struggling to recover from that hack.”

Liquid found itself operating in one of the world’s most tightly regulated jurisdictions for crypto. The JFSA launched a round of inspections and stiffened the rules.

To secure user funds, the regulator stipulated that most customers’ assets be held in cold wallets – with the private keys, or passwords, stored in a hardware device disconnected from the internet or written on a piece of paper locked in a safe.

The last major crypto bear market began in early 2018. Liquid’s financial health was “dented by the crypto market but solvent to the point where they could run for another year and a half at that burn rate,” a former employee said. The company had “at least tens of millions of dollars,” this person said.

The exchange was growing, with staff numbers across offices ballooning from around 50 in 2017 to over 300 in 2018. Senior management decided it was time to move to an office that reflected the company’s future.

In June 2018, Japan employees moved to Kyobashi Edogrand, a glass-and-steel building in one of Tokyo’s most expensive districts. The company occupied a space of over 6,500 square feet, paying around $200,000 per month in rent, two former employees said. The rate was double the city’s average.

During this period, Liquid followed best security practices, two former employees recalled. The office featured a heavily secured “signing room” for crypto transfers. Fingerprints were needed to enter the air-gapped room (where the network was isolated from unsecured ones) and cameras watched from inside and outside. Large withdrawals required sign-off from one employee in Japan and another in the Vietnam office, and these were processed every few hours.

Executive in-fighting

On June 22, 2018, Japanese regulators handed out business improvement orders to the Liquid exchange and five other crypto companies, requiring them to improve their risk management practices. Liquid’s improvement order hindered efforts to do new business in Japan, where half of its client base resided.

Kayamori didn’t address the compliance issues, and instead blamed employees for not generating more revenue in Japan, four former employees said.

The co-founders started feuding. Liquid informally split into two teams as each founder tried to push the other out, six former employees said.

“Their flaws almost balanced each other out in the beginning,” a source close to Liquid said. “It got to the point where they couldn’t even be in the same room.”

“Mario had grown frustrated by the slow pace of development and the repeated failures,” one former employee explained. Lozada believed that Kayamori had put the wrong people in key positions, another said.

Lozada wanted to create Qryptos, a crypto-to-crypto exchange, to supplement the exchange’s primary offering of facilitating trades between crypto and fiat currencies, the former employee explained. Kayamori decided to put a young and inexperienced staff member in charge of the project, who took a week-long vacation two weeks before the launch.

It was the “right time, wrong person,” the former employee said, noting that Binance launched around the same time and became a wildly successful crypto-to-crypto exchange.

While Lozada understood technical matters better than Kayamori, he was not particularly strong at execution, another former employee said. Lozada often yelled at junior staff and ridiculed people for making mistakes, he said.

Kayamori did the same, former employees said. “He was good and humble when he talked to me,” said one source, but he also shouted at employees in team calls, rhetorically asking why everyone was stupid and didn’t do their job well.

People broke into open infighting in public Slack channels. “They would just go nuts on Slack,” a source close to Liquid recalled. Abusive language was pervasive. Team leads referred to employees as “f**king idiots,” “childish,” and to their work as “garbage.”

‘Bizarre favoritism’

Liquid was highly unmeritocratic, two former employees said. There were standards but it didn’t seem to matter if you met them. Managers awarded discretionary bonuses to those close to them.

Kayamori showed “bizarre favoritism,” another former employee said, citing as an example the appointment of fellow SoftBank alumnus Katsuya Konno to Chief Financial Officer.

This person recounted an incident in spring 2018 when Konno was working on the launch of the Japan-focused Liquid mobile app. According to this former employee, Konno spent freely on banner ads, yet there was scant monitoring of ad performance or ad targeting.

At one point, Liquid was notified that its Google advertising accounts were at risk of being shut down for failure to pay about $300,000 in bills. A wire transfer from a bank would take too long to save the account. So a marketing department employee spent most of her day at a convenience store, making one small payment after another until the total amount owed was sent to Google.

Given that the convenience store transfer limit is usually around 250,000 yen (about $2,000), the marketing employee likely spent five hours making 150 transfers, this person estimated.

That same year, Liquid sold a large proportion of ether raised in the ICO at what turned out to be the bottom of the market, two former employees said.

“They held onto it, hedged none of it,” one said, “then panic sold.”

Konno did not respond to a request for comment.

CFO Katsuya Konno responds to compliance concerns.
CFO Katsuya Konno responds to compliance concerns.

‘Hail Mary projects’

The feud between the co-founders not only divided the company, but it meant that staff worked on a huge range of initiatives and products.

“When Mike and Mario were feuding over the company, there were various, crazy ‘hail Mary’ projects that they attempted,” a former employee said.

Among Lozada’s pet projects was a 100x leveraged contract-for-difference (CFD) derivative product called Liquid Infinity, introduced in April 2019 for non-Japanese customers. Such highly leveraged contracts are generally a risky investment, and Liquid’s own limitations made it moreso.

“The exchange’s thin liquidity meant that any medium-large buy or sell could spike or crash the market,” one former employee explained. As a result of those dramatic swings, traders’ highly leveraged positions were more likely to be liquidated, two former employees said.

Also in April 2019, Liquid announced a U.S. venture called Liquid USA. A person with knowledge of the venture said that Liquid management insisted Liquid USA allow “basic” accounts, which did not require know-your-customer (KYC) screening, even though such accounts generated little revenue and were likely to be frowned upon by U.S. regulators.

The venture relied on Liquid’s technology, which this person described as a “huge albatross.” The flagship Japanese exchange sometimes crashed, the person said, and management seemed to prioritize fancy layers of tech over getting the fundamentals right. In late 2020, the U.S. venture was called off.

An employee flags bugs in Liquid's system.
An employee flags bugs in Liquid's system.

Throughout its history, Liquid hemorrhaged talented people responsible for core products, five former employees said.

“The good people left and you have people in roles that probably feel a bit too large for them,” said Norbert Gehrke, founder of Tokyo FinTech, a non-profit organization of Japan fintech enthusiasts. Gehrke invited Kayamori to speak to Tokyo FinTech members in 2017 and is familiar with other Liquid staff.

Double-counting trades

Liquid kept up appearances. QASH held its value in November and early December 2018 even as bitcoin and ether, the crypto market’s bellwethers, tumbled.

It did so thanks, at least in part, to the company buying its own token to sustain the price at 21 cents, Slack messages reviewed by CoinDesk show. It does not appear that Liquid disclosed these purchases publicly.

QASH held steady through November and early December 2018 even as crypto bellwethers BTC and ETH tanked. (TradingView)
QASH held steady through November and early December 2018 even as crypto bellwethers BTC and ETH tanked. (TradingView)

In other messages, employees discussed the company’s practice of double-counting trades. While the industry norm is to count a trade only once, Liquid’s system recorded each trade twice, once for the buy order and again for the sell order. So, for instance, a trade of 1 BTC was recorded as 2 BTC. This reporting practice inflated the exchange’s trade volume, making it look more successful than it was.

Liquid continued to brand itself “the world’s most secure exchange” through 2019, although four former employees said that by this time security had deteriorated.

Two of those employees described an incident in which a customer service employee took advantage of a loophole on the back end to create bogus accounts, using administrator privileges to withdraw small amounts of BTC and XRP from company wallets. The employee made off with around $30,000 worth of crypto.

Liquid’s now-porous security frustrated some of its employees. One of them ran a “pentest,” or penetration test, which attained exchange funds on a thumb drive, and delivered the drive to senior management to demonstrate how easy it was to breach security, two former employees said. Pentests are a form of white-hat, or benevolent, hacking, akin to testing your front door after locking it.

During this period, Kayamori’s priority was dressing up Liquid for sale. In April 2019, announcing a Series C funding round of undisclosed size, he declared Liquid a unicorn, one of only two billion-dollar companies on Japan's startup scene.

“The raise was structured solely to get that billion number out there,” a source close to Liquid said. The round was done in two parts; Liquid raised a larger amount of money at a lower valuation, and then a small amount of money at the unicorn valuation, the source said, calling this decision “a sign of the hubris of Mike Kayamori.”

IEO for an IOU

Kayamori and Konno spent roughly $5 million worth of Liquid’s ICO funds buying allocations of GRAM tokens, which were meant to be the native tokens for messaging app provider Telegram’s ambitious blockchain project, the TON network.

CEO Mike Kayamori stresses the importance of the GRAM IEO.
CEO Mike Kayamori stresses the importance of the GRAM IEO.

“Please work on this as if our survival depends on the success of the Gram IEO because it really does,” Kayamori told employees on Slack. (IEO stands for initial exchange offering, a token sale managed by an exchange, which was a fashionable way to distribute new crypto assets at the time.)

Traders in private markets were buying and selling IOUs for GRAM even though Telegram’s token agreement prohibited buyers from selling their allocations until the network went live.

Liquid purchased the allocations not from Telegram itself but from an entity known as Gram Asia, two former employees said. Gram Asia, in turn, had bought allocations from another party, and so on.

Compliance staff raised questions about delivery risk, operational risk and reputation risk, according to an internal document. On balance, senior management wanted to generate quick revenue.

Internal compliance concerns over GRAM IEO
Internal compliance concerns over GRAM IEO

In October 2019, the SEC sued Telegram, citing violation of U.S. securities law, and the tokens never got minted. Liquid didn’t sell anywhere close to the amount of GRAM tokens it bought, nor did it recoup the funds sent to Gram Asia, three former employees said.

Liquid canceled the GRAM sale in January 2020 and refunded the money to investors. The exchange lost money on the IEO, at least $5 million, three former employees said.

Downgrading offices

In 2020, Liquid cut costs by moving its Tokyo headquarters into a fourth-floor office, which is usually the cheapest, due to the number four’s inauspicious similarity to the Japanese word for death.

The new office, where the company remains, was less than a quarter of the size of the previous office. Unlike the previous headquarters, the new digs had no beds, no cafe and no private rooms; employees worked in an open-plan office.

The signing room was now a thing of the past. By this time, Liquid had started using the services of a cryptographic key management company called Unbound, which relies on a method called multi-party computation (MPC), or “warm wallet” technology.

Crypto exchanges balance business interests against security risks. Users want fast withdrawals, and also expect their funds to be secure. Cold, or offline, wallets are safe from hackers but slow down withdrawals. Hot wallets, connected to the internet, are riskier yet make withdrawals easy. In 2019, MPC technology was a popular middle option, a former Liquid employee recalled.

Spending by the C-suite continued despite the office downgrade.

“They were just blowing through all the money in the ICO on stupid things,” a former employee said, citing executives taking first-class flights between Vietnam and Japan.

There was pressure to make Liquid quickly profitable, which may have driven Kayamori to leap from shiny thing to shiny thing, four former employees said.

Listing fees

Liquid took five- and six-figure token listing fees as high as $250,000 from projects, an internal document reviewed by CoinDesk shows. Their tokens were usually listed on the global part of the exchange, unavailable to Japanese customers. (The document shows one pending deal with a U.S.-based project that would pay an extra $100,000 for a “Japan listing” on top of its $150,000 fee.)

Liquid came close to listing the SHOPIN token before the SEC charged the project’s CEO, Eran Eyal, with fraud. The company also onboarded the ARE token, only to delist it less than a year later.

Yet, at the same time, Liquid declined to list projects that management acknowledged were of high quality if they refused to pay listing fees, according to Slack messages reviewed by CoinDesk. (The absence of listing fees would not necessarily make listing a token unprofitable for the exchange, if it could make money over time on trading fees.)

Slack conversation on token listing standards
Slack conversation on token listing standards

When asked by CoinDesk whether he refused to list high-quality tokens favoring more dubious tokens instead, Seth Melamed, who headed business development at Liquid up to November 2019, before becoming chief operating officer, described listing digital assets as a “multi-faceted process.” Considerations included due diligence, timing and costs of technology implementation, among other factors, he said.

Liquid also allowed U.S. citizens to take part in dozens of ICOs and IEOs, even though these were not registered as securities and thus risked putting the company in the SEC’s crosshairs, said a former employee.

Liquid's U.S. users
Liquid's U.S. users

“There's still the question of whether the offer and sale of the tokens in question qualify as securities transactions, but it's definitely going to put the exchange on the SEC's radar if it wasn't there already,” said Grant Gulovsen, an attorney in private practice who represents clients involved in crypto.

All the while, building the company’s own QASH blockchain continued at a snail’s pace.

“It didn’t get enough attention or manpower,” a former employee said, recalling that six to seven developers spent a week each month building the QASH blockchain.

To become a successful layer 1, or base, blockchain, this person said, QASH needed at least double the number of developers as well as to put together a marketing campaign and a plan to persuade people to use the chain.

According to internal Slack messages from the second half of 2019, management realized Liquid was not going to deliver on ICO investor expectations, such as the proprietary blockchain for QASH and the World Book.

Leak-driven marketing

Also during this period, Liquid took steps to capitalize on another company’s mistake.

In November 2019, Bitmex, a high-flying crypto derivatives exchange known for its leveraged futures contracts, disclosed that it had accidentally revealed tens of thousands of customer email addresses in the “cc” field of a mass mailing.

Liquid got a hold of these addresses and cross-referenced them with those of its own users, according to a former employee and Slack messages reviewed by CoinDesk.

A Liquid marketing manager wrote a plan to court existing customers who had accounts at Bitmex, the former employee said, because these traders were likely to be users of leverage. Liquid aimed to become their preferred place for leveraged trading.

Targeting Bitmex customers who didn’t already have Liquid accounts would have been too risky, the former employee explained.

It is unclear whether Liquid ever followed through on the plan.

Personal laptops for work

In early 2020 employees began working remotely due to the coronavirus pandemic. Kayamori was known not to turn on his camera for online meetings; employees only heard his voice. He appeared to some to leave day-to-day management to Chief Operating Officer Melamed.

From April to June 2020, some employees had to use their personal laptops for work.

“It was a red flag because this is a financial company” that should have provided staff with secure devices, a former employee said. Liquid eventually solved the problem by reallocating laptops from departing employees to those who remained, this person said.

“Instead of taking calculated risks, executives cut the company to pieces at the expense of individual employees,” another former employee said. The company didn’t spend money to capitalize on bull runs or the so-called DeFi summer of 2020, when decentralized finance protocols rewarded users with generous yields for lending their tokens, this person said.

Kayamori persuaded the board to vote Lozada out in the middle of 2020.

When asked about his departure by CoinDesk, Lozada said that it was “amicable.” He did not respond to questions about his performance as co-founder, nor the products and practices he introduced.

Security holes

A higher-than-usual proportion of customer service employees had access to the user accounts at a level that meant they could change user details, view wallet addresses and view funds, a former employee said.

15 Seth Melamed says Liquid is secure.jpg

On Nov. 13, 2020, Liquid was hacked. The exchange blamed security lapses at domain registrar and web hosting company GoDaddy (GDDY).

The vendor “incorrectly transferred control of the account and domain to a malicious actor,” Kayamori wrote at the time. GoDaddy did not respond to CoinDesk’s request for comment.

Kayamori claimed that client funds were accounted for, and remained safe and secure. But two former employees said the full extent of the November 2020 hack was never disclosed. Customer assets and a trove of personal data were stolen, they said.

“Insofar as Mike ever considered security at all, he thought of it as a product that he could buy,” a former employee said sardonically. “Yep, we bought ourselves a security. Got one, don't need to waste any more cash on another ‘security.’”

A tale of two Liquids

Rival Japanese exchanges Coincheck and bitFlyer were beating Liquid domestically. JFSA lifted the business improvement order in 2021, enabling Liquid to do new business in Japan, but the company needed capital.

Two stories about Liquid’s financial health circulated. Earnings posted in public channels and announced in weekly calls made Liquid look like it was doing well, two former ground-level employees said. The company earned most of its money from listing new tokens, making $200,000 to $600,000 in good months, they said.

But two former senior staffers with knowledge of the company’s finances said that Liquid was only profitable for a few months in its lifetime, even with the bull runs of 2020 and 2021.

A source close to Liquid said that management stopped reporting metrics just months after new product launches if the numbers didn’t look good.

“This isn’t only for board decks, this is their own internal data,” the source said. “Mike could not stand failing.”

The $90M hack

On Aug. 19 2021, Liquid suspended withdrawals and deposits. It claimed that it had been hacked again. The size of the hack was later reported to be $90 million.

The hack brought down Liquid’s valuation, three former employees said. It was no longer a unicorn. A week after the hack, FTX extended a $120 million loan to the Japanese exchange.

Liquid said the money would go toward “accelerating new capital generation projects and providing critical liquidity.” (FTX has built its reputation on its derivatives offering and leverage products.)

Within two months, the JFSA awarded Liquid a Type 1 license, which allowed it to offer derivatives in the Japan market. Without a Type 1 license, exchanges can only offer spot trading. Without the loan from FTX, Liquid likely would not have obtained the Type 1 license, a former employee said.

There is still no official explanation for what happened in the hack. Liquid called in security teams, including crisis management firm Blackpanda, to investigate.

“Blackpanda has noted that to respect the confidentiality of all clients (past and prospective) in the crypto industry, it has declined to comment on the matter at hand,” CEO Gene Yu said.

Cold case

Forensic investigations into the August 2021 hack have stopped, two former employees said.

“Pausing a security review before a full report is made is effectively the same as not getting one,” said Josh Smith, founder of Blockwell, which has been a vendor and external token auditor for Liquid for five years.

Liquid held non-Japanese users’ assets in “warm” MPC wallets managed by Unbound because Singapore, which regulated that part of the business, does not require exchanges to hold assets in cold wallets.

A former employee said that before the hack, and without her knowledge, her access had been changed so that she could move funds out of wallets, a task well outside her job description. When she learned this had happened, the employee said, she worried she would be made a scapegoat for the hack.

A different employee would later claim in court papers that’s exactly what happened to her.

Wrongful-termination suit

On March 28, 2022, Liquid’s former head of product and marketing in Japan, Marisa McKnight, filed a wrongful termination suit against Quoine, the official legal entity, claiming that she was “scapegoated” for the hack.

According to documents McKnight filed in Singapore’s High Court, she initially enjoyed a positive and close working relationship with Liquid’s senior management but later became “increasingly excluded and isolated.”

The documents claim that after McKnight resigned in September 2021 (the month after the hack), senior management at Liquid told her she was a suspect in the breach and requested she fly to Japan.

McKnight claims she refused to travel there because of the serious nature of management’s allegations, the two-week quarantine for travelers during COVID-19 and the fact the company did not book her a hotel or return flight. She also said in her claim that Kayamori threatened her. Even though she had resigned, Liquid terminated her with cause in October 2021.

She is suing the company for the loss of 60 shares, worth $210,000, plus loss of reputation and loss of future employment opportunities. On April 19, Quoine issued its defense against McKnight’s claim, denying most of the allegations. She filed a reply on May 4 and the case is pending.

MPC wallets

Five other former employees said they thought it highly unlikely McKnight was involved in the hack.

According to Smith, the Liquid vendor, it was “nigh impossible” that McKnight hacked the exchange given her job title, the level of access it provides and the fact that she worked remotely at the time. Smith's first job in crypto was shutting down an ICO hack mid-sale without a dollar lost, and he has consulted on over a dozen hacks professionally.

Were Unbound’s keys circumvented? Or did Liquid undermine Unbound’s work with wallets whose entire private keys could be compromised?

“Nothing in Unbound’s MPC protection mechanism was compromised, and the theft was not due in any way, shape or form by a weakness in Unbound’s system,” Unbound CEO Yehuda Lindell told CoinDesk. Lindell added that he was “unable to disclose what the cause of the theft was.”

A veteran Liquid vendor said details of previous hacks indicate Liquid at least partly disregarded a fundamental aspect of a secure system, which is having distinct identities for different staff members so the company knows exactly who is accessing internal systems and when.

If that sounds too abstract, consider the bank card in your wallet. Even if you have a joint account with a family member, each of you has a unique card and PIN so your monthly statement shows exactly who made each ATM withdrawal or purchase. But if you shared your card and your PIN with a bunch of people, you’d have no way of knowing which one of them made which transaction.

“It doesn't matter how secure Unbound is if a single set of credentials into the Unbound account is shared around,” the Liquid vendor said.

Inside job?

A source close to Liquid at the time of the hack said that, in his opinion, it couldn't have been carried out by someone who wasn't directly involved in the implementation of the platform.

This source explained that a team called “DevOps” ran and maintained Liquid’s systems and servers. The DevOps staff had built a system only they knew how to operate. They were unafraid of managers who asked them to make changes.

Whoever did the hack “had to be someone who built it or worked with it frequently, because they had one chance to get this right ... and they got it right,” the source opined.

When asked to describe what happened in the form of a bank robbery analogy, this source said:

“Two bank security guards decide that they want to rob the place. In the middle of the night, they open up a seldom-used side door that leads to the outside. They toss many bundles of cash out that side door, then one ties up the other and beats him up. They are trying to make it look like an intruder came in that side door, caught the guard unawares, took his keys, grabbed the cash and fled to Neptune.”

Asked what Liquid should do to protect the assets of current users, this source said: “Suspend operations for 90 days, immediately fire anyone even tangentially involved with the design, construction or operation of the existing trading platform, and rebuild from scratch with untainted servers and engineers.”

FTX acquires Liquid

Five months after the hack, FTX announced it was acquiring Liquid Group. It intended to buy all shares, stock options and warrants from shareholders, according to contracts reviewed by CoinDesk. The dates on the contracts are blacked out.

A Liquid competitor, Japan crypto exchange bitFlyer, was recently valued at up to $370 million. Gehrke said that Liquid was likely sold at a discount to bitFlyer's value as a result of the hack, so possibly around $200 million. “From an FTX perspective, it's a bargain, right?” he said.

Another source close to Liquid said the company had around 40,000 shares. McKnight's lawsuit and a shareholder document reviewed by CoinDesk indicate the per-share price was $3510.41, so on the basis of that share count, the company would have sold for roughly $140 million.

FTX declined to comment on Liquid’s compliance and security issues and did not answer questions about its own due diligence on the acquisition.

By acquiring Liquid, FTX gained the ability to offer derivatives in the Japan market and picked up licenses on the cheap. Japan has been more cautious about approving new licenses for crypto exchanges over the last few years. Even Nasdaq-listed Coinbase, one of the world’s most successful exchanges, did not get a Japanese license until June 2021, three years after it announced plans to do business there.

On May 1, Kayamori emailed shareholders from FTX’s office in the Bahamas, confirming that the acquisition had closed and that Liquid would now operate under the name FTX Japan. FTX plans to migrate its Japanese customers to Liquid's platform. Investors can swap Liquid’s QASH token for FTX’s FTT.

In his email, Kayamori said his vision for Liquid had been to provide financial services for all.

“We knew it was not going to be easy but, to be honest, I never thought it would be this difficult either,” he wrote. “But as the 19th century German philosopher Friedrich Nietzsche once said, what doesn’t kill you only makes you stronger. And we were able to withstand all challenges to become part of the FTX family.”

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Lavender Au

Lavender Au is a CoinDesk reporter with a focus on regulation in Asia. She holds BTC, ETH, NEAR, KSM and SAITO.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.