Cryptocurrency custody earthquake! Japan's DMM hack of $312 million prompts push for mandatory registration in 2026
Japan’s Financial Services Agency (FSA) is considering making it mandatory for cryptocurrency custody and trading service providers to register with the authorities. A working group discussed this issue on November 7, planning to restrict exchanges to only use registered service providers. This move was prompted by the 2024 DMM Bitcoin hack, where approximately 48.2 billion yen (about 312 million USD) worth of Bitcoin was stolen. The breach was traced back to an outsourcing partner, Ginco.
DMM Hack Sparks Regulatory Revolution with $312 Million Loss
According to Nikkei News on November 7, a working group under Japan’s Financial System Council, a consultative body to the Prime Minister, discussed new regulations for cryptocurrency custody. The direct catalyst for this discussion was the shocking DMM Bitcoin hacking incident in 2024. The theft involved about 48.2 billion yen (roughly 312 million USD) worth of Bitcoin, marking one of the most severe security incidents in Japan’s crypto history.
Even more alarming was the attack vector. Investigations revealed that hackers did not directly breach DMM Bitcoin’s core systems. Instead, they infiltrated through its outsourcing partner—Tokyo-based software company Ginco. DMM outsourced its trading management to Ginco, which had security vulnerabilities in its systems, making it the weakest link in the security chain. This “supply chain attack” exposes a critical flaw in the current crypto custody system.
Under existing regulations, cryptocurrency exchanges must strictly manage deposits, including storing user assets in cold wallets. After the 2017 Coincheck hack, which resulted in a loss of $530 million, Japan established one of the world’s strictest exchange regulatory frameworks. However, Nikkei points out that there are currently no similar regulations for third-party service providers working with exchanges. This regulatory gap was a root cause of the DMM incident.
The lessons from the DMM case are painfully clear. Even if exchanges comply with all security standards—storing assets in cold wallets and implementing multi-signature controls—if their third-party service providers have vulnerabilities, all defenses can be compromised. Hackers don’t need to directly attack the exchange’s core systems; they only need to exploit the weakest link in the supply chain. This attack method, known as a “supply chain attack,” has become increasingly prevalent in both the traditional finance and tech sectors in recent years.
Most members of the working group supported the proposed new system after discussions and called for clearer regulation of digital assets. This broad consensus reflects how profoundly the DMM incident has shaken Japan’s regulatory authorities. When a single event results in a loss of 312 million USD, regulators have ample reason to take decisive action to close systemic loopholes.
Core Elements of the Cryptocurrency Custody Registration System
The FSA plans to require custody and trading service providers to register with the regulator and to mandate that exchanges only use systems provided by registered custodians. Reports indicate that this aims to address security vulnerabilities that could lead to theft or system failures. The core logic of this system is to bring third-party service providers under the same regulatory framework as exchanges, eliminating regulatory gaps.
The registration system is expected to include the following key requirements:
Capital Adequacy Standards: Ensuring service providers have sufficient financial strength to cover potential losses, enabling compensation for clients in case of security incidents.
Security Audit Obligations: Requiring regular independent security audits, including penetration testing reports and code reviews, to demonstrate compliance with minimum security standards.
Insurance Requirements: Mandating the purchase of cybersecurity insurance and custody asset insurance to protect users against hacking or system failures.
Technical Standards: Specifying encryption algorithms, private key generation and storage methods, multi-signature requirements, and the ratio of cold to hot wallets.
Periodic Reporting: Obliging providers to submit quarterly or annual reports to the FSA, disclosing custody asset volumes, security incident records, system upgrades, and other relevant information.
Penalties for Non-Compliance: Imposing fines, suspension of operations, or criminal charges on unregistered or non-compliant service providers, with similar penalties for exchanges using unregistered services.
Anticipated Registration Framework
Capital Adequacy: Minimum registered capital and ongoing capital requirements
Security Audits: Annual independent audits and penetration testing reports
Insurance Coverage: Mandatory cybersecurity and custody asset insurance
Technical Standards: Encryption strength, private key management, multi-signature protocols
Periodic Reporting: Disclosure of custody volumes and security incidents to the FSA
Penalties for Violations: Fines, suspension, or criminal prosecution
If implemented, this comprehensive regulatory framework would give Japan one of the world’s most stringent regimes for crypto custody services. In comparison, the US and Europe are also tightening regulations but mainly focus on exchanges themselves, with relatively looser oversight of third-party custody providers.
The report indicates that the FSA plans to prepare a formal proposal based on these discussions and aims to submit amendments to the Financial Instruments and Exchange Act during the 2026 parliamentary session. This suggests that new regulations could be enacted as early as late 2026 or early 2027. The legislative process typically takes 12 to 18 months, providing existing service providers with time to prepare.
Global Ripple Effects on Cryptocurrency Custody Industry
Japan’s regulatory innovation could trigger a global chain reaction. As the third-largest crypto market after the US and China, Japan’s policies often set benchmarks for other countries. After the 2017 Coincheck hack, Japan’s strict exchange regulations were adopted by South Korea, Singapore, and others. The new rules targeting third-party custody services are expected to have a similar demonstration effect.
For global custody providers, Japan’s market entry requirements will significantly raise barriers. Small software firms like Ginco that cannot meet registration standards may be forced to exit or make substantial compliance investments. While this short-term industry consolidation may increase costs, it will likely enhance the professionalism and security standards of the custody sector in the long run.
Major international custody firms such as BitGo and Fireblocks are poised to benefit most from this regulatory shift. These companies already have robust compliance and security infrastructures in Europe and North America, making it easier and less costly for them to enter the Japanese market. Conversely, smaller providers lacking capital and technical expertise may face survival challenges.
For Japanese exchanges, the new regulations will necessitate re-evaluating existing custody arrangements. If current service providers cannot obtain registration, exchanges will need to seek alternatives, which could involve system migrations, renegotiating contracts, and managing operational risks. However, in the long term, such regulation should improve overall security and reduce losses caused by third-party vulnerabilities.
Meanwhile, the Financial Services Agency is accelerating its domestic stablecoin initiatives. Last month, it approved Japan’s first yen-pegged stablecoin, JPYC, which was launched shortly thereafter. Last week, the agency announced support for a pilot involving three major Japanese banks—Mizuho Bank, Mitsubishi UFJ Financial Group, and Sumitomo Mitsui Banking Corporation. This regulatory openness combined with tighter custody rules indicates Japan’s pursuit of a balance between innovation and security.
From an international perspective, Japan’s move could set a new global standard. Although the EU’s MiCA framework is comprehensive, it lacks detailed requirements for third-party custody services. US regulation remains fragmented across states. If Japan’s registration system proves effective, other nations are likely to follow suit, eventually establishing a global standard for crypto custody services.
For industry players, this presents an opportunity to proactively position themselves. Those able to meet Japan’s registration requirements early can gain a competitive advantage in the Japanese market and be better prepared for similar regulations elsewhere. Investing in security infrastructure, compliance systems, and insurance coverage will become strategic assets in an increasingly regulated environment.