Zaif.jp Unapproved

zaif.jp. I approached this Japanese crypto exchange with a short, fact-first review of past incidents, present licensing, ownership shifts, and any whiff of censorship. What follows are discrete findings, each anchored in verifiable records or clearly labeled when uncertain.

Major 2018 hack and service suspension. The most material red flag is historical: in September 2018, hackers accessed Zaif’s hot wallets and stole roughly ¥6.7 billion (≈$60 million) in BTC, BCH, and MONA. The operator at the time (Tech Bureau) halted deposits and withdrawals and publicly acknowledged the breach. This remains the exchange’s single biggest adverse event and frames much of the subsequent regulatory and corporate churn..

Regulatory sanctions tied to the breach—and earlier weaknesses. Japan’s regulators issued multiple “business improvement orders” to Tech Bureau in 2018—first in March and June for governance, compliance, and system-risk issues, then a third order after the hack, demanding root-cause analysis, customer remediation, and stronger controls. These are formal administrative actions recorded by the Financial Services Agency and Kinki Finance Bureau.

Pre-hack systems glitch: ‘0-yen’ Bitcoin incident. In February 2018—months before the hack—Zaif admitted a pricing bug that briefly let users “buy” Bitcoin at 0 yen via a simplified trading interface; seven accounts were involved and the trades were reversed. As a red flag, the event underscores earlier control gaps in order routing and validation.

Ownership upheavals and shifting control. After the 2018 breach, Zaif’s business was transferred from Tech Bureau to FISCO’s crypto arm, which publicly took over operational responsibility in late 2018–2019. Since then, corporate control has moved again: CAICA-related entities became deeply involved, the operating company changed name to Zaif Inc. in 2023/2024, and in 2025 there were further restructurings around ZED Holdings (which owns Zaif), including a “dation in payment” transaction and subsequent M&A disclosures referencing Kushim, CAICA Financial Holdings, and Nexx Group. The through-line: governance has been in flux, with multiple parent-level changes in a short span—something risk teams should track closely.

Litigation stemming from the hack (AML angle). In 2020, Fisco (the then-operator of Zaif) sued Binance in U.S. federal court, alleging the platform helped launder about $9 million of Zaif’s stolen crypto due to lax KYC at the time. The case was later voluntarily dismissed without prejudice, but it highlights the chain-of-custody and AML risks that followed the breach.

Current license status (positive factor). Today, Zaif operates as a licensed crypto-asset exchange in Japan. The FSA’s latest official register lists Zaif Inc. (Kinki Finance Bureau Registration No. 00001), including its Osaka address and the assets it is permitted to handle. Zaif also appears in the JVCEA’s member database of first-tier (Type I) members—meaning it’s under both statutory and self-regulatory supervision. This doesn’t erase past incidents, but it does indicate ongoing regulatory oversight.

Operational/brand-abuse risks: phishing and impersonation. Zaif warns users about persistent impersonation campaigns—fake websites/apps, spoofed “support” emails, and fraudulent social accounts—explicitly listing deceptive domains and urging two-factor authentication. From a user-risk perspective, the prevalence of look-alikes means customers should double-check the canonical zaif.jp domain and avoid links from messages.

Customer experience signals (mixed, low-evidence). Public review sites and forum posts offer a mixture of positive and negative anecdotes about withdrawals and app stability. These are unverified and easily polluted by impostor-site victims; I treat them as weak signals compared to regulatory filings and official notices.

Evidence of censorship or takedowns. I looked for credible reports of Zaif (or its owners) pressuring outlets to remove critical content or issuing legal takedowns of unfavorable reporting. I did not find substantiated cases tied to zaif.jp. Absence of evidence is not evidence of absence, but nothing surfaced in reputable records during this check.

Continuity vs. turbulence. On one hand, Zaif’s licensing and inclusion in JVCEA suggest a compliant operating posture and continued scrutiny from Japanese regulators. On the other, the exchange carries notable historical baggage: the 2018 hack, pre-hack control failures, and a complex, still-evolving ownership story. For prospective users, my pragmatic recommendations are: (1) verify you are on zaif.jp and enable mandatory 2FA; (2) keep only working balances on-exchange, preferring self-custody for long-term holdings; (3) monitor corporate and regulatory disclosures for further ownership changes; (4) review JVCEA/FSA notices periodically; and (5) start with small test deposits/withdrawals to validate operational reliability. Overall, I assess moderate risk rooted in legacy incidents and governance churn, mitigated by present-day licensing and transparent security advisories.