Cryptocurrency exchange Kraken recently revealed that it had fallen victim to a critical security flaw, resulting in the appropriation of $3 million worth of digital assets by a research team.
The incident unfolded after the exchange received a bug report through its bug bounty program on June 9 from a self-described security researcher who claimed to have discovered an “extremely critical” bug that allowed him to “artificially inflate” his balance on the platform.
However, the situation took an unexpected turn when it was discovered that the researcher and their associates had exploited the flaw to withdraw a substantial sum. Kraken has launched a criminal investigation into the matter and is coordinating with law enforcement agencies to address the incident.
Kraken Faces Extortion Attempt
In a social media post, the exchange’s chief security officer, Nick Percoco, said that after receiving the initial bug report, Kraken assembled a cross-functional team to investigate the issue.
Within minutes, they identified an isolated bug that enabled a malicious attacker to initiate a deposit, receive funds in their account without completing the deposit fully, and effectively create assets in their Kraken account for a limited time.
The vulnerability was classified as critical, and the team reportedly mitigated the issue within an hour, ensuring it could not recur. The flaw emerged from a recent user experience (UX) change that allowed clients to trade crypto markets in real time before their assets cleared, a change that had not been thoroughly tested against this specific attack vector.
Further investigation revealed that three accounts had taken advantage of the flaw within a few days of each other. It is alleged that one of these accounts was linked to an individual claiming to be a security researcher who had discovered the bug and credited their account with a “small amount of crypto” to demonstrate the flaw.
However, instead of reporting the vulnerability and earning a bug bounty reward, this individual disclosed the bug to two associates who fraudulently generated much larger sums. In total, the trio withdrew nearly $3 million from Kraken’s treasuries.
When Kraken requested the return of the funds, the researchers refused, demanding discussions with their business development team and specifying a speculated amount that the bug could have caused if undisclosed.
Legal Action Against Research Company
Percoco further disclosed in its address that Kraken firmly denounced the actions of the research team, considering their behavior as “extortion” rather than legitimate white-hat hacking.
The exchange, which has maintained a Bug Bounty program for almost a decade, emphasized that it has never encountered issues with legitimate researchers and has always followed clear rules, such as not exploiting vulnerabilities beyond what’s necessary for proof, providing a proof of concept, and returning any extracted assets immediately.
Lastly, the exchange’s chief security officer also stated that Kraken is treating the incident as a criminal matter and is actively cooperating with law enforcement. While the exchange expressed gratitude for the report, it intends to pursue legal action against the research firm involved.
Featured image from DALL-E, chart from TradingView.com