The cryptocurrency exchange Kraken disclosed that an anonymous security researcher had taken advantage of a “very critical” zero-day vulnerability in its system to pilfer $3 million worth of digital assets, and was refusing to give them back.
Chief Security Officer of Kraken, Nick Percoco, provided details of the incident on X (formerly Twitter). He said the company received a Bug Bounty programme notice regarding a bug that “allowed them to artificially inflate their balance on our platform,” but he did not provide any further information.
Minutes after receiving the notice, the company said it had identified a security flaw that effectively allowed an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”
Although Kraken made clear that no client assets were affected, the flaw could have allowed a threat actor to artificially create balances in their own accounts. The company said the issue was fixed within 47 minutes.
It added that the bug was introduced by a recent user-interface update that lets users deposit funds and use them before the deposit has cleared.
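The defect described above amounts to crediting a spendable balance before a deposit settles. As an added illustration, not Kraken's code and not derived from any Kraken system, the Python sketch below contrasts that weak pattern with one that keeps unsettled deposits in a separate pending balance and only allows withdrawals against settled funds; the confirmation threshold, account model and transaction ids are constructed assumptions.

```python
from dataclasses import dataclass, field

REQUIRED_CONFIRMATIONS = 6  # assumed threshold; the article gives no number

@dataclass
class Account:
    available: int = 0  # settled, withdrawable balance (smallest unit)
    pending: int = 0    # seen on-chain but not yet settled
    deposits: dict = field(default_factory=dict)

def record_deposit(acct, txid, amount, credit_immediately):
    # Weak pattern (True): spendable at initiation. Hardened (False): pending only.
    acct.deposits[txid] = {"amount": amount, "settled": credit_immediately}
    if credit_immediately:
        acct.available += amount
    else:
        acct.pending += amount

def update_confirmations(acct, txid, confirmations):
    # Settle a pending deposit once it reaches the confirmation threshold.
    dep = acct.deposits[txid]
    if not dep["settled"] and confirmations >= REQUIRED_CONFIRMATIONS:
        dep["settled"] = True
        acct.pending -= dep["amount"]
        acct.available += dep["amount"]

def abandon_deposit(acct, txid):
    # Deposit never completed (dropped/reorged); returns the shortfall the
    # platform must cover, non-zero only if an early credit was already spent.
    dep = acct.deposits.pop(txid)
    if dep["settled"]:
        acct.available -= dep["amount"]
    else:
        acct.pending -= dep["amount"]
    return max(0, -acct.available)

def withdraw(acct, amount):
    if amount > acct.available:
        raise ValueError("insufficient settled balance")
    acct.available -= amount

def simulate(credit_immediately):
    # Constructed scenario: deposit seen, withdrawal attempted, deposit never completes.
    acct = Account()
    record_deposit(acct, "tx-constructed-1", 1_000, credit_immediately)
    try:
        withdraw(acct, 1_000)
    except ValueError:
        pass  # hardened path: nothing settled to withdraw yet
    return abandon_deposit(acct, "tx-constructed-1")
```

With early crediting the platform absorbs the full withdrawn amount when the deposit never completes; with the pending balance the withdrawal is refused and the shortfall is zero.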
Furthermore, additional analysis revealed that three accounts, one of which belonged to the purported security researcher, had exploited the vulnerability within a few days of one another in order to steal $3 million.
“This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto,” Percoco stated. “This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our programme.”
“Rather, the ‘security researcher’ revealed this problem to two other collaborators who used it to create fake accounts that earned far bigger amounts of money. In the end, they took out close to $3 million from their Kraken accounts. This came from Kraken’s treasury, not from the assets of other clients.”
Surprisingly, when Kraken approached the researcher to share the proof-of-concept (PoC) exploit that produced the on-chain activity and to arrange the return of the withdrawn funds, the researcher’s company instead demanded that Kraken contact its business development team and pay a certain sum before it would release the assets.
“This is extortion, not white hat hacking,” Percoco declared, pleading with the persons involved to restore the money that had been taken.
The company’s name was not disclosed, but Kraken stated that it is working with law enforcement agencies to address the security incident and is treating it as a criminal case.
“As a security researcher, your licence to ‘hack’ a company is enabled by following the simple rules of the bug bounty programme you are participating in,” Percoco stated. “Ignoring those rules and extorting the company revokes your ‘licence to hack.’ It makes you, and your company, criminals.”