A vulnerability found by a “security researcher” led to nearly $3 million being taken from Kraken’s treasury. The cryptocurrency exchange says the “security researchers” who identified the flaw on its platform turned to “extortion” after withdrawing approximately $3 million from the exchange’s treasury.
Nick Percoco, Kraken’s Chief Security Officer, shared on the social media platform X (formerly Twitter) that the company received an alert from a security researcher on June 9 regarding a vulnerability allowing users to artificially inflate their balances. According to Percoco, the bug “enabled a malicious attacker, under certain conditions, to initiate a deposit and receive funds in their account without fully completing the deposit.” Kraken promptly fixed the issue upon receiving the report, ensuring no user funds were impacted. However, subsequent events raised significant concerns for Kraken’s team.
The security researcher allegedly informed two other individuals about the bug, who then “fraudulently” withdrew nearly $3 million from their Kraken accounts. “This was from Kraken’s treasuries, not client assets,” Percoco clarified. The initial bug report did not mention the transactions involving the other individuals, and when Kraken requested more details, the researchers refused to comply.
“Instead, they demanded a call with their business development team (i.e., their sales reps) and have not agreed to return any funds until we provide a speculated dollar amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking; it is extortion!” Percoco stated.
Kraken did not disclose the identities of the researchers, but the blockchain security firm CertiK later reported in a social media post that it had found several vulnerabilities in the exchange. CertiK conducted “multi-day testing” and noted the bug could be exploited to create millions of dollars worth of crypto. “Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than $1M USD) can be withdrawn and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period,” CertiK’s post explained. However, CertiK claimed the situation deteriorated after its initial conversation with Kraken. “Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” the X post added.
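The flaw class described above (a balance credited before the deposit has actually completed) and the missing alerting CertiK mentions can both be illustrated with a small ledger model. The following is an added example written for this article, not Kraken’s or CertiK’s code, and it assumes nothing about Kraken’s real deposit pipeline beyond the one-sentence description quoted from Percoco: a hypothetical `Ledger` class with a deposit state machine, a `credit_on_initiate` switch that reproduces the flaw class versus the hardened behaviour (credit only on confirmation), and a `reconcile` check that flags accounts whose withdrawals exceed their confirmed deposits, which is the kind of control that should have raised an alert during multi-day testing.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # transaction seen, not yet final
    CONFIRMED = "confirmed"   # finality reached, funds actually held
    FAILED = "failed"         # transaction dropped or reverted


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: Decimal
    state: DepositState = DepositState.INITIATED


class Ledger:
    """Hypothetical exchange ledger (constructed for illustration).

    credit_on_initiate=True reproduces the flaw class the article describes:
    the spendable balance is credited before the deposit completes.
    credit_on_initiate=False is the hardened behaviour: credit only on
    confirmation, so nothing is spendable until the funds are really held.
    """

    def __init__(self, credit_on_initiate: bool):
        self.credit_on_initiate = credit_on_initiate
        self.spendable = {}      # account -> Decimal
        self.deposits = {}       # deposit_id -> Deposit
        self.withdrawals = []    # (account, amount) audit trail

    def _credit(self, account: str, amount: Decimal) -> None:
        self.spendable[account] = self.spendable.get(account, Decimal(0)) + amount

    def initiate_deposit(self, dep: Deposit) -> None:
        self.deposits[dep.deposit_id] = dep
        if self.credit_on_initiate:
            self._credit(dep.account, dep.amount)   # the bug: funds not yet received

    def confirm_deposit(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        if dep.state != DepositState.INITIATED:
            return
        dep.state = DepositState.CONFIRMED
        if not self.credit_on_initiate:
            self._credit(dep.account, dep.amount)   # hardened: credit only now

    def fail_deposit(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        if dep.state != DepositState.INITIATED:
            return
        dep.state = DepositState.FAILED
        if self.credit_on_initiate:
            # Reversal after the funds were already withdrawn only leaves a
            # negative balance on the books; the money itself is gone.
            self.spendable[dep.account] = self.spendable.get(dep.account, Decimal(0)) - dep.amount

    def withdraw(self, account: str, amount: Decimal) -> bool:
        if self.spendable.get(account, Decimal(0)) < amount:
            return False
        self.spendable[account] -= amount
        self.withdrawals.append((account, amount))
        return True

    def reconcile(self) -> dict:
        """Detection control: accounts whose total withdrawals exceed their
        total CONFIRMED deposits. Returns {account: shortfall}; an empty dict
        means the books balance against settled funds."""
        confirmed = {}
        for dep in self.deposits.values():
            if dep.state == DepositState.CONFIRMED:
                confirmed[dep.account] = confirmed.get(dep.account, Decimal(0)) + dep.amount
        withdrawn = {}
        for account, amount in self.withdrawals:
            withdrawn[account] = withdrawn.get(account, Decimal(0)) + amount
        return {
            acct: total - confirmed.get(acct, Decimal(0))
            for acct, total in withdrawn.items()
            if total > confirmed.get(acct, Decimal(0))
        }


def run_scenario(credit_on_initiate: bool):
    """Constructed scenario: a deposit is initiated, a withdrawal is attempted
    before it confirms, and the deposit then never completes.
    Returns (withdrawal_succeeded, reconciliation_findings)."""
    ledger = Ledger(credit_on_initiate)
    ledger.initiate_deposit(Deposit("dep-1", "acct-A", Decimal("1000")))
    withdrew = ledger.withdraw("acct-A", Decimal("1000"))
    ledger.fail_deposit("dep-1")
    return withdrew, ledger.reconcile()


if __name__ == "__main__":
    print("flawed ledger:  ", run_scenario(True))    # withdrawal succeeds, shortfall flagged
    print("hardened ledger:", run_scenario(False))   # withdrawal refused, nothing to flag
```

The two behaviours differ only in when `_credit` runs. Running `reconcile` on a schedule (or on every withdrawal) against confirmed deposits rather than the spendable balance is what turns the flaw into an alert instead of a silent loss, which is the gap CertiK’s post points at when it says no alerts fired.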
Bug bounty programs, utilized by many firms to enhance their security systems, invite third-party hackers, known as “white hats,” to identify vulnerabilities so the company can address them before they are exploited by malicious actors. Kraken’s competitor, Coinbase, has a similar program to alert the exchange of vulnerabilities.
To be eligible for the bounty, Kraken’s program requires a third party to identify the problem, exploit the minimum amount needed to prove the bug, return the assets, and provide details of the vulnerability. Kraken stated in a blog post that since the security researchers did not follow these rules, they would not receive the bounty.