By Key Points
- White-hat hackers steal $3M from Kraken
- Hackers use bug, keep funds
- Kraken brings in law enforcement
- Two hours to identify and contain bug
Security Researchers Use Kraken Bug
Kraken, a leading cryptocurrency exchange, is in a dispute with an unnamed group of white-hat hackers who have refused to return $3 million taken from its treasury. The hackers exploited a crucial bug that allowed users to inflate their balances artificially.
Chief Security Officer Nick Percoco made the situation public through several X posts. The hackers are asking for potential damages paid by Kraken before they give back the money.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
On June 9th, a security researcher reported an “extremely critical” bug to Kraken’s Bug Bounty program. Users could inflate their balances by initiating deposits without completing them and then withdrawing from the company’s treasury. Although it warned against false positives, the firm took this claim seriously and assembled an internal team promptly.
This team confirmed the bug two days later: It stemmed from a flaw in Kraken’s latest user experience (UX), which let attackers credit their accounts and make withdrawals without completing actual deposits. Customer funds were not at risk but this vulnerability could have had severe consequences for the company’s treasury operations.
Within two hours of discovering it, the team contained the issue. But three accounts had already used that exploit – one owned by the same researcher who had found it; instead of reporting it immediately, they credited themselves with $4 worth of crypto and told two friends who withdrew about $3 million between them using higher amounts.
White-Hat Hackers Refuse to Return $3M Stolen From Kraken’s Treasury pic.twitter.com/qT2HEVXm6H
— Nickle Tipper (@NotAnotherTip) June 20, 2024
Bug Bounty Turns Into Extortion
Kraken reached out to those researchers requesting stolen assets returned along with full disclosure of what they did only for them to refuse because according to them Kraken attitude was not reasonable or professional so requested that it should give them an estimated damage report on what could have been lost if they hadn’t found out about this bug.
In his response, Percoco said that Kraken has treated the affair as a criminal case by involving law enforcement agencies. “We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends,” he stated.
Kraken’s response demonstrates how complicated relationships can be between platforms being secured through white-hat hacking and those doing it for them. Ethical hacking is important because it reveals vulnerabilities; however, in cybersecurity, there must also exist clear ethical boundaries as well as professional standards which need to be upheld at all times.
