Crypto Exchange Kraken Blackmailed After Bug Bounty Report, $3M Withdrawn From Treasury Assets
In Brief
Crypto exchange Kraken received a Bug Bounty alert from a “security researcher” who later declined to return the funds after the withdrawal.
Nick Percoco, Chief Security Officer of the cryptocurrency exchange Kraken, shared a post on the social media platform X reporting that on June 9th a Bug Bounty program alert was received from a security researcher. The alert, received via email, gave no specific details but claimed the discovery of an “extremely critical” vulnerability that could artificially inflate a balance on the platform.
Kraken identified and addressed a vulnerability that could enable a malicious actor to receive funds in their account without completing the full deposit process. The issue stemmed from a recent user experience (UX) update that allowed client accounts to be credited before their assets had completely cleared, so that users could trade on cryptocurrency markets in real time. This UX change had not been adequately tested against such attack vectors.
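The failure mode described above, as an added illustration that is not Kraken's code: a toy ledger that can either credit the withdrawable balance as soon as a deposit is announced (the weak behaviour) or hold it as pending until the deposit settles (the hardened one). All class, method and account names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum

class DepositState(Enum):
    PENDING = "pending"   # announced to the platform, funds not yet settled
    CLEARED = "cleared"   # settled: safe to spend
    FAILED = "failed"     # never settled (rejected, reverted, re-orged)

@dataclass
class Account:
    available: int = 0    # withdrawable balance, in integer minor units
    pending: int = 0      # shown to the user but not withdrawable

class Ledger:
    """Minimal deposit/withdrawal ledger (hypothetical). credit_before_clearing=True
    models the weak behaviour described above; False is the hardened version."""
    def __init__(self, credit_before_clearing: bool):
        self.credit_before_clearing = credit_before_clearing
        self.accounts = {}   # uid -> Account
        self.deposits = {}   # dep_id -> (uid, amount, DepositState)
    def account(self, uid):
        return self.accounts.setdefault(uid, Account())
    def deposit_initiated(self, dep_id, uid, amount):
        assert amount > 0 and dep_id not in self.deposits
        self.deposits[dep_id] = (uid, amount, DepositState.PENDING)
        if self.credit_before_clearing:
            self.account(uid).available += amount  # weak: spendable before settlement
        else:
            self.account(uid).pending += amount    # hardened: visible, not spendable
    def settle(self, dep_id, cleared):
        # Final state transition; a deposit settles exactly once.
        uid, amount, state = self.deposits[dep_id]
        assert state is DepositState.PENDING
        new = DepositState.CLEARED if cleared else DepositState.FAILED
        self.deposits[dep_id] = (uid, amount, new)
        acct = self.account(uid)
        if self.credit_before_clearing:
            if not cleared:
                acct.available -= amount  # may go negative: the platform absorbs the loss
        else:
            acct.pending -= amount
            if cleared:
                acct.available += amount  # only now does it become withdrawable
    def withdraw(self, uid, amount):
        acct = self.account(uid)
        if amount <= 0 or amount > acct.available:
            return False
        acct.available -= amount
        return True
```

With the weak setting a deposit that never settles leaves the account negative after a withdrawal, which is the platform's loss; with the hardened setting a withdrawal against a pending deposit is simply refused.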
It was also discovered that three accounts had exploited this vulnerability within a short span of time. A thorough investigation determined that one of these accounts belonged to the security researcher who had initially identified and reported the bug.
The “security researcher” later shared details of this bug with two associates. Together, these three accounts managed to withdraw nearly $3 million from Kraken’s accounts, specifically from Kraken’s treasuries and not from client assets. After Kraken reached out to the security researchers to discuss rewarding them for discovering a security flaw through its Bug Bounty program, the researchers declined to return any funds until the exchange estimated the potential financial impact of the bug if it had not been reported.
Nick Percoco emphasized that the incident was perceived as extortion rather than a legitimate white-hat hacking activity, although he did not reveal the name of the research firm involved. He further noted that Kraken views such an incident as a criminal matter and intends to collaborate with law enforcement agencies as appropriate.
Kraken Bug Bounty Program Safeguards Cryptocurrency Users, Acknowledges 22 Reports In 2023
Kraken enables the trading of cryptocurrencies against fiat currencies. Additionally, it offers services for cryptocurrency derivatives and futures trading. Based on information from CoinMarketCap, Kraken holds the sixth position among global cryptocurrency exchanges, with an average daily trading volume of around $741 million.
The Bug Bounty program supports Kraken’s mission to safeguard users in the cryptocurrency market. Kraken commits to refraining from legal action against security researchers who comply with all Kraken Bug Bounty policies. Submissions are evaluated by Kraken, with payouts determined by the severity of the bug and issued in BTC. In 2023, the program acknowledged 22 reports out of a total of 461 submissions.
Disclaimer
In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.
About The Author
Alisa, a dedicated journalist at the MPost, specializes in cryptocurrency, zero-knowledge proofs, investments, and the expansive realm of Web3. With a keen eye for emerging trends and technologies, she delivers comprehensive coverage to inform and engage readers in the ever-evolving landscape of digital finance.