Crypto Exchange Kraken Blackmailed After Bug Bounty Report, $3M Withdrawn From Treasury Assets

Date: 2024-06-19

In Brief: Crypto exchange Kraken received a Bug Bounty alert from a “security researcher” who later declined to return the funds after the withdrawal.

Nick Percoco, Chief Security Officer of the cryptocurrency exchange Kraken, shared a post on the social media platform X stating that on June 9 a Bug Bounty program alert was received from a security researcher. The alert, received via email, did not provide specific details but mentioned the discovery of an “extremely critical” vulnerability that could potentially inflate the platform’s balance artificially.

Kraken identified and addressed a vulnerability that could enable a malicious actor to receive funds in their account without completing the full deposit process. The issue stemmed from a recent user experience (UX) update that allowed client accounts to be credited before their assets had completely cleared, so that clients could trade cryptocurrency markets in real time. This specific UX change had not been adequately tested against such potential attack vectors.
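The root cause described above, an account credited with a withdrawable balance before the deposit has settled, is easiest to see side by side with the corrected design. The following is an added example written for this article, not Kraken’s code, and the class and function names (UnsettledCreditLedger, SettledCreditLedger, run_scenario) and the deposit scenario are all constructed for illustration. The hardened ledger keeps a separate pending balance so the UX can still show the incoming funds, but only settled funds can ever leave the exchange, and a deposit that fails to confirm leaves no shortfall behind.

```python
"""Two deposit-ledger models: credit-on-sight (vulnerable) vs credit-on-settlement.
Illustrative example, not exchange code. Amounts are integers in a token's smallest unit."""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"        # observed but not yet final on the source chain
    CONFIRMED = "confirmed"    # reached the required confirmation depth
    FAILED = "failed"          # reorged out, reversed, or never finalised


@dataclass
class Deposit:
    deposit_id: str
    amount: int
    state: DepositState = DepositState.PENDING


@dataclass
class Account:
    available: int = 0     # balance that may leave the exchange
    pending: int = 0       # balance shown to the client but not yet settled
    deposits: dict = field(default_factory=dict)


class UnsettledCreditLedger:
    """Vulnerable pattern: the withdrawable balance is credited as soon as a deposit is seen."""

    def __init__(self):
        self.accounts = {}

    def deposit(self, user, dep):
        acct = self.accounts.setdefault(user, Account())
        acct.deposits[dep.deposit_id] = dep
        acct.available += dep.amount      # defect: unsettled funds become withdrawable

    def fail_deposit(self, user, deposit_id):
        acct = self.accounts[user]
        dep = acct.deposits[deposit_id]
        dep.state = DepositState.FAILED
        acct.available -= dep.amount      # can go negative: the shortfall is the exchange's loss

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        if acct.available < amount:
            return False
        acct.available -= amount
        return True


class SettledCreditLedger:
    """Hardened pattern: pending credit is visible, but only settled funds can be withdrawn."""

    def __init__(self):
        self.accounts = {}

    def deposit(self, user, dep):
        acct = self.accounts.setdefault(user, Account())
        acct.deposits[dep.deposit_id] = dep
        acct.pending += dep.amount        # shown in the UI, never withdrawable

    def confirm_deposit(self, user, deposit_id):
        acct = self.accounts[user]
        dep = acct.deposits[deposit_id]
        if dep.state is DepositState.PENDING:
            dep.state = DepositState.CONFIRMED
            acct.pending -= dep.amount
            acct.available += dep.amount  # settlement is the only path to 'available'

    def fail_deposit(self, user, deposit_id):
        acct = self.accounts[user]
        dep = acct.deposits[deposit_id]
        if dep.state is DepositState.PENDING:
            dep.state = DepositState.FAILED
            acct.pending -= dep.amount    # nothing withdrawable was ever granted

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        if acct.available < amount:       # pending balance never counts here
            return False
        acct.available -= amount
        return True


def run_scenario():
    """Constructed scenario: a 1,000,000-unit deposit that is seen but never settles."""
    dep_amount = 1_000_000

    weak = UnsettledCreditLedger()
    weak.deposit("alice", Deposit("d1", dep_amount))
    weak_withdrew = weak.withdraw("alice", dep_amount)   # succeeds before settlement
    weak.fail_deposit("alice", "d1")
    weak_shortfall = -weak.accounts["alice"].available   # loss now borne by the exchange

    hard = SettledCreditLedger()
    hard.deposit("bob", Deposit("d2", dep_amount))
    hard_withdrew_pending = hard.withdraw("bob", dep_amount)   # refused: nothing settled
    hard.fail_deposit("bob", "d2")
    hard_shortfall = -hard.accounts["bob"].available

    # Control case: the hardened ledger still pays out once a deposit confirms.
    hard.deposit("carol", Deposit("d3", dep_amount))
    hard.confirm_deposit("carol", "d3")
    hard_withdrew_confirmed = hard.withdraw("carol", dep_amount)

    return {
        "weak_withdrew_unsettled": weak_withdrew,
        "weak_shortfall": weak_shortfall,
        "hard_withdrew_unsettled": hard_withdrew_pending,
        "hard_shortfall": hard_shortfall,
        "hard_withdrew_confirmed": hard_withdrew_confirmed,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly and the result shows the vulnerable ledger paying out 1,000,000 units against a deposit that never arrives, while the settled ledger refuses the same withdrawal, ends with no shortfall, and still honours the withdrawal once the deposit confirms. The design point is that the UX concern (showing funds promptly) and the settlement concern (what may leave the exchange) are tracked as two balances, so a display-speed change cannot silently widen what is withdrawable.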

Additionally, it was discovered that three accounts had exploited this vulnerability within a short span of time. A thorough investigation determined that one of these accounts belonged to the security researcher who had initially identified and reported the bug.

The “security researcher” later shared details of this bug with two associates. Together, these three accounts withdrew nearly $3 million from Kraken, specifically from Kraken’s treasuries and not from client assets. After Kraken reached out to the researchers to discuss rewarding them through its Bug Bounty program, they declined to return any funds until the exchange provided an estimate of the financial impact the bug could have had if it had not been reported.

Nick Percoco emphasized that the incident was perceived as extortion rather than a legitimate white-hat hacking activity, although he did not reveal the name of the research firm involved. He further noted that Kraken views such an incident as a criminal matter and intends to collaborate with law enforcement agencies as appropriate.

“To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.” — Nick Percoco (@c7five) June 19, 2024

Kraken Bug Bounty Program Safeguards Cryptocurrency Users, Acknowledges 22 Reports In 2023

Kraken enables the trading of cryptocurrencies against fiat currencies. Additionally, it offers services for cryptocurrency derivatives and futures trading. Based on information from CoinMarketCap, Kraken holds the sixth position among global cryptocurrency exchanges, with an average daily trading volume of around $741 million.

The Bug Bounty program supports Kraken’s mission to safeguard users in the cryptocurrency market. Kraken commits to refraining from legal action against security researchers who comply with all Kraken Bug Bounty policies. Submissions are evaluated by Kraken, with payouts determined by the severity of the bug and issued in BTC. In 2023, the program acknowledged 22 reports out of a total of 461 submissions.

