Kraken reveals bug allowed rogue ‘security researchers’ to exploit $3M
After withdrawing $3 million, the researchers began demanding a larger reward for the bug under the bug bounty program, insisting that the exchange would only get its funds back if it paid more.
US-based exchange Kraken lost almost $3 million in its treasury after an unnamed security company exploited a bug on its platform. The chief security officer, Nick Percoco, disclosed this in a post on X, stating that the security firm has refused to return the funds and is now demanding a higher payout as a bounty.
In response, Kraken has escalated the matter to law enforcement agencies and is treating it as a criminal case. Users do not have to worry, however, as the exchange says it has already fixed the vulnerability and no user account was impacted.
Kraken bug allows money printing
According to Percoco, a security researcher alerted Kraken about a critical bug via its Bug Bounty program on June 9. Upon internal investigations, the exchange security team discovered a vulnerability that could allow a bad actor to initiate a deposit into their Kraken account and receive the funds without completing the deposit. A malicious attacker could print millions out of thin air through this exploit.
He explained:
“We discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”
The internal security team mitigated the issue within 47 minutes and fixed it completely a few hours later. The firm traced the bug to a recent change in its UX that allowed client accounts to be credited before their deposited assets had cleared. The change was introduced to enable instant trading, but it was not fully tested against this type of risk.
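The failure mode described above is a ledger that treats an initiated deposit as spendable before it settles. The following added example (not Kraken's code; the class and method names, the amounts and the deposit IDs are all constructed for illustration) contrasts that pattern with one that keeps pending and available balances separate, and adds the reconciliation check a treasury team would want: the amount of credit on the books that is not backed by a settled deposit.

```python
"""Toy deposit ledger: credit-before-settlement versus settled-only spending.

Added example; not code from the exchange. All names and amounts are constructed.
Amounts are integers in the smallest unit to avoid float rounding.
"""
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # deposit announced, funds not yet confirmed on-chain/by the bank
    SETTLED = "settled"       # funds confirmed; safe to spend
    CANCELLED = "cancelled"   # deposit never completed


@dataclass
class Deposit:
    deposit_id: str
    amount: int
    state: DepositState = DepositState.INITIATED


class VulnerableLedger:
    """Credits the spendable balance at initiation (the pattern the article describes)."""

    def __init__(self) -> None:
        self.balance = 0
        self.deposits: dict[str, Deposit] = {}

    def initiate_deposit(self, deposit_id: str, amount: int) -> None:
        self.deposits[deposit_id] = Deposit(deposit_id, amount)
        self.balance += amount  # BUG: credited before the deposit has settled

    def settle(self, deposit_id: str) -> None:
        self.deposits[deposit_id].state = DepositState.SETTLED  # nothing changes; already credited

    def cancel(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        dep.state = DepositState.CANCELLED
        self.balance -= dep.amount  # goes negative if the credit was already withdrawn

    def withdraw(self, amount: int) -> int:
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return amount

    def unbacked_credit(self) -> int:
        """Reconciliation check: credit extended beyond what settled deposits justify.
        A positive value is treasury exposure and should alarm before withdrawals run."""
        settled = sum(d.amount for d in self.deposits.values() if d.state is DepositState.SETTLED)
        total_credited = sum(d.amount for d in self.deposits.values()
                             if d.state is not DepositState.CANCELLED)
        return total_credited - settled


class SettledLedger:
    """Hardened form: only settled funds are spendable; pending credit is tracked separately."""

    def __init__(self) -> None:
        self.available = 0
        self.pending = 0
        self.deposits: dict[str, Deposit] = {}

    def initiate_deposit(self, deposit_id: str, amount: int) -> None:
        self.deposits[deposit_id] = Deposit(deposit_id, amount)
        self.pending += amount  # visible to the user, but not withdrawable or tradeable

    def settle(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit is not pending")
        dep.state = DepositState.SETTLED
        self.pending -= dep.amount
        self.available += dep.amount  # credit moves to spendable only on settlement

    def cancel(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit is not pending")
        dep.state = DepositState.CANCELLED
        self.pending -= dep.amount  # nothing spendable was ever extended

    def withdraw(self, amount: int) -> int:
        if amount > self.available:
            raise ValueError("insufficient settled funds")
        self.available -= amount
        return amount


def demo() -> dict:
    """Run both ledgers through the same sequence: initiate, try to withdraw, deposit never completes."""
    vuln = VulnerableLedger()
    vuln.initiate_deposit("dep-1", 1_000)           # constructed deposit, never settles
    exposure_before = vuln.unbacked_credit()         # the check that would have flagged this
    withdrawn = vuln.withdraw(1_000)                 # succeeds against unsettled credit
    vuln.cancel("dep-1")                             # treasury now holds the loss

    safe = SettledLedger()
    safe.initiate_deposit("dep-1", 1_000)
    try:
        safe.withdraw(1_000)
        blocked = False
    except ValueError:
        blocked = True                               # unsettled funds cannot leave
    safe.cancel("dep-1")

    return {
        "vulnerable_exposure_flagged": exposure_before,
        "vulnerable_withdrawn": withdrawn,
        "vulnerable_balance_after_cancel": vuln.balance,
        "hardened_blocked": blocked,
        "hardened_available": safe.available,
        "hardened_pending": safe.pending,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `unbacked_credit()` is that the weakness is visible in the books before any withdrawal: if credited balances exceed settled deposits, the exchange is lending its own treasury to customers, and that number belongs on a dashboard with an alert threshold of zero.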
However, Percoco added that the incident did not affect users' assets; exploitation of the vulnerability only affected the Kraken treasury.
The security researchers are criminals
Meanwhile, an analysis of the vulnerability found that three accounts exploited the flaw, and one of those accounts was registered under the name of the security researcher who initially contacted the exchange.
While the researcher's own account used the flaw to credit itself only $4, enough to prove the bug was real, the two other accounts withdrew almost $3 million from Kraken using the same exploit. Notably, those accounts belonged to associates of the security researcher.
Kraken explained that its attempts to get the funds returned have been futile as the researchers are now asking for a higher payment that they believe is commensurate with the risk of the bug.
Percoco described this as an act of extortion, which contradicts the principle behind the Bug Bounty program. He added that violating the rules that give white hat hackers a license to test the platform makes these security researchers criminals, and the exchange is treating them as such.