Kraken’s $3 million bug exploit leads to criminal investigation Kraken’s $3 million bug exploit leads to criminal investigation
Kraken said the security researchers actions were criminal in nature.
1 min read
Updated: Jun. 19, 2024 at 4:39 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
Crypto exchange Kraken reported that a rogue security research company has unilaterally held on to $3 million in digital assets they exploited from a bug on its platform.
Kraken’s Chief Security Officer Nick Percoco detailed the incident on X, revealing that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug affecting its funding system.
The bug
According to Percoco, the flaw, stemming from the exchange’s recent UX change, would allow a malicious actor to inflate their account balances artificially. He explained:
“Our team identified a flaw from a UX change that credited accounts prematurely, allowing users to trade in real time before asset clearance. This change was not adequately tested against this specific vulnerability… [So,] a malicious attacker could effectively print assets in their Kraken account.”
After fixing the bug, Kraken found that three accounts had exploited this flaw within a few days. Percoco disclosed that the security researcher had shared the information with two associates, who subsequently withdrew nearly $3 million from Kraken’s treasury.
Extortion?
Percoco stated that Kraken contacted these individuals for a full report and to return the withdrawn funds.
However, these requests were ignored. Instead, the researchers demanded a speculative sum for the potential damages the bug could have caused if undisclosed.
Percoco condemned these actions as unethical and criminal, stating:
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”
Consequently, Kraken is now treating this incident as criminal and is working with law enforcement authorities.
Kraken has yet to respond to CryptoSlate’s request for additional commentary as of press time.
Mentioned in this article
Author 
Oluwapelumi Adejumo
Oluwapelumi values Bitcoin's potential. He imparts insights on a range of topics like DeFi, hacks, mining and culture, underlining transformative power.
Editor Editor 
Liam 'Akiba' Wright
Also known as "Akiba," Liam is a reporter, editor and podcast producer at CryptoSlate. He believes that decentralized technology has the potential to make widespread positive change.
Latest Alpha Market Report
In this article
Kraken
Kraken is a San Francisco-based digital asset exchange in euro volume and liquidity that trades various currencies, including Canadian dollars, US dollars, British pounds, and Japanese yen.
