Ad
News
Kraken’s $3 million bug exploit leads to criminal investigation Kraken’s $3 million bug exploit leads to criminal investigation

Kraken’s $3 million bug exploit leads to criminal investigation

Kraken said the security researchers actions were criminal in nature.

Kraken’s $3 million bug exploit leads to criminal investigation

Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.

Join Japan's Web3 Evolution Today

Crypto exchange Kraken reported that a rogue security research company has unilaterally held on to $3 million in digital assets they exploited from a bug on its platform.

Kraken’s Chief Security Officer Nick Percoco detailed the incident on X, revealing that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug affecting its funding system.

The bug

According to Percoco, the flaw, stemming from the exchange’s recent UX change, would allow a malicious actor to inflate their account balances artificially. He explained:

“Our team identified a flaw from a UX change that credited accounts prematurely, allowing users to trade in real time before asset clearance. This change was not adequately tested against this specific vulnerability… [So,] a malicious attacker could effectively print assets in their Kraken account.”

After fixing the bug, Kraken found that three accounts had exploited this flaw within a few days. Percoco disclosed that the security researcher had shared the information with two associates, who subsequently withdrew nearly $3 million from Kraken’s treasury.

Extortion?

Percoco stated that Kraken contacted these individuals for a full report and to return the withdrawn funds.

However, these requests were ignored. Instead, the researchers demanded a speculative sum for the potential damages the bug could have caused if undisclosed.

Percoco condemned these actions as unethical and criminal, stating:

“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”

Consequently, Kraken is now treating this incident as criminal and is working with law enforcement authorities.

Kraken has yet to respond to CryptoSlate’s request for additional commentary as of press time.

Mentioned in this article