Kraken Reports Nearly $3 Million Bug-Related Exploit

The incident highlights the insecurities and vulnerabilities that continue to infest the industry.

Kraken revealed a bug-related exploit on June 9, in which the bad actor made off with nearly $3 million. Based on the report shared by Kraken Chief Security Officer Nick Percoco, the company received a Bug Bounty program alert.

“On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an ‘extremely critical’ bug that allowed them to artificially inflate their balance on our platform,” noted Percoco in a post on Wednesday.

The CSO noted that a further probe revealed an isolated bug that gave the bad actor unmerited privileges. Specifically, they could initiate a deposit on Kraken Exchange and receive funds in their account even though they had not fully completed the deposit.

A forensic analysis revealed a vulnerability in a recent UX change on Kraken's platform. This flaw allowed a malicious attacker to “print assets” in their account for a period of time. Importantly, no client assets were compromised, and the issue has been fixed. However, a subsequent probe discovered that three accounts had already exploited the bug within a few days of each other.

“After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC'd to an individual who claimed to be a security researcher,” Percoco said.

A security researcher discovered a bug in Kraken's system and credited their account with $4 in cryptocurrency. This amount was enough to demonstrate the flaw and file a bug bounty report, which would have earned a significant reward under Kraken's program.

Instead, the researcher shared the bug with two colleagues, who exploited it to generate much larger sums fraudulently. This collusion led to a loss of nearly $3 million, taken from Kraken's treasuries rather than client assets.

The incident culminated in a case of extortion after the crypto platform tried to recover the funds from the researchers. Kraken requested a full account of the researchers' activities, including the proof of concept used to create the on-chain activity and arrangements to return the withdrawn funds.

“These security researchers refused. Instead, they demanded a call with their business team and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!” Percoco wrote.

Kraken has therefore resorted to treating the incident as a criminal case and has committed to coordinating with law enforcement. The researchers' firm remains undisclosed.

Disclaimer

In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions,  Policy, and Disclaimers have been updated.
