Kraken’s $3 million bug exploit leads to criminal investigation

Crypto exchange Kraken has reported that a security research firm it describes as fraudulent is holding on to $3 million worth of digital assets that it stole by exploiting a bug on the platform.

Nick Percoco, Kraken’s chief security officer, detailed the incident on X, revealing that the company received an anonymous tip from a “security researcher” on June 9 about a critical bug in its funding system.

The error

According to Percoco, the bug, which stems from the exchange’s recent UX change, would allow a malicious actor to artificially inflate account balances. He explained:

“Our team identified a bug in a UX change that prematurely credited accounts, allowing users to trade in real-time before assets were released. This change was not adequately tested for this specific vulnerability… (So) a malicious attacker could effectively print assets on their Kraken account.”

After the bug was fixed, Kraken discovered that three accounts had exploited the flaw within a few days. Percoco revealed that the security researcher had passed the information on to two employees, who subsequently withdrew nearly $3 million from Kraken’s coffers.
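A minimal model of the bug class described above, added here as an illustration and not Kraken's own code (the `Ledger`/`Account` names and the detected/confirmed/reversed deposit states are assumptions): one ledger credits a deposit as spendable the moment it is seen, the other holds it as pending until it is released, and only the first lets a withdrawal go through against funds that are later reversed.

```python
from dataclasses import dataclass


@dataclass
class Account:
    settled: int = 0   # funds whose deposit has finished confirming
    pending: int = 0   # deposits seen on the wire but not yet released


class Ledger:
    """Hypothetical exchange ledger; credit_on_detect=True reproduces the flaw."""

    def __init__(self, credit_on_detect: bool):
        self.credit_on_detect = credit_on_detect
        self.accounts: dict[str, Account] = {}

    def _acct(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def deposit_detected(self, user: str, amount: int) -> None:
        a = self._acct(user)
        if self.credit_on_detect:
            a.settled += amount    # BUG: spendable before the asset is released
        else:
            a.pending += amount    # safe: visible to the user, not spendable

    def deposit_confirmed(self, user: str, amount: int) -> None:
        a = self._acct(user)
        if not self.credit_on_detect:
            a.pending -= amount
            a.settled += amount

    def deposit_reversed(self, user: str, amount: int) -> None:
        """Deposit never finalises (reorg, cancelled tx): promised funds vanish."""
        a = self._acct(user)
        if self.credit_on_detect:
            a.settled -= amount    # can go negative: assets were effectively printed
        else:
            a.pending -= amount

    def withdraw(self, user: str, amount: int) -> bool:
        a = self._acct(user)
        if amount > a.settled:     # pending funds never count toward withdrawals
            return False
        a.settled -= amount
        return True


def simulate(credit_on_detect: bool) -> tuple[bool, int]:
    """Constructed scenario: deposit seen, withdrawn against, then reversed."""
    ledger = Ledger(credit_on_detect)
    ledger.deposit_detected("u1", 100)
    withdrawn = ledger.withdraw("u1", 100)
    ledger.deposit_reversed("u1", 100)
    return withdrawn, ledger.accounts["u1"].settled
```

`simulate(True)` returns `(True, -100)`: the withdrawal succeeded and the exchange is left short; `simulate(False)` returns `(False, 0)`.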

Blackmail?

Percoco stated that Kraken contacted these individuals to obtain a full report and reclaim the withdrawn funds.

However, this request was ignored. Instead, the researchers demanded a speculative sum for the possible damage that the error could have caused if it had not been disclosed.

Percoco condemned these actions as unethical and criminal, stating:

“As a security researcher, you are given a license to ‘hack’ a company by following the simple rules of the bug bounty program you are participating in. If you ignore these rules and blackmail the company, you lose your ‘license to hack.’ That makes you and your company criminals.”

For this reason, Kraken now considers this incident to be criminal and is cooperating with law enforcement.

Kraken had not responded to CryptoSlate's request for further comment by the editorial deadline.