Crypto exchange Kraken: security researcher stole $3 million – updates

Crypto exchange Kraken reports that three million dollars have been stolen by 'security researchers'. The researchers in question exploited a security hole that has now been closed by the platform.

Kraken's Chief Security Officer, Nick Percoco, has described an incident involving a vulnerability in the platform that allowed Kraken users to artificially increase their balance.

After the report, Kraken immediately started an investigation into the vulnerability and, according to Percoco, found the problem within minutes. A flaw in the platform allowed an attacker to initiate a deposit and have the funds credited to the account before the deposit was actually completed. As a result, the deposit never had to be completed in order to receive the money.
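To illustrate the class of bug described above, the following is an added, simplified model written for this article, not Kraken's own code (the details of Kraken's funding system are not public). A vulnerable ledger credits the spendable balance as soon as a deposit is initiated; the hardened ledger keeps unsettled funds in a separate pending balance and credits them only on a single, verified state transition to "confirmed".

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    INITIATED = "initiated"  # deposit announced; funds not yet settled
    CONFIRMED = "confirmed"  # settlement verified by the funding backend


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # smallest unit (cents / satoshi), never a float
    state: State = State.INITIATED


class VulnerableLedger:
    """Credits the withdrawable balance at initiation (the flaw the article describes)."""

    def __init__(self):
        self.available, self.deposits = {}, {}

    def initiate(self, deposit_id, account, amount):
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        # BUG: the money becomes spendable before anything has settled.
        self.available[account] = self.available.get(account, 0) + amount


class HardenedLedger:
    """Pending and available balances are separate; credit happens once, on confirmation."""

    def __init__(self):
        self.available, self.pending, self.deposits = {}, {}, {}

    def initiate(self, deposit_id, account, amount):
        if amount <= 0 or deposit_id in self.deposits:
            raise ValueError("invalid or duplicate deposit")
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        self.pending[account] = self.pending.get(account, 0) + amount  # visible, not spendable

    def confirm(self, deposit_id):
        d = self.deposits[deposit_id]
        if d.state is not State.INITIATED:
            return False  # idempotent: a replayed confirmation cannot credit twice
        d.state = State.CONFIRMED
        self.pending[d.account] -= d.amount
        self.available[d.account] = self.available.get(d.account, 0) + d.amount
        return True
```

In the hardened version, a withdrawal check reads only `available`, so an initiated-but-never-completed deposit can never be cashed out.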

The issue was quickly resolved, but afterwards the team discovered that three accounts had exploited the vulnerability. One of those accounts belonged to someone who claims to be a security researcher. “This individual discovered the flaw in our funding system and exploited it to credit his own account with $4 worth of crypto,” said Percoco.

“This would have been enough to prove the flaw, file a bug bounty report, join our team and receive substantial compensation under the terms of our program.” Instead, the researcher allegedly shared the vulnerability with two others they worked with. In total, the three withdrew almost $3 million in cryptocurrency, the exchange now states. The money came from Kraken itself, not from user funds.

Kraken asked the researcher to return the money, but he refused, Percoco said. The person also reportedly refused to provide an account of his activities or a proof of concept. Instead, the researcher wanted a conversation to determine how large the financial damage could have been had they not reported the problem. “This is not white hat hacking, this is extortion,” said Percoco.

The CSO says he is disclosing the incident and the details of the vulnerability in the interest of transparency. He also says that Kraken is cooperating with the authorities to handle the case further. It has not been revealed which company the security researcher works for or who this person is.

Update, 5:35 PM: Percoco now reports that the stolen money has been returned to Kraken.

Update, 6:05 PM: The security company CertiK claims to have been behind the 'white hat operation' and also says that all of the stolen currency has been returned. According to the organization, the attack on the crypto exchange was not carried out to earn a bug bounty.
