Crypto exchange Kraken reported that a rogue security research company has unilaterally held on to $3 million in digital assets they exploited from a bug on its platform.
Kraken’s Chief Security Officer Nick Percoco detailed the incident on X, revealing that on June 9, the company received an anonymous tip from a “security researcher” about a critical bug affecting its funding system.
The bug
According to Percoco, the flaw, stemming from the exchange’s recent UX change, would allow a malicious actor to inflate their account balances artificially. He explained:
“Our team identified a flaw from a UX change that credited accounts prematurely, allowing users to trade in real time before asset clearance. This change was not adequately tested against this specific vulnerability… [So,] a malicious attacker could effectively print assets in their Kraken account.”
After fixing the bug, Kraken found that three accounts had exploited this flaw within a few days. Percoco disclosed that the security researcher had shared the information with two associates, who subsequently withdrew nearly $3 million from Kraken’s treasury.
Extortion?
Percoco stated that Kraken contacted these individuals for a full report and to return the withdrawn funds.
However, these requests were ignored. Instead, the researchers demanded a speculative sum for the potential damages the bug could have caused if undisclosed.
Percoco condemned these actions as unethical and criminal, stating:
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”
Consequently, Kraken is now treating this incident as criminal and is working with law enforcement authorities.
Kraken has yet to respond to CryptoSlate’s request for additional commentary as of press time.