
Kraken is being extorted after an exploit is discovered

Kraken – blackmail and extortion. A review by a Bitcoin mixer: mixer.money

  1. Blackmail and extortion
  2. What is a bug bounty program

Cryptocurrency exchange Kraken claimed that security researchers who discovered a vulnerability on the platform took $3 million out of the exchange's coffers and then engaged in extortion.

Nick Percoco, Kraken's chief security officer, said in a post on social media platform X (formerly Twitter) that the firm received a bug bounty program alert from a security researcher on June 9 about a vulnerability that allowed users to artificially inflate their balance. The bug "allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit," Percoco added.

Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024

Upon receiving the report, Kraken quickly fixed the problem and no user funds were affected, Percoco noted.

Blackmail and extortion

The user who discovered the bug allegedly disclosed the information to two other individuals, who then “fraudulently” withdrew nearly $3 million from their Kraken accounts. “The money was from Kraken Treasury bonds, not other customer assets,” Percoco said.

The initial bug report did not mention the transactions of the two other individuals, and when Kraken asked the researcher for a full account of their activity, they refused to provide it.

“Instead, they demanded a call and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!” Percoco wrote.

Kraken did not disclose who discovered the bug, but blockchain security auditor CertiK subsequently revealed in a social media post that it had discovered several vulnerabilities in the cryptocurrency exchange.

CertiK, which audits Web3 smart contracts and provides a suite of security tools, said it conducted "multi-day testing" and noted that the bug could be exploited to create millions of dollars worth of crypto. "Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period," the post said.
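The bug class described above, a deposit that is credited to a spendable balance before it has actually completed, and the lack of alerts CertiK mentions, can be illustrated on a toy ledger. The following is an added example written for this page, not Kraken's code; the real mechanism has not been published, so the ledger, its state machine, the account and deposit identifiers and the amounts are all assumptions. It shows a ledger that credits at initiation beside one that credits only on a single, state-checked confirmation, and a reconciliation check that would have flagged the withdrawn, never-confirmed funds.

```python
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # smallest unit (e.g. satoshi); integers avoid float rounding
    state: DepositState = DepositState.INITIATED


class BaseLedger:
    """Shared bookkeeping; subclasses differ only in *when* a deposit is credited."""

    def __init__(self):
        self.balances = {}     # account -> spendable balance
        self.deposits = {}     # deposit_id -> Deposit
        self.withdrawals = []  # (account, amount)

    def _credit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount

    def withdraw(self, account, amount):
        """Withdraw against the spendable balance; True on success."""
        if amount <= 0 or self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        self.withdrawals.append((account, amount))
        return True


class VulnerableLedger(BaseLedger):
    """Credits the spendable balance at initiation: the failure mode the article describes."""

    def initiate_deposit(self, dep):
        self.deposits[dep.deposit_id] = dep
        self._credit(dep.account, dep.amount)  # BUG: nothing has been confirmed yet

    def confirm_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.CONFIRMED
        return True

    def fail_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.FAILED  # credit is never reversed
        return True


class HardenedLedger(BaseLedger):
    """Credits only on one state-checked confirmation; a deposit that fails credits nothing."""

    def initiate_deposit(self, dep):
        self.deposits[dep.deposit_id] = dep  # recorded as pending, nothing spendable yet

    def confirm_deposit(self, deposit_id):
        dep = self.deposits.get(deposit_id)
        if dep is None or dep.state is not DepositState.INITIATED:
            return False  # unknown, replayed confirmation, or already failed
        dep.state = DepositState.CONFIRMED
        self._credit(dep.account, dep.amount)
        return True

    def fail_deposit(self, deposit_id):
        dep = self.deposits.get(deposit_id)
        if dep is None or dep.state is not DepositState.INITIATED:
            return False
        dep.state = DepositState.FAILED
        return True


def reconcile(ledger):
    """Detection: balance minus (confirmed deposits - withdrawals), per account.

    A positive discrepancy is spendable or already-withdrawn money that no
    confirmed deposit backs; this is the alert that should fire during an attack.
    """
    expected = {}
    for dep in ledger.deposits.values():
        if dep.state is DepositState.CONFIRMED:
            expected[dep.account] = expected.get(dep.account, 0) + dep.amount
    for account, amount in ledger.withdrawals:
        expected[account] = expected.get(account, 0) - amount
    accounts = set(ledger.balances) | set(expected)
    return {a: ledger.balances.get(a, 0) - expected.get(a, 0)
            for a in accounts if ledger.balances.get(a, 0) != expected.get(a, 0)}


def run_attack(ledger_cls):
    """Initiate, withdraw before confirmation, let the deposit fail. Returns (withdrew, discrepancies)."""
    ledger = ledger_cls()
    ledger.initiate_deposit(Deposit("dep-1", "acct-A", 1_000_000))  # constructed sample deposit
    withdrew = ledger.withdraw("acct-A", 1_000_000)
    ledger.fail_deposit("dep-1")
    return withdrew, reconcile(ledger)


def run_honest_flow(ledger_cls):
    """Confirm once (plus a replayed confirmation), then withdraw. Returns (confirms, withdrew, discrepancies)."""
    ledger = ledger_cls()
    ledger.initiate_deposit(Deposit("dep-2", "acct-B", 500_000))  # constructed sample deposit
    confirms = [ledger.confirm_deposit("dep-2"), ledger.confirm_deposit("dep-2")]
    withdrew = ledger.withdraw("acct-B", 500_000)
    return confirms, withdrew, reconcile(ledger)


if __name__ == "__main__":
    print("attack on vulnerable ledger:", run_attack(VulnerableLedger))
    print("attack on hardened ledger:  ", run_attack(HardenedLedger))
    print("honest flow, hardened:      ", run_honest_flow(HardenedLedger))
```

Against the vulnerable ledger the attack withdraws the full amount and reconciliation reports a 1,000,000-unit discrepancy on the account; against the hardened ledger the withdrawal is refused and reconciliation is clean. The honest flow reconciles cleanly on both ledgers, so the check only fires on unbacked funds, which is what an exchange would want running continuously rather than discovering after "multi-day testing".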

However, CertiK said things went sour after the initial conversation with Kraken. "Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," the X post added.

What is a bug bounty program

Bug bounty programs, used by many firms to bolster their security systems, invite third-party hackers known as “white hats” to find vulnerabilities so the company can fix them before they are exploited by an attacker. Kraken’s competitor, Coinbase, has a similar program to help alert the exchange to vulnerabilities.

To qualify for a reward, Kraken's program requires the researcher to discover the problem, exploit it only to the minimum extent needed to prove it, return any assets taken and provide full details of the vulnerability, Kraken said in a blog post, adding that because the security researchers did not follow those rules, they will not receive a reward.

“We engaged these researchers in good faith and, in-line with a decade of running a bug bounty program, had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers,” a Kraken spokesperson told CoinDesk.