Just In: Kraken Responds to Extortion Attempt Following Security Breach

As a researcher with a background in cybersecurity and experience working with cryptocurrency exchanges, I cannot help but be alarmed by the recent Kraken security breach and extortion attempt. While I commend Kraken’s swift response to the initial bug bounty report and their ability to rectify the vulnerability within hours, the escalation of events into an extortion attempt is a concerning development.

Recently, Kraken, a prominent cryptocurrency exchange, experienced a security breach and potential extortion attempt following a supposed bug bounty report. According to Nick Percoco, the Chief Security Officer, an unidentified individual exploited a vulnerability to inflate account balances artificially. This incident has triggered an investigation in collaboration with law enforcement agencies and underscores the significance of ethical conduct during security research.

Kraken Responds to $3 Million Security Breach

On June 9, 2024, Kraken’s security team, headed by Percoco, was notified of a potential security issue through a bug bounty report. To their dismay, they found that the vulnerability had already been exploited before the report was filed, resulting in approximately $3 million being illegally withdrawn from the exchange’s reserves. The incident was initially believed to be the work of a single security researcher who had sought a reward of just $4, but it later emerged that this individual had collaborated with accomplices to extract larger sums.

Kraken Security Update:

On the 9th of June, 2024, we were notified about a Bug Bounty report via email from a security expert. The details of the issue were initially withheld, but they asserted that they had discovered a “highly critical” flaw enabling them to manipulate their account balance on our system unjustifiably.

— Nick Percoco (@c7five) June 19, 2024

Kraken’s team fixed the issue within two hours of identifying it. The problem stemmed from a recent change intended to improve user experience by enabling instant trading before deposited funds had been thoroughly verified. That change inadvertently introduced a weakness: account balances could be credited with funds that had not yet been checked. Percoco reassured users that no client assets were ever at risk, since the vulnerability only permitted inflating balances within the offending parties’ own accounts.
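The crediting weakness described above, as an added illustration that is not Kraken’s code and does not reflect how its ledger is built: a toy ledger in which a `credit_before_verification` setting stands in for the instant-trading change, beside the hardened policy that makes funds tradable only once a deposit is confirmed, plus a reconciliation check that flags any account whose tradable balance is not backed by confirmed funds. Names, deposit states, amounts and the behaviour on a failed deposit are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class DepositState(Enum):
    PENDING = "pending"      # announced, not yet verified (assumed state model)
    CONFIRMED = "confirmed"  # verified as settled
    FAILED = "failed"        # verification failed; nothing was received

@dataclass
class Account:
    confirmed: int = 0   # funds verified and settled, in minor units
    pending: int = 0     # funds announced but not yet verified
    tradable: int = 0    # balance the trading engine may use

@dataclass
class Ledger:
    credit_before_verification: bool   # the "instant trading" setting
    accounts: dict = field(default_factory=dict)

    def account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def deposit(self, user: str, amount: int) -> None:
        acct = self.account(user)
        acct.pending += amount
        if self.credit_before_verification:
            acct.tradable += amount  # weak: tradable before anything is verified

    def verify(self, user: str, amount: int, state: DepositState) -> None:
        acct = self.account(user)
        acct.pending -= amount
        if state is DepositState.CONFIRMED:
            acct.confirmed += amount
            if not self.credit_before_verification:
                acct.tradable += amount  # hardened: credit only settled funds
        # On FAILED the weak policy has already granted (and possibly spent)
        # tradable balance; the hardened policy granted nothing, so nothing to undo.

    def trade(self, user: str, amount: int) -> bool:
        acct = self.account(user)
        if amount > acct.tradable:
            return False
        acct.tradable -= amount
        return True

def unbacked_balances(ledger: Ledger) -> dict:
    """Reconciliation check: tradable balance must never exceed confirmed funds.
    Returns {user: excess} for every account that violates the invariant."""
    return {u: a.tradable - a.confirmed for u, a in ledger.accounts.items()
            if a.tradable > a.confirmed}
```

Running the reconciliation check after every ledger update, and alerting on a non-empty result, is the kind of post-change test the incident calls for.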


Kraken Reinforces Policies After Security Breach

After the security flaw was found, the culprits refused to cooperate with Kraken’s investigation, insisting instead on speaking with the business development team. Percoco denounced this as extortion. The episode underscores the importance of adhering to ethical principles when participating in bug bounty programs: Kraken has consistently held that researchers should not exploit vulnerabilities beyond what is needed to demonstrate their existence, and must immediately return any unauthorized funds obtained.

For over 9 years, Kraken’s bug bounty program has fostered collaboration between Kraken and ethical hackers to uncover and rectify vulnerabilities in a responsible manner. This initiative has been successful due to the community’s support. However, this is the first significant violation of trust and established procedures that we have encountered.

In spite of this troubling incident, Kraken continues to prioritize its bug bounty program, recognizing its role in strengthening the security of the cryptocurrency marketplace. The exchange has taken measures to harden its systems against comparable weaknesses by introducing more rigorous testing, especially after updates that affect account transactions.


2024-06-19 17:47