Kraken Exposes $3 Million Exploit By Research Team, Launches Criminal Investigation

As a researcher with extensive experience in cybersecurity and blockchain technology, I find the recent incident involving Kraken exchange deeply concerning. The fact that a critical security flaw was exploited, resulting in the theft of $3 million worth of digital assets, is alarming. However, what makes this situation even more troubling is the apparent extortion attempt by the research team.


A few days ago, Kraken, a prominent cryptocurrency exchange, disclosed that it had suffered a significant security breach. The incident allowed a research group to misappropriate approximately $3 million in digital assets from the platform.

On June 9, a bug report reached the incident team through the company's bug bounty program from an individual who identified himself as a security researcher. He claimed to have uncovered a significant issue that enabled him to artificially inflate his account balance on the platform.

The unexpected twist came when it emerged that the researcher and his team had taken advantage of the weakness to make off with a large amount of funds. In response, Kraken opened a criminal probe into the misconduct and is collaborating with the relevant law enforcement bodies.

Kraken Faces Extortion Attempt

Upon receiving the initial report of a potential security vulnerability, Kraken's chief security officer, Nick Percoco, promptly formed a multidisciplinary team to investigate the matter thoroughly.

The team quickly pinpointed an issue in the system: a malicious actor could initiate a deposit, have the funds credited to the account before the transaction had completed, and thereby temporarily generate assets in a Kraken account.

The team identified and fixed the critical vulnerability within an hour, preventing any recurrence. The issue stemmed from a new user experience (UX) feature that allowed real-time crypto trading before assets had cleared, and this feature had not been extensively tested against this particular threat scenario.
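The credit-before-settlement pattern described above, shown as an added illustration that is not Kraken's code (the ledger classes, method names and amounts are assumptions): the vulnerable ledger makes a deposit spendable as soon as it is initiated, while the hardened ledger keeps unconfirmed deposits in a separate pending balance that can never be withdrawn or left behind when the deposit is abandoned.

```python
from dataclasses import dataclass


@dataclass
class Deposit:
    amount: int
    confirmed: bool = False
    cancelled: bool = False


class VulnerableLedger:
    """Flaw pattern: spendable balance is credited when a deposit is *initiated*."""

    def __init__(self):
        self.balance = 0

    def initiate_deposit(self, amount):
        d = Deposit(amount)
        self.balance += amount  # BUG: credited before the funds have settled
        return d

    def cancel_deposit(self, d):
        d.cancelled = True  # BUG: the earlier credit is never reversed

    def withdraw(self, amount):
        if amount <= 0 or amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        return amount


class HardenedLedger:
    """Fix: track pending separately; only confirmed deposits become spendable."""

    def __init__(self):
        self.available = 0  # settled, withdrawable funds
        self.pending = 0    # initiated but unconfirmed deposits (display only)

    def initiate_deposit(self, amount):
        d = Deposit(amount)
        self.pending += amount
        return d

    def confirm_deposit(self, d):
        if d.confirmed or d.cancelled:
            raise ValueError("deposit already finalised")
        d.confirmed = True
        self.pending -= d.amount
        self.available += d.amount  # spendable only now

    def cancel_deposit(self, d):
        if d.confirmed or d.cancelled:
            raise ValueError("deposit already finalised")
        d.cancelled = True
        self.pending -= d.amount  # nothing was ever spendable, so nothing to claw back

    def withdraw(self, amount):
        if amount <= 0 or amount > self.available:
            raise ValueError("insufficient settled funds")
        self.available -= amount
        return amount


def abandoned_deposit_payout(ledger_cls, amount=100):
    """Amount a user can withdraw after starting a deposit and then abandoning it."""
    ledger = ledger_cls()
    d = ledger.initiate_deposit(amount)
    ledger.cancel_deposit(d)
    try:
        return ledger.withdraw(amount)
    except ValueError:
        return 0
```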

Three accounts were found to have exploited the identified vulnerability within a short time frame. One of these accounts is believed to belong to an individual presenting himself as a security researcher, who disclosed the bug and received a minimal amount of cryptocurrency in return as proof of the issue.

The researcher had uncovered a significant vulnerability in Kraken's system that could have earned a substantial bug bounty reward. Rather than reporting the finding responsibly, he shared it with two associates, who exploited the flaw to generate far larger sums than any bounty would have paid. Between them, the three withdrew a staggering $3 million from Kraken's treasuries.

When Kraken asked for the funds to be returned, the researchers declined, insisting on talks with its business development team and putting forward an estimate of the losses the bug might have caused had it remained undisclosed.

Legal Action Against Research Company

In its statement, Kraken strongly condemned the methods used by the research team, labeling its actions "extortion" rather than ethical hacking.

For nearly a decade, the exchange has operated a bug bounty program, during which it encountered no problems with genuine researchers who consistently adhered to its established rules. Those rules include not exploiting a flaw beyond the minimum required to verify it, presenting a working demonstration of the flaw, and immediately returning any assets obtained.

Kraken's chief security officer stated that the exchange considers the incident a criminal matter and is collaborating with law enforcement on the investigation. Although it acknowledged the report, Kraken plans to initiate legal proceedings against the research firm responsible.

2024-06-20 03:11