Kraken, a popular cryptocurrency exchange, recently disclosed a critical security vulnerability that a self-described research team used to withdraw nearly $3 million in digital assets without authorization.
The incident came to light on June 9, when the exchange received a bug report describing a flaw that let a user artificially inflate their own account balance. The situation escalated when Kraken found that the reporter and associates had already used the bug to withdraw a substantial sum rather than merely demonstrate it. Kraken has opened a criminal investigation in collaboration with law enforcement.
Kraken Encounters Extortion Attempt
After receiving the initial report, Nick Percoco, Kraken's chief security officer, said he assembled a team to investigate. They identified a bug that allowed an attacker to initiate a deposit and have the funds credited to their account balance without the deposit ever completing, effectively creating assets in the account out of nothing.
The team fixed the vulnerability within an hour of isolating it, so the attack cannot be repeated. The flaw stemmed from a recent user experience change that allowed clients to trade in real time before deposited assets had cleared, a change that had not been tested against this particular abuse: spending, and then withdrawing, a balance backed by a deposit that never settles.
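The following Python model, added here as an illustration and not taken from Kraken or the researchers, shows the class of flaw described above: a ledger that credits the spendable balance the moment a deposit is initiated, beside one that keeps unsettled deposits in a separate pending balance and only promotes them once the deposit is confirmed. The account shape, deposit identifiers and amounts are constructed for the example; the hardened version also handles the edge cases a practitioner would check, namely a deposit that is cancelled and a confirmation that arrives twice.

```python
"""Illustrative model of credit-before-settlement in an exchange ledger.

Added example code, not Kraken's implementation. Account structure,
deposit ids and amounts are assumptions made for the demonstration.
"""
from dataclasses import dataclass, field
from decimal import Decimal


class InsufficientFunds(Exception):
    pass


class UnknownDeposit(Exception):
    pass


@dataclass
class Account:
    available: Decimal = Decimal("0")   # settled, spendable funds
    pending: Decimal = Decimal("0")     # initiated but not yet settled
    open_deposits: dict = field(default_factory=dict)  # deposit_id -> amount


class VulnerableLedger:
    """Credits spendable balance as soon as a deposit is *initiated*.

    Any path that initiates a deposit but never settles it (a cancelled or
    unconfirmed transfer) leaves spendable funds behind that never existed.
    """

    def __init__(self):
        self.accounts = {}

    def account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user: str, deposit_id: str, amount: Decimal) -> None:
        # BUG: credited before any confirmation that the funds arrived.
        self.account(user).available += amount

    def withdraw(self, user: str, amount: Decimal) -> None:
        acct = self.account(user)
        if acct.available < amount:
            raise InsufficientFunds(f"{user}: {acct.available} < {amount}")
        acct.available -= amount


class SettledLedger(VulnerableLedger):
    """Same interface; funds become spendable only after settlement."""

    def initiate_deposit(self, user, deposit_id, amount):
        acct = self.account(user)
        if deposit_id in acct.open_deposits:
            return  # repeated initiation of the same deposit is a no-op
        acct.open_deposits[deposit_id] = amount
        acct.pending += amount

    def confirm_deposit(self, user, deposit_id):
        acct = self.account(user)
        amount = acct.open_deposits.pop(deposit_id, None)
        if amount is None:
            raise UnknownDeposit(deposit_id)  # unknown or already confirmed
        acct.pending -= amount
        acct.available += amount

    def cancel_deposit(self, user, deposit_id):
        acct = self.account(user)
        amount = acct.open_deposits.pop(deposit_id, None)
        if amount is None:
            raise UnknownDeposit(deposit_id)
        acct.pending -= amount


def attacker_scenario(ledger) -> Decimal:
    """Initiate a deposit, never settle it, try to withdraw it all.
    Returns the amount the attacker actually extracted."""
    ledger.initiate_deposit("attacker", "dep-1", Decimal("1000"))
    try:
        ledger.withdraw("attacker", Decimal("1000"))
        return Decimal("1000")
    except InsufficientFunds:
        return Decimal("0")


def honest_scenario() -> Decimal:
    """A deposit that does settle is spendable in the hardened ledger."""
    ledger = SettledLedger()
    ledger.initiate_deposit("alice", "dep-7", Decimal("250"))
    ledger.confirm_deposit("alice", "dep-7")
    ledger.withdraw("alice", Decimal("100"))
    return ledger.account("alice").available


def double_confirm_rejected() -> bool:
    """Confirming the same deposit twice must not credit it twice."""
    ledger = SettledLedger()
    ledger.initiate_deposit("bob", "dep-9", Decimal("50"))
    ledger.confirm_deposit("bob", "dep-9")
    try:
        ledger.confirm_deposit("bob", "dep-9")
    except UnknownDeposit:
        return ledger.account("bob").available == Decimal("50")
    return False


if __name__ == "__main__":
    print("vulnerable ledger paid out:", attacker_scenario(VulnerableLedger()))
    print("settled ledger paid out:", attacker_scenario(SettledLedger()))
    print("honest settled balance:", honest_scenario())
    print("double confirm rejected:", double_confirm_rejected())
```

The same `available` balance would back real-time trades in the vulnerable model, so letting trading proceed before settlement is equivalent to letting the unsettled deposit be spent; the hardened ledger makes the pending and available split explicit, and every state change is keyed on a deposit id so that a duplicate confirmation is refused rather than credited again.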
The investigation found that three accounts exploited the bug nearly simultaneously. One allegedly belonged to a self-proclaimed security researcher who first demonstrated the flaw by depositing a small amount of crypto, then brought in associates who used it to fraudulently withdraw a total of nearly $3 million.
Legal Action Against Research Firm
Percoco characterized the research team's conduct as extortion rather than ethical hacking, noting that Kraken handles security findings through legitimate channels such as its bug bounty program. Kraken said it appreciated the report itself but is pursuing legal action against the firm over the withdrawals.
The exchange has run a bug bounty program for years, with established rules under which researchers disclose vulnerabilities responsibly rather than exploiting them for profit. Kraken is treating the incident as a criminal matter and is actively cooperating with law enforcement.