Security researchers attempt to extort Kraken crypto exchange

On June 9, 2024, Kraken, a well-known cryptocurrency exchange, was alerted to a Bug Bounty report that raised concerns. The report, submitted by a security researcher, claimed to have discovered a critical bug that allowed balance inflation on the platform. However, what initially appeared to be a routine vulnerability report turned into an extortion attempt.

During the investigation of the bug report, a team led by Nick Percoco, Kraken’s Chief Security Officer, uncovered that the flaw had been exploited for nearly $3 million. Percoco addressed the situation in a thread on X (formerly Twitter) on June 19.

The investigation revealed that three accounts had exploited the reported flaw within days of each other. One account belonged to an individual who claimed to be a security researcher and used the bug to credit their account with $4 in crypto. This person then disclosed the bug to two other individuals, who fraudulently generated much larger sums and ultimately withdrew nearly $3 million from their Kraken accounts.

When Kraken requested a full account of their activities and the return of the withdrawn funds, the self-described security researchers refused and instead demanded a call with Kraken’s business development team, which the company characterized as extortion.

Percoco explained that Kraken’s Bug Bounty program, in place for nearly a decade, has clear rules, including not exploiting more than necessary to prove the vulnerability, providing a proof of concept, and immediately returning any extracted funds.

In the interest of transparency, the company disclosed the bug to the industry and is treating the incident as a criminal case, coordinating with law enforcement agencies.

Furthermore, Percoco revealed that the exchange regularly receives fake bug bounty reports, but treated this report seriously and promptly assembled a team to investigate. They discovered an isolated bug that, under specific circumstances, allowed a malicious attacker to initiate a deposit and receive funds without fully completing the transaction.
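The class of bug described above, modeled in Python as an added example that is not Kraken’s code (the page gives no implementation detail; the ledger classes, user names, deposit IDs and amounts are hypothetical): a ledger that credits the withdrawable balance when a deposit is merely initiated, beside one that tracks pending and settled funds separately and credits exactly once, at confirmation.

```python
"""Toy exchange ledger: crediting a deposit before it settles vs. after.

Added illustration, not Kraken's code. The article describes a deposit that is
initiated but never completed, yet still credits the account. This model
reproduces that class of bug and its fix; names and amounts are hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    amount: int                      # smallest unit (e.g. satoshi); never float
    state: DepositState = DepositState.INITIATED


@dataclass
class Account:
    settled: int = 0                 # funds that have actually cleared
    pending: int = 0                 # initiated but not yet confirmed
    deposits: dict = field(default_factory=dict)


class VulnerableLedger:
    """Credits the withdrawable balance the moment a deposit is *initiated*."""

    def __init__(self):
        self.accounts = {}

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user, dep_id, amount):
        acct = self.account(user)
        acct.deposits[dep_id] = Deposit(amount)
        acct.settled += amount       # BUG: credited before the deposit completes

    def confirm_deposit(self, user, dep_id):
        self.account(user).deposits[dep_id].state = DepositState.CONFIRMED

    def fail_deposit(self, user, dep_id):
        self.account(user).deposits[dep_id].state = DepositState.FAILED
        # BUG: the early credit is never reversed

    def withdraw(self, user, amount):
        acct = self.account(user)
        if amount <= 0 or amount > acct.settled:
            raise ValueError("insufficient settled funds")
        acct.settled -= amount
        return amount


class HardenedLedger(VulnerableLedger):
    """Tracks pending separately; only confirmed deposits become withdrawable."""

    def initiate_deposit(self, user, dep_id, amount):
        acct = self.account(user)
        if dep_id in acct.deposits:
            raise ValueError("duplicate deposit id")   # replay of the same deposit
        acct.deposits[dep_id] = Deposit(amount)
        acct.pending += amount       # shown to the user, but not withdrawable

    def confirm_deposit(self, user, dep_id):
        acct = self.account(user)
        dep = acct.deposits[dep_id]
        if dep.state is not DepositState.INITIATED:
            return                   # idempotent: a repeated confirm must not double-credit
        dep.state = DepositState.CONFIRMED
        acct.pending -= dep.amount
        acct.settled += dep.amount   # the single point where balance is credited

    def fail_deposit(self, user, dep_id):
        acct = self.account(user)
        dep = acct.deposits[dep_id]
        if dep.state is DepositState.INITIATED:
            acct.pending -= dep.amount
        dep.state = DepositState.FAILED


def abandoned_deposit_withdrawal(ledger_cls, amount=1_000_000):
    """Initiate a deposit, never complete it, then try to withdraw the amount.
    Returns the amount actually paid out (0 if the ledger refused)."""
    ledger = ledger_cls()
    ledger.initiate_deposit("attacker", "dep-1", amount)   # constructed scenario
    ledger.fail_deposit("attacker", "dep-1")               # transaction never completes
    try:
        return ledger.withdraw("attacker", amount)
    except ValueError:
        return 0


def completed_deposit_withdrawal(ledger_cls, amount=1_000_000):
    """The legitimate flow: the deposit completes, then the user withdraws."""
    ledger = ledger_cls()
    ledger.initiate_deposit("user", "dep-1", amount)
    ledger.confirm_deposit("user", "dep-1")
    ledger.confirm_deposit("user", "dep-1")   # a duplicate confirmation must be harmless
    return ledger.withdraw("user", amount)
```

The design point is that a balance shown to the user for trading convenience and a balance that may leave the platform are different quantities: keep them in separate fields, move value from one to the other in exactly one code path, and make that path idempotent so a replayed confirmation or a duplicate deposit ID cannot credit twice. Integer minor units avoid the rounding drift that floats introduce into any ledger.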

Kraken’s team mitigated the issue within an hour and 47 minutes and fully fixed the vulnerability within a few hours. Despite this incident, Kraken remains committed to its Bug Bounty program and looks forward to working with good-faith researchers in the future, while taking a stand against unethical behavior.
