Crypto exchange Kraken has confirmed the theft of about $3 million from its wallets following a bug-related exploit that has now been fixed.
Details of the Bug Exploit
🚨🚨🚨 JUST IN: There has been a $3 million theft from #Kraken’s 💰 treasury reportedly caused by an “extremely critical” bug.
The exchange claims that no user funds were endangered.
…
3 million was stolen from the treasury of the exchange Kraken
The exchange said that…
— Shakur Abdala (@DhoodiShakur) June 19, 2024
In a detailed thread on X, Kraken’s chief security officer Nick Percoco revealed that the exchange experienced the exploit on June 9 after a rogue “security researcher” exploited a bug in the firm’s funding system.
According to Percoco, Kraken received a bug bounty program alert that day warning of an extremely critical bug that allowed an attacker to artificially inflate their balance on the platform.
In response, the exchange investigated immediately even though the initial report lacked detail. They found that the flaw stemmed from a recent UX change on the exchange that would allow a malicious actor to artificially inflate their account balance.
“Our team identified a flaw from a UX change that credited accounts prematurely, allowing users to trade in real time before asset clearance. This change was not adequately tested against this specific vulnerability… [So,] a malicious attacker could effectively print assets in their Kraken account”, Percoco said.
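To make the flaw concrete, here is an added toy ledger (not Kraken’s code; the class, deposit id and amounts are constructed) contrasting a policy that makes a deposit spendable the moment it is announced with one that holds it as pending until it actually settles:

```python
class InsufficientFunds(Exception):
    pass

class Ledger:
    """One account. credit_on_announce=True models a premature-credit policy (the flaw);
    False holds announced deposits as pending until they clear."""

    def __init__(self, credit_on_announce: bool):
        self.credit_on_announce = credit_on_announce
        self.available = 0   # cleared, spendable units
        self.pending = 0     # announced but unsettled units (visible, not spendable)
        self.deposits = {}   # constructed deposit_id -> [amount, state]

    def announce_deposit(self, dep_id: str, amount: int) -> None:
        self.deposits[dep_id] = [amount, "pending"]
        if self.credit_on_announce:
            self.available += amount   # BUG: spendable before clearance
        else:
            self.pending += amount     # shown to the user, cannot be traded or withdrawn

    def settle_deposit(self, dep_id: str, success: bool) -> None:
        amount, state = self.deposits[dep_id]
        if state != "pending":
            raise ValueError("deposit already settled")
        self.deposits[dep_id][1] = "confirmed" if success else "failed"
        if self.credit_on_announce:
            if not success:
                self.available -= amount  # reversal; goes negative if already spent
        else:
            self.pending -= amount
            if success:
                self.available += amount  # credited only once the asset has cleared

    def withdraw(self, amount: int) -> None:
        if amount > self.available:       # pending funds never count
            raise InsufficientFunds(amount)
        self.available -= amount


def failed_deposit_scenario(credit_on_announce: bool) -> tuple:
    """Announce a deposit that never clears, try to spend it, then settle it as failed.
    Returns (withdrawal_succeeded, available_balance_after_settlement)."""
    ledger = Ledger(credit_on_announce)
    ledger.announce_deposit("dep-1", 100)   # constructed deposit id and amount
    try:
        ledger.withdraw(100)
        withdrew = True
    except InsufficientFunds:
        withdrew = False
    ledger.settle_deposit("dep-1", success=False)
    return withdrew, ledger.available
```

With premature crediting the scenario returns `(True, -100)`: the withdrawal went through and the account is left owing the exchange 100 units it never received; with the pending policy it returns `(False, 0)`.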
After fixing the bug, the team found that three accounts had exploited the flaw shortly before it was officially reported. Percoco disclosed that within a few days, a security researcher and two associates had siphoned nearly $3 million from Kraken’s treasury in a series of transactions. He also emphasized that the stolen funds did not come from client accounts.
Kraken Faces Extortion
Percoco stated that Kraken contacted these individuals for a full account of their activities and the return of the stolen funds. These requests were ignored. Instead, the researchers allegedly demanded a speculative sum reflecting the potential damages the bug could have caused had they not disclosed it.
Percoco condemned these actions, calling them extortion rather than a white-hat hack. The exchange is working with law enforcement to pursue the matter as a criminal case and has declined to credit the firm involved because of its conduct.
“As a security researcher, your license to hack a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals,” Percoco said.