Kraken, a cryptocurrency exchange, disclosed to its clients that a major flaw led to the theft of approximately $3 million from its wallets. On June 9, Kraken disclosed this information after receiving a bug bounty notification. Nick Percoco, the Chief Security Officer of Kraken, deemed the bug dangerous because it allowed a hacker to modify their balance on the exchange.
The flaw was traced to a recent interface modification. This unintended change allowed users to have funds credited to their accounts without the appropriate checks on their deposits being performed. As a result, an attacker could initiate a deposit into a Kraken account, have the funds credited, and withdraw them without going through the proper settlement procedure. While the vulnerability existed only under specific conditions, its presence meant that, for a limited time, an attacker could create new assets in their account.
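The article does not say what the missing deposit checks were, so the following is an added illustration, not Kraken's code: it models a deposit ledger that credits a balance as soon as a deposit record appears, beside a hardened version that credits only once the deposit has reached a confirmed settlement state and only once per deposit id, plus a reconciliation check that flags balances not backed by settled deposits. The settlement states, account names and amounts are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # seen on the payment rail, not yet final
    CONFIRMED = "confirmed"  # settled; the only state safe to credit
    FAILED = "failed"        # reversed or never settled


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int              # minor units (cents / satoshis), never floats
    state: DepositState


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    credited_ids: set = field(default_factory=set)
    total_credited: int = 0  # everything ever credited, withdrawn or not

    def balance(self, account: str) -> int:
        return self.balances.get(account, 0)

    def credit(self, account: str, amount: int) -> None:
        self.balances[account] = self.balance(account) + amount
        self.total_credited += amount


def credit_vulnerable(ledger: Ledger, dep: Deposit) -> bool:
    """Weak handler: credits on arrival of the deposit record, ignoring settlement."""
    ledger.credit(dep.account, dep.amount)
    return True


def credit_hardened(ledger: Ledger, dep: Deposit) -> bool:
    """Hardened handler: credits only settled deposits, exactly once per deposit id."""
    if dep.state is not DepositState.CONFIRMED:
        return False
    if dep.deposit_id in ledger.credited_ids:   # replayed / duplicate notification
        return False
    ledger.credited_ids.add(dep.deposit_id)
    ledger.credit(dep.account, dep.amount)
    return True


def withdraw(ledger: Ledger, account: str, amount: int) -> bool:
    """Withdrawals only check the ledger balance, so inflated credits flow straight out."""
    if amount <= 0 or ledger.balance(account) < amount:
        return False
    ledger.balances[account] = ledger.balance(account) - amount
    return True


def reconcile(ledger: Ledger, deposits: list) -> int:
    """Detection control: total credited minus total actually settled (deduplicated
    by deposit id). Anything other than zero means the ledger created value."""
    settled = {d.deposit_id: d.amount for d in deposits if d.state is DepositState.CONFIRMED}
    return ledger.total_credited - sum(settled.values())


def run_scenario(credit_fn) -> tuple:
    """Constructed scenario: one deposit that never settles, one confirmed deposit
    delivered twice, then a withdrawal attempt against the inflated balance."""
    ledger = Ledger()
    deposits = [
        Deposit("dep-001", "acct-A", 10_000, DepositState.FAILED),
        Deposit("dep-002", "acct-A", 500, DepositState.CONFIRMED),
        Deposit("dep-002", "acct-A", 500, DepositState.CONFIRMED),  # duplicate
    ]
    for d in deposits:
        credit_fn(ledger, d)
    withdrew = withdraw(ledger, "acct-A", 10_000)
    return ledger.balance("acct-A"), withdrew, reconcile(ledger, deposits)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(credit_vulnerable))  # (1000, True, 10500)
    print("hardened:  ", run_scenario(credit_hardened))    # (500, False, 0)
```

The reconciliation figure is the number an operator wants on a dashboard: with the weak handler the ledger has credited 10,500 units more than ever settled and a withdrawal of unbacked funds has already gone out, whereas the hardened handler leaves the discrepancy at zero and the withdrawal refused.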
While the flaw was fixed within a few hours of being reported, an audit revealed that three users had already exploited it prior to its discovery. Surprisingly, one of these accounts belonged to the person who first reported the bug through Kraken’s bounty program. This individual, who described themselves as a security researcher, used the hole to add $4 to their balance in order to prove it was possible and qualify for a bounty.
As Percoco stated, the researcher informed two other individuals about the bug, who then used it to steal approximately $3 million from Kraken. It is important to note that the money came from Kraken’s own funds, not those of its clients. According to the report, the involved parties refused to give a full account of their actions, or to return the funds, until Kraken fully explained the potential risks of the exploit.
Percoco expressed his dissatisfaction with the situation, describing the actions of the researcher and their colleagues as blackmail rather than ethical hacking. He criticized them for withholding their cooperation and for questioning Kraken’s ability to address the issue.
Percoco has stated that he does not wish to disclose the name of the research company involved, in order to avoid drawing attention to it. He has, however, disclosed that Kraken is treating the incident as a criminal matter. In an effort to contain and manage the situation, the organization is also in communication with law enforcement agencies.
This event shows that cryptocurrency platforms still face challenges and risks in managing and remedying their shortcomings while simultaneously trying to enhance the user experience and organizational efficiency.