Kraken’s Chief Security Officer, Nick Percoco, recently disclosed that a group of white-hat hackers has refused to return approximately $3 million in digital assets stolen from the exchange’s treasury. The hackers exploited a bug in Kraken’s system that allowed them to artificially inflate their balances on the platform. On June 9, a security researcher alerted Kraken to the bug through its Bug Bounty program, labeling it as “extremely critical.”
Kraken receives many bug bounty reports every day, but it took this one seriously and opened an investigation. The team assembled for it quickly identified a bug that allowed an attacker to initiate a deposit and have the amount credited to their account before the transaction had actually completed. No customer funds were directly at risk, but an attacker could then withdraw the phantom balance, and those withdrawals were paid out of Kraken's own treasury.
Kraken traced the bug to a recent user-experience change that credited accounts before the deposited assets had settled. Further inspection showed that three accounts had already exploited it. One belonged to a user claiming to be a security researcher, who said they had discovered the bug. Rather than reporting it immediately through the appropriate channel, that individual shared it with two colleagues, who used it to withdraw roughly $3 million in crypto.
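The flaw described above, crediting a deposit when it is initiated rather than when it settles, is a generic ledger mistake. The following is an added illustration, not Kraken's code: the account model, event names, confirmation threshold and the constructed "deposit that never confirms" are all assumptions chosen to show the vulnerable pattern beside the corrected one, in which a deposit sits in a pending bucket until the chain has confirmed it and only then becomes spendable.

```python
"""Deposit-before-settlement flaw, illustrated.

Added example, not the exchange's real code. Everything here (account
fields, event names, the 6-confirmation threshold, the sample amounts)
is an assumption for illustration.
"""
from dataclasses import dataclass, field


class LedgerError(Exception):
    pass


@dataclass
class Account:
    available: int = 0                                # spendable balance, base units
    pending: dict = field(default_factory=dict)       # tx_id -> amount awaiting settlement


class Exchange:
    """Minimal ledger; withdrawals are paid from a shared treasury wallet."""

    def __init__(self, treasury: int, credit_on_initiation: bool, confirmations_required: int = 6):
        self.treasury = treasury
        self.credit_on_initiation = credit_on_initiation   # True reproduces the flaw
        self.confirmations_required = confirmations_required
        self.accounts: dict[str, Account] = {}

    def account(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def deposit_initiated(self, user: str, tx_id: str, amount: int) -> None:
        """Deposit first observed (e.g. seen in the mempool), nothing settled yet."""
        if amount <= 0:
            raise LedgerError("amount must be positive")
        acct = self.account(user)
        if tx_id in acct.pending:
            raise LedgerError("duplicate deposit event")
        acct.pending[tx_id] = amount
        if self.credit_on_initiation:
            acct.available += amount      # the flaw: spendable before the chain has settled

    def deposit_confirmed(self, user: str, tx_id: str, confirmations: int) -> bool:
        """Settle a pending deposit once it has enough confirmations. Returns True when credited."""
        acct = self.account(user)
        if tx_id not in acct.pending:
            raise LedgerError("unknown or already-settled deposit")
        if confirmations < self.confirmations_required:
            return False                  # keep waiting; balance stays unspendable
        amount = acct.pending.pop(tx_id)
        if not self.credit_on_initiation:
            acct.available += amount      # correct place to credit
        return True

    def deposit_failed(self, user: str, tx_id: str) -> int:
        """Deposit never settled. Returns the shortfall the exchange cannot recover."""
        acct = self.account(user)
        amount = acct.pending.pop(tx_id, 0)
        if not self.credit_on_initiation:
            return 0                      # nothing was ever spendable, nothing to claw back
        clawback = min(acct.available, amount)
        acct.available -= clawback
        return amount - clawback          # already withdrawn against the treasury

    def withdraw(self, user: str, amount: int) -> bool:
        acct = self.account(user)
        if amount <= 0:
            raise LedgerError("amount must be positive")
        if acct.available < amount or self.treasury < amount:
            return False
        acct.available -= amount
        self.treasury -= amount
        return True


def simulate(credit_on_initiation: bool) -> dict:
    """Constructed scenario: one deposit is initiated, never confirms, and the
    account holder immediately tries to withdraw the credited amount."""
    ex = Exchange(treasury=1_000_000, credit_on_initiation=credit_on_initiation)
    ex.deposit_initiated("attacker", "tx-1", 250_000)
    withdrew = ex.withdraw("attacker", 250_000)
    shortfall = ex.deposit_failed("attacker", "tx-1")
    return {"withdrew": withdrew, "treasury": ex.treasury, "shortfall": shortfall}


if __name__ == "__main__":
    print("flawed  :", simulate(True))    # withdrawal succeeds, treasury short 250000
    print("hardened:", simulate(False))   # withdrawal refused, treasury intact
```

The point the simulation makes is that the check at withdrawal time is not the problem; both versions verify the balance. The problem is what the balance means: once an unsettled deposit counts as spendable, every downstream control trusts a number the chain has not backed yet, and the loss lands on the treasury rather than on any customer.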
When Kraken contacted the researchers and asked them to return the assets, they declined, calling Kraken's demands unreasonable and unprofessional. They insisted that Kraken first provide an estimate of the damage the bug could have caused before they would return the funds. Percoco stated that Kraken is treating the case as extortion and has involved law enforcement accordingly.
The refusal of the self-described white-hat hackers to return the assets poses a significant challenge for Kraken and highlights how messy the handling of security incidents can become in the cryptocurrency world. Although the bug itself was contained within a short timeframe, the aftermath of the exploit underscores the need for robust security controls on the exchange side and for ethical conduct on the researcher side. Kraken's decision to treat the episode as extortion and escalate it to law enforcement sets out one path exchanges can take when a disclosure turns into a demand.