Kraken Chief Security Officer Nick Percoco disclosed that someone claiming to be a security researcher exploited a zero-day vulnerability to steal $3 million worth of cryptocurrency. The individual involved is refusing to return the stolen assets.
“On June 9 2024, we received a Bug Bounty program alert from a security researcher,” reads Percoco’s post on X. “No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.”
Kraken received a report concerning an “extremely critical” bug from a researcher on June 9. While the researcher provided no technical details about the alleged findings, they did mention that it could allow anyone to artificially increase their wallet’s balances.
According to Percoco, after the bug bounty report, the crypto exchange quickly started investigating the issue, assembling a cross-functional team to analyze it. The investigation revealed an “isolated bug” that an attacker could’ve used, under certain circumstances, to initiate a deposit and receive funds without fully completing it.
The vulnerability reportedly stemmed from a recent update affecting the user interface. The update credited client accounts immediately before their assets were cleared, enabling clients to trade on crypto markets in real time.
Although the vulnerability didn’t jeopardize client assets, it could let perpetrators artificially pump their Kraken accounts. Even though the company quickly addressed the shortcoming, the vulnerability had already been exploited within a few days, resulting in the theft of $3 million worth of crypto from the exchange platform’s treasury.
The security researcher who discovered the flaw is suspected of sharing the details with two others. Together, they exploited the flaw to extract $3 million from Kraken’s treasury. The company demanded a detailed account of their actions, a proof-of-concept for the on-chain activity, and the return of the withdrawn funds, as is customary in bug bounty practices.
However, the individuals involved refused to return the funds, leading the company to label their actions as outright extortion, rather than white-hat hacking.
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsNovember 14, 2024
September 06, 2024