• Kraken said third-party security researchers found a vulnerability, which was fixed by the crypto exchange.
• The researchers secretly withdrew nearly $3 million and refused to give it back without seeing the bounty amount first, Kraken said.
• Kraken noted that it would not pay the bounty to the researchers because they did not follow the program’s rules.

As an analyst with extensive experience in the cryptocurrency industry and cybersecurity, I find Kraken’s recent encounter with so-called “security researchers” deeply concerning. While it is commendable that Kraken swiftly addressed a reported vulnerability on its platform, the subsequent events raise serious questions about the intentions of these individuals.
As a researcher uncovering a security vulnerability on Kraken’s platform, I discovered that some individuals claiming to be security experts had exploited this weakness and withdrawn approximately $3 million from the exchange’s reserves. To my dismay, instead of responsibly reporting this issue to Kraken or cooperating with them to rectify it, these individuals chose an extortionate approach, threatening to reveal more vulnerabilities if their demands were not met.

Nick Percoco, Kraken’s head of security, announced on the social media platform X (previously Twitter) that a security alert was triggered in Kraken’s bug bounty program on June 9. The alert pointed to a vulnerability that allowed users to artificially inflate their account balances: under certain conditions, a malicious user could initiate a deposit on the platform and be credited the funds without the deposit process ever completing.

After receiving the report, Kraken promptly fixed the problem, with no impact on user funds, according to Percoco.

What came after raised red flags for Kraken’s team.

As a security analyst, I came across a vulnerability in the system and chose to share it with two individuals. Unfortunately, they exploited this information for their gain, withdrawing approximately $3 million from Kraken’s reserves rather than their own funds. It’s important to clarify that these funds belonged to Kraken’s treasury and not other clients’ assets.

The original report omitted the involvement of the two other people and the details of their transactions. When Kraken requested further information about their actions, they declined to provide it.

In place of a refund, they insisted on having a conversation with their business development team, and they’ve refused to return the funds until an estimated cost for the bug’s impact is presented. This behavior is not ethical hacking; it qualifies as extortion. (Percoco’s statement)

As a crypto investor, I’m always on the lookout for ways my favorite exchanges can enhance their security systems. One effective method some platforms use is inviting third-party hackers, often referred to as “white hats,” through bug bounty programs. By doing so, companies like Kraken and its competitor Coinbase can proactively identify vulnerabilities in their systems. This allows them to address these issues before malicious actors exploit them, ensuring a more secure environment for all users, including me as an investor.

Kraken’s program stipulates that, to receive a reward, an outside party must identify a problem, use the smallest amount necessary to validate the bug, return any assets taken, and disclose the details of the vulnerability. Because the security researchers did not adhere to these guidelines, they forfeit the reward.

A Kraken representative told CoinDesk that the exchange had collaborated in good faith with these researchers and, in keeping with its ten-year tradition of rewarding bug finders, had offered them substantial compensation. “We’re displeased by this incident and are currently cooperating with law enforcement to recover the stolen assets from the security researchers,” the representative said.

2024-06-19 18:39