Skip to content

Kraken crypto exchange faces extortion attempt from security researchers

Kraken crypto exchange faces extortion attempt from security researchers

On June 9, 2024, Kraken, a prominent cryptocurrency exchange, received an alarming Bug Bounty report. The report, submitted by a security researcher, claimed to have discovered an “extremely critical” bug that allowed balance inflation. However, what initially seemed like a routine vulnerability report quickly turned into an extortion attempt.

While investigating the bug report, a team led by Nick Percoco, Kraken’s Chief Security Officer, identified a $3 million exploit. Specifically, the executive addressed the whole situation in a thread on X (formerly Twitter), posted on June 19.

Notably, the investigation revealed that three accounts had exploited the reported flaw within days of each other. One account belonged to an individual who claimed to be a security researcher. Essentially, this person discovered and leveraged the bug to credit their account with $4 in crypto.

Perococo described it as sufficient to prove the flaw and collect a substantial reward through Kraken’s Bug Bounty program. However, things escalated quickly after noticing the other two accounts, which allegedly benefited from the first person’s disclosure.

“Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.”

– Nick Percoco

From a bug report to an extortion attempt

When Kraken requested a full account of their activities and the return of the withdrawn funds, the security researchers refused and demanded a call with their business development team, engaging in what Percoco described as extortion.

Moreover, the Chief Security Office explained that Kraken’s Bug Bounty program, in place for nearly a decade, has clear rules. In particular:

“Do not exploit more than necessary to prove the vulnerability, provide a proof of concept, and immediately return any extracted funds.”

According to the exchange’s executive, legitimate researchers have never faced issues with Kraken, which has always been responsive.

In the interest of transparency, the company disclosed the bug to the industry and is treating the incident as a criminal case, coordinating with law enforcement agencies. The exchange emphasized that ignoring bug bounty program rules and attempting to extort the company revokes a researcher’s “license to hack” and makes them criminals.

Kraken’s bug investigation

Furthermore, Nick Percoco revealed that the exchange regularly receives fake bug bounty reports. Nevertheless, Kraken treated this report seriously and promptly assembled a team to investigate. Within minutes, they discovered an isolated bug that, under specific circumstances, allowed a malicious attacker to initiate a deposit and receive funds without fully completing the transaction.

“To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”

– Nick Percoco

Kraken’s team mitigated the issue within an hour and 47 minutes, as reported by Percoco. The vulnerability was completely fixed within a few hours, ensuring it could not reoccur. The flaw stemmed from a recent user experience (UX) change that credited client accounts before their assets cleared, enabling real-time trading.

“This change was not thoroughly tested against the specific attack vector”

– Nick Percoco

Despite this isolated experience, Kraken remains committed to its Bug Bounty program, recognizing its importance in enhancing the overall security of the crypto ecosystem. The exchange looks forward to working with good-faith actors in the future while taking a stand against unethical behavior.

Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit etoro.com/trading/fees.

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
Securities trading offered by eToro USA Securities, Inc. (“the BD”), member of FINRA and SIPC. Cryptocurrency offered by eToro USA LLC (“the MSB”) (NMLS: 1769299) and is not FDIC or SIPC insured. Investing involves risk, and content is provided for educational purposes only, does not imply a recommendation, and is not a guarantee of future performance. Finbold.com is not an affiliate and may be compensated if you access certain products or services offered by the MSB and/or the BD

Read Next:

Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts

Sign Up

or

By submitting my information, I agree to the Privacy Policy and Terms of Service.

Already have an account? Sign In

Services

Disclaimer: The information on this website is for general informational and educational purposes only and does not constitute financial, legal, tax, or investment advice. This site does not make any financial promotions, and all content is strictly informational. By using this site, you agree to our full disclaimer and terms of use. For more information, please read our complete Global Disclaimer.