
Hack Announcement from Giant Cryptocurrency Exchange: Losses, Precautions Taken!


Kraken, a major cryptocurrency exchange, recently managed a security breach and potential extortion attempt after a supposed bug bounty report turned into a demand for money. Chief Security Officer Nick Percoco summarized the events, stating that a flaw was exploited to artificially inflate account balances. This incident led to an investigation involving law enforcement. He also emphasized the importance of adhering to ethical practices in security research.

Statement from the cryptocurrency exchange

As you have been following on Kriptokoin.com, hacking and fraud incidents are quite frequent in the crypto world. The cryptocurrency exchange Kraken has now encountered one of them. According to the exchange’s Chief Security Officer Nick Percoco, the exchange received a bug bounty program alert on June 9. The alert described a “highly critical” bug that would allow an attacker to artificially inflate the balance on its platform. Percoco said the report was reviewed, although it lacked details. In the process, he said, they discovered an isolated bug that allowed a malicious attacker to initiate a deposit to the platform and receive funds into their account without fully completing the deposit. Percoco noted that this was only the case in a specific set of circumstances.

The Chief Security Officer emphasized that no client assets were at risk. He said the bug was caused by a flaw in a recent UX change that credited clients’ accounts before asset deposits were fully cleared, effectively allowing a malicious attacker to “mint assets” in Kraken accounts “for a while”.
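The ordering problem described above, modeled as an added example (not Kraken's code, whose implementation the article does not describe). The class, method and account names are hypothetical, and `credit_on_initiate=True` stands in for crediting a balance before the deposit has cleared.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class Account:
    available: Decimal = Decimal("0")            # withdrawable: cleared funds only
    pending: dict = field(default_factory=dict)  # deposit_id -> amount awaiting clearance

class Ledger:
    """Hypothetical ledger; credit_on_initiate=True reproduces the flawed ordering."""
    def __init__(self, credit_on_initiate=False):
        self.credit_on_initiate = credit_on_initiate
        self.accounts = {}

    def _acct(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user, deposit_id, amount):
        acct = self._acct(user)
        if deposit_id in acct.pending:
            raise ValueError("duplicate deposit id")
        acct.pending[deposit_id] = amount
        if self.credit_on_initiate:       # flaw: balance credited before clearance
            acct.available += amount

    def settle_deposit(self, user, deposit_id, cleared):
        acct = self._acct(user)
        amount = acct.pending.pop(deposit_id)  # KeyError if unknown or already settled
        if cleared and not self.credit_on_initiate:
            acct.available += amount           # credit only once funds have cleared
        elif not cleared and self.credit_on_initiate:
            acct.available -= amount           # reversal comes too late if already withdrawn

    def withdraw(self, user, amount):
        acct = self._acct(user)
        if amount <= 0 or amount > acct.available:
            return False
        acct.available -= amount
        return True

def run_scenario(credit_on_initiate):
    """Constructed scenario: deposit started, withdrawal attempted, deposit then fails."""
    ledger = Ledger(credit_on_initiate)
    ledger.initiate_deposit("user-a", "dep-1", Decimal("100"))
    withdrew = ledger.withdraw("user-a", Decimal("100"))
    ledger.settle_deposit("user-a", "dep-1", cleared=False)
    return withdrew, ledger.accounts["user-a"].available
```

With the flawed ordering the withdrawal succeeds and the account ends negative, which is the shortfall the platform's own treasury absorbs; with credit deferred until clearance the withdrawal is refused.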

The exploit took place before the bounty submission

According to Nick Percoco, the bug was fully fixed within a few hours. However, he said that a later investigation revealed that the bug had been exploited by three accounts within a few days. Percoco claimed that one of the accounts was KYC’d to the person who discovered the bug and claimed to be a “security researcher”. He said that this person took advantage of the bug and deposited $4 into his account, which was enough to prove the bug, file a bug bounty report and claim a large reward.

However, Kraken’s CSO claimed that the researcher instead disclosed the bug to two other people they were working with. He also said that these individuals then withdrew much larger sums from Kraken accounts, totaling nearly $3 million. “This was from Kraken’s treasury, not from other customer assets,” Percoco explained.


“This is not white hat hacking, this is extortion!”

Nick Percoco said Kraken is demanding a full accounting of the researchers’ activities and the return of the funds. But the researchers allegedly refused to return any funds until Kraken disclosed the potential extent of the damage the exploit could have caused if they had not disclosed the bug. “This is not white hat hacking, this is outright extortion!” Percoco said.

Percoco said the cryptocurrency exchange was accused by investigators of being “unreasonable” and “unprofessional” in its demands. He also noted that Kraken would not disclose the research firm involved. However, he added that he will treat this as a criminal case due to the violation of the bug bounty conditions. In this context, Percoco made the following statement:

We will not disclose this research firm because they do not deserve to be recognized for their actions. We are treating this as a criminal case and we are coordinating with law enforcement accordingly.
