The white-hat hackers found a bug that allowed users to artificially inflate their balance on Kraken.
Leading cryptocurrency exchange Kraken’s chief security officer Nick Percoco has revealed that an undisclosed white-hat hacker group has refused to return digital assets worth roughly $3 million, which they stole from the platform’s treasury by exploiting a bug in its system.
In a series of X posts, Percoco said the security researchers are demanding that the exchange pay them an estimate of the amount it could have lost had they not disclosed the bug, and that they will not return the stolen funds until it does.
Security Researchers Disclose Kraken Bug
According to Percoco, a security researcher sent a Bug Bounty program alert to Kraken on June 9, claiming that they had found an “extremely critical” bug that allowed users to inflate their balance on the platform artificially. While the exchange was wary of receiving multiple fake bug bounty reports daily, it took the claim seriously and assembled a team to investigate the issue.
The team found a bug that allowed cybercriminals to initiate deposits on Kraken and receive funds in their accounts without completing the deposits. Although the bug did not put customer funds at risk, an attacker could print assets in their accounts and place withdrawals that could be extracted from Kraken’s treasury.
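The failure mode described above, crediting a spendable balance when a deposit is merely initiated rather than when it settles, as an added illustration. This is constructed code, not Kraken's own (the article gives no details of the actual implementation); it shows a toy ledger that credits on initiation beside one that credits only settled deposits, plus the reconciliation check a defender would run over accounts to spot balances that were withdrawn against unsettled credit. Class and function names and the amounts are assumptions.

```python
"""Toy deposit ledger: vulnerable (credits on initiation) vs. hardened
(credits on settlement). Constructed example, not an exchange's real code."""

from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # user announced a deposit; nothing received yet
    SETTLED = "settled"       # funds confirmed on the receiving side


@dataclass
class Deposit:
    deposit_id: str
    amount: int               # constructed: integer smallest units, never floats
    state: DepositState = DepositState.INITIATED


@dataclass
class Account:
    deposits: dict = field(default_factory=dict)   # deposit_id -> Deposit
    withdrawn: int = 0


class InsufficientFunds(Exception):
    pass


class VulnerableLedger:
    """Counts every deposit toward the spendable balance as soon as it is
    initiated, so a deposit that never settles still backs a withdrawal."""

    def initiate_deposit(self, acct: Account, dep_id: str, amount: int) -> None:
        acct.deposits[dep_id] = Deposit(dep_id, amount)

    def settle_deposit(self, acct: Account, dep_id: str) -> None:
        acct.deposits[dep_id].state = DepositState.SETTLED

    def balance(self, acct: Account) -> int:
        # Bug: deposit state is ignored entirely.
        return sum(d.amount for d in acct.deposits.values()) - acct.withdrawn

    def withdraw(self, acct: Account, amount: int) -> int:
        if amount > self.balance(acct):
            raise InsufficientFunds(f"requested {amount}, spendable {self.balance(acct)}")
        acct.withdrawn += amount
        return self.balance(acct)


class HardenedLedger(VulnerableLedger):
    """Same interface, but only settled deposits are spendable. Initiated
    deposits are visible as 'pending' and never back a withdrawal."""

    def balance(self, acct: Account) -> int:
        return (
            sum(d.amount for d in acct.deposits.values()
                if d.state is DepositState.SETTLED)
            - acct.withdrawn
        )

    def pending(self, acct: Account) -> int:
        return sum(d.amount for d in acct.deposits.values()
                   if d.state is DepositState.INITIATED)


def settled_shortfall(acct: Account) -> int:
    """Reconciliation check for the defender: how much has been withdrawn
    beyond what actually settled. Positive means funds left the treasury
    against unsettled credit and the account needs review."""
    settled = sum(d.amount for d in acct.deposits.values()
                  if d.state is DepositState.SETTLED)
    return max(0, acct.withdrawn - settled)


def phantom_withdrawal_succeeds(ledger: VulnerableLedger) -> bool:
    """Does a withdrawal go through against a deposit that never settled?"""
    acct = Account()
    ledger.initiate_deposit(acct, "dep-1", 1_000)   # constructed amount
    try:
        ledger.withdraw(acct, 1_000)
        return True
    except InsufficientFunds:
        return False


if __name__ == "__main__":
    print("vulnerable allows phantom withdrawal:",
          phantom_withdrawal_succeeds(VulnerableLedger()))
    print("hardened allows phantom withdrawal:",
          phantom_withdrawal_succeeds(HardenedLedger()))
```

The reconciliation function is the piece worth running periodically in practice: even with the hardened balance rule in place, a report of accounts whose withdrawals exceed their settled deposits is a cheap, state-independent check that catches the symptom the article describes regardless of which code path caused it.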
The issue was contained within two hours of being identified. The team traced the bug to a flaw in Kraken’s latest user experience (UX) update. Upon further investigation, Kraken found that three accounts had already exploited the flaw. One account was linked to a user who claimed to be a security researcher.
It turns out the researcher found the bug first, used it to credit their Kraken account with $4 in crypto, and rather than file a bug bounty report with the appropriate team, informed their two colleagues, who exploited the flaw for larger sums. Collectively, they withdrew roughly $3 million in crypto from their accounts.
Bug Bounty Turned Extortion
When Kraken contacted the security researchers and requested an account of their activities and the return of the assets they withdrew, they refused. They called Kraken unreasonable and unprofessional and demanded that the platform pay them the estimated damage the bug could have caused.
Percoco said Kraken has taken the case to law enforcement agencies, since it now amounts to extortion.
“We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends,” Percoco stated.