TL;DR
- Kraken suffered an extortion attempt by security researchers.
- An error in a UX change allowed the system to be exploited to withdraw almost $3 million.
- Kraken responded with transparency and collaborated with authorities to treat the case as a crime.
On June 9, 2024, Kraken, a prominent cryptocurrency exchange platform, received an alarming report through its Bug Bounty program.
A security researcher claimed to have discovered an “extremely critical” vulnerability that allowed balance inflation.
What initially appeared to be a routine bug report quickly turned into an extortion attempt.
Kraken‘s security team, led by Nick Percoco, discovered that the bug in question stemmed from a recent user experience (UX) change.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
This change credited clients accounts before their assets were fully liquidated, allowing users to trade in real-time with unsecured funds.
Within days, three accounts exploited this vulnerability.
One of these accounts belonged to an individual who identified himself as a security researcher and who used the bug to credit himself with $4 in cryptocurrency, enough to prove the bug and claim a considerable reward through the Bug Bounty program.
However, this researcher did not act alone.
He shared the vulnerability with two collaborators, who exploited the flaw to withdraw almost $3 million from the exchange’s coffers.
This did not affect clients assets, but represented a significant drain on the company’s own funds.
When Kraken requested a full report of the activities and the return of withdrawn funds, security researchers refused and demanded a call with Kraken’s business development team.
This behavior, described by Percoco as extortion, violated the rules of the company’s Bug Bounty program.
Kraken, which has operated its bug bounty program for nearly a decade, has clear rules: Researchers must exploit the minimum necessary to test the vulnerability, provide a proof of concept, and immediately return any funds mined.
The investigators refusal to comply with these rules and their demand for a speculative amount regarding possible damages led the company to treat the incident as a criminal case, collaborating with law enforcement agencies.
Kraken’s Commitment to Security
Despite this negative experience, Kraken remains committed to its bug bounty program, considering its role in improving the security of the cryptocurrency ecosystem crucial.
The company has emphasized the importance of acting in good faith and following established rules to maintain the integrity of the program.
Nick Percoco expressed that over the years, Kraken has worked with numerous legitimate researchers without problems, always responding effectively and fairly.
This incident, although unfortunate, is considered isolated.
Kraken will continue to collaborate with ethical researchers and take strong action against those who attempt to exploit vulnerabilities for fraudulent purposes.
In an effort to maintain transparency, Kraken has decided to publicly disclose the bug and its details.
The company emphasizes that ignoring the rules of the bounty program and trying to extort money from the company revokes the “hacking permission” that security researchers have, turning them into criminals.
