Hack Statement from Cryptocurrency Exchange: There is a Loss, Precautions Have Been Taken!

Kraken, a major cryptocurrency exchange, recently reported a security breach and potential extortion attempt after a supposed bug bounty report turned into a request for money. Chief Security Officer Nick Percoco summarized the events, stating that a flaw was exploited to artificially inflate account balances. This incident led to an investigation involving law enforcement. He also emphasized the importance of adhering to ethical practices in security research.

Statement from the cryptocurrency exchange

As you can follow from cryptokoin.com, hacking and fraud incidents occur quite frequently in the crypto world. One of these was encountered by the cryptocurrency exchange Kraken. The exchange received a bug bounty program alert on June 9, according to Nick Percoco, the exchange’s Chief Security Officer. The warning described a “highly critical” bug that could allow an attacker to artificially inflate their balance on the platform. Percoco said the report was reviewed, although it lacked details. He stated that in the process, they discovered an isolated bug that allowed a malicious attacker to initiate deposits to the platform and receive funds into their accounts without fully completing the deposit. Percoco noted that this is only the case in a select set of situations.

The Security Officer underlined that no customer assets were at risk. He stated, however, that the bug was caused by a flaw in a recent UX change that credited customers’ accounts before asset deposits were fully cleared, allowing a malicious attacker to effectively “mint assets” in Kraken accounts for “a period of time.”

Abuse occurred before award presentation

According to Nick Percoco, this bug was completely fixed within a few hours. However, he said a subsequent investigation revealed that the bug had been exploited by three accounts within a few days. Percoco claimed that one of the accounts was KYCed to the person who discovered the bug and claimed to be a “security researcher.” The person in question took advantage of the bug and deposited $4 into his account, which was enough to prove the bug, file a bug bounty report, and claim a large reward, the executive said.

However, Kraken’s CSO claimed that the researcher instead disclosed the bug to two other people they worked with. He also said these people then withdrew much larger sums from their Kraken accounts, totaling about $3 million. “This was from Kraken’s treasuries, not from other client assets,” Percoco explained.

“This is not white hat hacking, this is extortion!”

Nick Percoco said he is demanding a full accounting of Kraken’s activities and the return of the funds. But the researchers allegedly refused to return any funds until Kraken explained the potential extent of the exploit had they not disclosed the bug. Percoco said: “This is not white hat hacking, this is outright extortion!”

Percoco stated that the researchers accused the cryptocurrency exchange of being “unreasonable” and “unprofessional” in its demands. He also stated that Kraken would not disclose the relevant research firm. However, he added that he would treat this as a criminal case due to violation of bug bounty conditions. In this context, Percoco made the following statement:

We will not disclose this research company because they do not deserve to be recognized for their actions. We are treating this as a criminal case and are coordinating with law enforcement accordingly.
