Kraken disclosed that an unidentified security researcher exploited a zero-day vulnerability in its system, described as "extremely critical", resulting in the theft of $3 million worth of digital assets.
The culprit has refused to return the stolen amount despite numerous attempts to recover it.
Kraken's Chief Security Officer, Nick Percoco, discussed the incident on X. According to his post, a researcher had alerted the company to a bug through its Bug Bounty program. The report claimed the flaw allowed someone to artificially inflate their balance, but gave no further details.
The company responded swiftly and identified a security problem that enabled an attacker to initiate a deposit and receive the funds in their account without ever completing it.
Kraken clarified that the issue did not put any client assets in jeopardy, although it could have allowed a malicious party to generate false assets within their own accounts. The matter was resolved promptly and was mitigated 47 minutes after detection.
According to the report, the flaw was attributed to a recent change in the user interface that allowed customers to deposit funds and use them before the deposit had cleared.
Moreover, deeper examination revealed that three accounts, one of which belonged to the purported security researcher, had taken advantage of the vulnerability within a short span of time and withdrawn $3 million.
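As an added illustration (constructed here, not Kraken's code), the toy ledger below contrasts the weak behaviour described above, where the withdrawable balance is credited as soon as a deposit is initiated, with the hardened one, where funds stay pending until the deposit is confirmed. The `credit_before_confirmation` flag and the class names are assumptions.

```python
"""Toy exchange ledger: credit-on-initiate versus credit-on-confirm.
Constructed model of the bug class described in the article, not Kraken's code."""
from dataclasses import dataclass


@dataclass
class Account:
    available: int = 0  # withdrawable balance, in smallest currency units
    pending: int = 0    # announced deposits still awaiting on-chain confirmation


@dataclass
class Deposit:
    owner: Account
    amount: int
    confirmed: bool = False


class Ledger:
    def __init__(self, credit_before_confirmation: bool):
        # Hypothetical switch modelling the UI change: True is the weak behaviour.
        self.credit_before_confirmation = credit_before_confirmation

    def initiate_deposit(self, acct: Account, amount: int) -> Deposit:
        dep = Deposit(acct, amount)
        if self.credit_before_confirmation:
            acct.available += amount  # weak: spendable before the funds exist
        else:
            acct.pending += amount    # hardened: provisional credit only
        return dep

    def confirm_deposit(self, dep: Deposit) -> None:
        """Settlement callback; moves pending funds into the withdrawable balance."""
        if dep.confirmed:
            return
        dep.confirmed = True
        if not self.credit_before_confirmation:
            dep.owner.pending -= dep.amount
            dep.owner.available += dep.amount

    def withdraw(self, acct: Account, amount: int) -> bool:
        # Pending funds are never withdrawable; only confirmed balance counts.
        if amount <= 0 or amount > acct.available:
            return False
        acct.available -= amount
        return True


def withdraw_without_settling(credit_before_confirmation: bool) -> bool:
    """Initiate a deposit, never confirm it, then try to withdraw the same amount."""
    ledger = Ledger(credit_before_confirmation)
    acct = Account()
    ledger.initiate_deposit(acct, 4)  # constructed $4 test deposit
    return ledger.withdraw(acct, 4)
```

The check a defender wants is the invariant that the sum of withdrawable balances never exceeds the sum of confirmed deposits; the weak configuration violates it the moment a deposit is initiated.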
Percoco
Percoco stated that the person who found the bug in Kraken's funding system used it to add $4 worth of crypto to their account. With that amount of evidence, the individual could easily have demonstrated the flaw, submitted an official report to the team's bug bounty program and received a substantial reward under its rules.
Instead of reporting the bug, the so-called "security researcher" shared it with two accomplices, who exploited it to steal a large amount. The culprits were able to withdraw almost $3 million from Kraken's reserves; no client funds were involved.
In a bizarre twist, when Kraken asked them to disclose the proof-of-concept (PoC) exploit that generated the on-chain activity and to arrange the return of the withdrawn funds, they made an unexpected demand. Instead of honoring the request, they insisted that Kraken contact their business development team and pay a sum in exchange for releasing the assets.
Percoco denounced the act as extortion rather than white hat hacking, and urged those involved to return the stolen funds.
Although Kraken did not reveal the company's name, it confirmed that a security incident had occurred and that it was being handled as a criminal case in close collaboration with law enforcement agencies.
Percoco pointed out that, as a security researcher, you can lawfully "hack" into enterprises only if you adhere to the rules of the bug bounty program in which you are participating. Disregarding those rules and blackmailing the business voids your authorization to hack and marks both you and your organization as criminal actors.
CertiK Responds
CertiK, a security company specializing in blockchain technology, has revealed that it was responsible for the breach at Kraken. The firm said it discovered multiple significant vulnerabilities in the system that allowed unauthorized individuals to create fake cryptocurrency and withdraw it as legitimate digital assets from any account.
The firm defended its actions by stating on X that its research activities did not directly involve the assets of any genuine Kraken user, even though it had created millions of dollars' worth of crypto out of nowhere.
Despite minting and withdrawing numerous fake tokens as valid cryptocurrencies over a period of several days, no risk control or prevention measures were triggered until CertiK brought the issue to Kraken's attention. In CertiK's words, the failure lies with Kraken's sophisticated defense system: why was it unable to spot multiple test transactions? Large withdrawals from various testing accounts formed an integral part of its experimentation process.
CertiK also claimed that Kraken's security team had coerced its employees into returning an incorrect sum of cryptocurrency within an impractical timeframe, without providing any repayment addresses. Furthermore, it said these threats were made personally against individual CertiK staff members.
However, there is evidence indicating that a CertiK researcher may have begun probing and testing as early as May 27th, 2024, which contradicts the timeline of events presented by the company.
In its recent blog post, Kraken accused a "third-party security research company" of exploiting the flaw for financial gain before reporting it. The vulnerability has since been resolved, but during that period certain users were able to increase their Kraken account balance without fully completing a deposit.
Kraken receives the funds back
Nick Percoco, Kraken's CSO, announced on June 20th that all funds had been returned to the company, minus a small amount lost to fees. Kraken then distributed $2.9 million in recovered funds to its users through a USDT airdrop.