Crypto Exchange Kraken reveals $3 million in extortion following Bug Bounty Report
Kraken, one of the oldest cryptocurrency exchanges, revealed that, as a result of a bug-related exploit that has since been fixed, almost $3 million was stolen from its wallets.
According to Nick Percoco, Kraken's chief security officer, the cryptocurrency exchange received a bug bounty program alert on June 9, alerting it to a "very serious" flaw that allowed an attacker to artificially increase their balance on the platform.
Percoco, explaining how the bug was discovered, stated that “we receive fake bug bounty reports from people posing as "security researchers" on a daily basis. Anyone who manages a bug bounty program is familiar with this. But we took this seriously, and we put together a cross-functional team to investigate this right away. This is what we discovered.”
“We found a single, isolated bug in a matter of minutes. This allowed a malicious attacker to start depositing money on our platform and receiving funds from their account before the deposit was completed.”
“Our team of experts mitigated this vulnerability in exactly one hour and forty-seven minutes after we classified it as critical. The problem was entirely resolved in a matter of hours and could not reoccur. To be clear, there was never any risk to any client's assets. For a while, though, a malicious attacker could successfully print assets from their Kraken account.”
“Our team discovered a bug resulting from a recent UX modification that would instantly credit client accounts prior to the clearing of their assets, enabling clients to transact in real-time cryptocurrency markets. The UX change was not extensively tested against this particular attack vector. Upon addressing the vulnerability, we promptly looked into the matter and found that three different accounts had used this vulnerability within a few days of one another. Upon further investigation, we discovered that one account had been KYC'd to a person claiming to be a security researcher.”
“This person found a bug in our funding system and used it to get $4 in cryptocurrency credited to their account. This would have been adequate to demonstrate the vulnerability, submit a bug bounty report to our group, and, in accordance with the guidelines of our program, obtain a substantial payout. Rather, the "security researcher" revealed this bug to two other individuals who used it to create much larger amounts of money through fraud. In the end, they took out close to $3 million from their Kraken accounts. This came from Kraken's treasuries, not from the assets of other clients,” he added.
“We then asked for a complete report on their actions, a proof of concept that was utilized to initiate the on-chain activity, and to set up the reimbursement of the money they had taken out. This is standard procedure for all Bug Bounty initiatives. These security researchers declined. Rather than offering to reimburse any money until we provide an estimated dollar amount that this bug might have caused if they hadn't disclosed it, they have instead demanded a call with their business development team, which consists of their sales representatives.”
Percoco added, “This is extortion, not white-hat hacking! Today, we are revealing this bug to the industry in the spirit of transparency. We're facing accusations of being impractical and impolite for asking "white-hat hackers" to give back the items they pilfered from us. Incredible. This research company doesn't deserve to be known because of what they've done, so we won't reveal it. We are working with law enforcement agencies in accordance with our treatment of this as a criminal case.”
“We are still committed to protecting Kraken's mission with our Bug Bounty program, and it is an important component of our efforts to improve the general security of the cryptocurrency ecosystem,” he concluded.
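The credit-before-clearing flaw Percoco describes, modelled as an added illustration (this is not Kraken's code; the ledger, deposit ids and amounts are constructed): a toy account ledger run under both crediting policies, showing that only a settle-then-credit policy stops a withdrawal from being paid out against a deposit that never clears.

```python
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Toy account ledger with a switchable deposit-crediting policy (constructed example)."""
    credit_on_settlement: bool
    available: int = 0                              # spendable balance, in asset units
    unsettled: dict = field(default_factory=dict)   # deposit_id -> amount not yet final
    withdrawn: int = 0

    def announce_deposit(self, deposit_id: str, amount: int) -> None:
        """A deposit is observed on-chain but has not yet cleared."""
        self.unsettled[deposit_id] = amount
        if not self.credit_on_settlement:
            self.available += amount                # instant credit: the flaw described above

    def settle_deposit(self, deposit_id: str, confirmed: bool) -> None:
        """The deposit either clears or is dropped before it becomes final."""
        amount = self.unsettled.pop(deposit_id)
        if self.credit_on_settlement:
            if confirmed:
                self.available += amount            # credited only once it is final
        elif not confirmed:
            self.available -= amount                # reversing an already-spent credit goes negative

    def withdraw(self, amount: int) -> bool:
        """Withdrawals are permitted only against the spendable balance."""
        if amount > self.available:
            return False
        self.available -= amount
        self.withdrawn += amount
        return True


def run_scenario(credit_on_settlement: bool, deposit_clears: bool) -> tuple[int, int]:
    """Announce a deposit, try to withdraw, settle the deposit, try to withdraw again.

    Returns (total withdrawn, final balance); a negative balance is the exchange's loss.
    """
    ledger = Ledger(credit_on_settlement)
    ledger.announce_deposit("dep-1", 100)           # constructed deposit id and amount
    ledger.withdraw(100)                            # attempt before the deposit is final
    ledger.settle_deposit("dep-1", confirmed=deposit_clears)
    ledger.withdraw(100)                            # attempt after settlement
    return ledger.withdrawn, ledger.available
```

Under the instant-credit policy a deposit that never clears still pays out and leaves the exchange's treasury covering the shortfall; under settle-then-credit the same deposit pays nothing, while a deposit that does clear is withdrawable as soon as it is final.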
Disclaimer: This information should not be considered financial advice by any means. Please do your own research before making any investment decisions. The views in the articles are personal opinions only. Whale Insider is not responsible for any financial losses incurred.