In a startling incident, the prominent cryptocurrency exchange Kraken has disclosed a $3 million loss resulting from an exploited bug in its funding system. The breach, reported by Kraken’s Chief Security Officer Nick Percoco, highlights significant challenges in balancing security and ethical hacking within the crypto ecosystem.
On June 9, Kraken received an alert from a self-proclaimed security researcher about a critical bug in the exchange’s funding system. According to Percoco, the flaw originated from a recent UX change, allowing client accounts to be credited before their assets were fully cleared. This oversight enabled users to trade crypto markets in real time without actual funds being present.
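The failure mode described above (a balance credited before the deposit has cleared) can be shown with a small, hypothetical deposit ledger. This is an added example, not Kraken’s code or anything from the article: it contrasts the flawed “credit early” behaviour with a hardened pending/available split, and adds the reconciliation invariant a defender would monitor (no account may withdraw more than has actually settled).

```python
from dataclasses import dataclass


@dataclass
class Account:
    """Hypothetical exchange account (constructed for this example)."""
    pending: int = 0      # deposit announced, not yet confirmed on-chain
    available: int = 0    # settled funds that may be traded or withdrawn
    settled: int = 0      # running total of confirmed deposits
    withdrawn: int = 0    # running total of withdrawals


def deposit_announced(acct: Account, amount: int, credit_early: bool) -> None:
    """credit_early=True mirrors the flawed behaviour (balance usable before
    clearing); False is the hardened path that parks the funds as pending."""
    if credit_early:
        acct.available += amount
    else:
        acct.pending += amount


def deposit_settled(acct: Account, amount: int) -> None:
    """Confirmations reached: move funds from pending to available."""
    moved = min(amount, acct.pending)
    acct.pending -= moved
    acct.available += moved
    acct.settled += moved


def withdraw(acct: Account, amount: int) -> bool:
    """Withdrawals draw only on the available (settled) balance."""
    if amount <= 0 or amount > acct.available:
        return False
    acct.available -= amount
    acct.withdrawn += amount
    return True


def reconcile(acct: Account) -> bool:
    """Detection invariant: withdrawals must never exceed settled deposits."""
    return acct.withdrawn <= acct.settled


def run_scenario(credit_early: bool) -> tuple[bool, bool]:
    """Announce a deposit that never settles, then try to withdraw it.
    Returns (withdrawal_succeeded, ledger_consistent)."""
    acct = Account()
    deposit_announced(acct, 1_000, credit_early)   # constructed sample amount
    ok = withdraw(acct, 1_000)
    return ok, reconcile(acct)
```

Running `run_scenario(True)` reproduces the bug class (withdrawal succeeds, reconciliation fails), while `run_scenario(False)` refuses the withdrawal and keeps the ledger consistent.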
Percoco detailed the incident in a series of posts on X, stating, “This UX change was not thoroughly tested against this specific attack vector.” He further explained that within an hour and 47 minutes, Kraken’s team identified and mitigated the issue. However, the damage had already been done. Three accounts had exploited the bug within a few days, collectively withdrawing nearly $3 million from Kraken’s treasuries.
One of these accounts was linked to an individual who had completed Kraken’s KYC verification process, identifying themselves as a security researcher. This individual initially tested the bug with a $4 transaction, which would have been sufficient to prove the flaw and secure a reward through Kraken’s bug bounty program. Instead, they shared the information with two associates, leading to the fraudulent withdrawal of $3 million.
The researchers then demanded a reward for identifying the bug, refusing to return the stolen funds unless Kraken provided an estimated value of the potential damage the bug could have caused. Percoco criticized this approach, stating, “This is not white-hat hacking, it is extortion!”
Kraken’s response to the incident has been firm and transparent. Percoco emphasized the importance of ethical behavior in the cybersecurity community, saying, “As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack’.”
Kraken has been running a bug bounty program for nearly a decade, rewarding security researchers for identifying and reporting vulnerabilities. The program operates under strict guidelines: do not exploit more than necessary to prove the vulnerability, provide a proof of concept, and return any extracted funds immediately. Percoco noted that Kraken had never faced such an issue with legitimate researchers in the past.
In light of this incident, Kraken is coordinating with law enforcement agencies and treating the case as a criminal matter. The exchange has decided not to disclose the identities of the rogue researchers, asserting that they do not deserve recognition for their actions.
While no client assets were at risk during this incident, the breach underscores the importance of rigorous testing and ethical conduct in cybersecurity. Kraken’s bug bounty program remains a crucial component of its security strategy, and the exchange continues to encourage good-faith actors to participate.
“We’re thankful this issue was reported, but that’s where that thought ends,” Percoco concluded. “Our Bug Bounty program continues to be a vital shield in Kraken’s mission and a key part of our efforts to enhance the overall security of the crypto ecosystem.”
The Shib Daily has reached out to Kraken for comments, but has not received a response yet.
