In a startling incident, the prominent cryptocurrency exchange Kraken has disclosed a $3 million loss resulting from an exploited bug in its funding system. The breach, reported by Kraken’s Chief Security Officer Nick Percoco, highlights significant challenges in balancing security and ethical hacking within the crypto ecosystem.
On June 9, Kraken received an alert from a self-proclaimed security researcher about a critical bug in the exchange’s funding system. According to Percoco, the flaw originated from a recent UX change, allowing client accounts to be credited before their assets were fully cleared. This oversight enabled users to trade crypto markets in real time without actual funds being present.
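The following toy ledger is an added illustration, not Kraken's code (the exchange's internals are not public): it contrasts a deposit flow that makes an announced deposit spendable at once, as the paragraph above describes, with one that holds it as pending until it clears. The account model, scenario and amounts are constructed.

```python
from dataclasses import dataclass

@dataclass
class Account:
    available: int = 0  # settled funds that may back trades or withdrawals
    pending: int = 0    # deposits announced to the client but not yet final

def settle(acct: Account, amount: int) -> None:
    """Move a deposit that reached finality from pending to available."""
    if amount <= 0 or amount > acct.pending:
        raise ValueError("cannot settle more than is pending")
    acct.pending -= amount
    acct.available += amount

def withdraw(acct: Account, amount: int) -> bool:
    """Debit only settled funds; reject non-positive or oversized requests."""
    if amount <= 0 or amount > acct.available:
        return False
    acct.available -= amount
    return True

def run_scenario(credit_immediately: bool) -> dict:
    """Announce a deposit, attempt a withdrawal, then let the deposit fail.

    credit_immediately=True mirrors the flawed behaviour: the announced
    amount is spendable before clearance. False is the hardened flow: the
    amount sits in `pending` until settle() moves it to `available`.
    Amounts are constructed, in the smallest currency unit.
    """
    acct = Account()
    deposit = 1_000_000
    if credit_immediately:
        acct.available += deposit   # flawed: spendable before clearance
    else:
        acct.pending += deposit     # hardened: visible, not spendable
    withdrew = withdraw(acct, 900_000)
    # The deposit never clears (failed transfer, reorg, reversal), so the
    # bucket it was credited to is debited again. In the flawed flow the
    # money has already left, and the exchange carries the shortfall.
    if credit_immediately:
        acct.available -= deposit
    else:
        acct.pending -= deposit
    return {
        "withdrew": withdrew,
        "available": acct.available,
        "pending": acct.pending,
        "exchange_shortfall": max(0, -acct.available),
    }
```

The `exchange_shortfall` field is the reconciliation figure a treasury team would alert on: any positive value means funds were paid out against a credit that never settled.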
Percoco detailed the incident in a series of posts on X, stating, “This UX change was not thoroughly tested against this specific attack vector.” He further explained that within an hour and 47 minutes, Kraken’s team identified and mitigated the issue. However, the damage had already been done. Three accounts had exploited the bug within a few days, collectively withdrawing nearly $3 million from Kraken’s treasuries.
One of these accounts was linked to an individual who had completed Kraken’s KYC verification process, identifying themselves as a security researcher. This individual initially tested the bug with a $4 transaction, which would have been sufficient to prove the flaw and secure a reward through Kraken’s bug bounty program. Instead, they shared the information with two associates, leading to the fraudulent withdrawal of $3 million.
The researchers then demanded a reward for identifying the bug, refusing to return the stolen funds unless Kraken provided an estimated value of the potential damage the bug could have caused. Percoco criticized this approach, stating, “This is not white-hat hacking, it is extortion!”
Kraken’s response to the incident has been firm and transparent. Percoco emphasized the importance of ethical behavior in the cybersecurity community, saying, “As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack’.”
Kraken has been running a bug bounty program for nearly a decade, rewarding security researchers for identifying and reporting vulnerabilities. The program operates under strict guidelines: do not exploit more than necessary to prove the vulnerability, provide a proof of concept, and return any extracted funds immediately. Percoco noted that Kraken had never faced such an issue with legitimate researchers in the past.
In light of this incident, Kraken is coordinating with law enforcement agencies and treating the case as a criminal matter. The exchange has decided not to disclose the identities of the rogue researchers, asserting that they do not deserve recognition for their actions.
While no client assets were at risk during this incident, the breach underscores the importance of rigorous testing and ethical conduct in cybersecurity. Kraken’s bug bounty program remains a crucial component of its security strategy, and the exchange continues to encourage good-faith actors to participate.
“We’re thankful this issue was reported, but that’s where that thought ends,” Percoco concluded. “Our Bug Bounty program continues to be a vital shield in Kraken’s mission and a key part of our efforts to enhance the overall security of the crypto ecosystem.”
The Shib Daily has reached out to Kraken for comments, but has not received a response yet.