Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw
Cybercrime / Crypto Security
Crypto exchange Kraken revealed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform to steal $3 million in digital assets and refused to return them.
Details of the Incident
Kraken's Chief Security Officer, Nick Percoco, shared that the platform received a Bug Bounty program alert about a bug that "allowed them to artificially inflate their balance on our platform" without sharing any other details.
The company identified a security issue within minutes of receiving the alert that essentially permitted an attacker to "initiate a deposit onto our platform and receive funds in their account without fully completing the deposit."
While Kraken emphasized that no client assets were at risk, the issue could have enabled a threat actor to generate assets in their accounts. Kraken addressed the problem within 47 minutes.
The flaw stemmed from a recent user interface change that allows customers to deposit funds and use them before they were cleared.
Exploitation and Theft
Further investigation unearthed that three accounts, including one belonging to the supposed security researcher, had exploited the flaw within a few days of each other and siphoned $3 million.
"This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto," Percoco said. "This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program."
"Instead, the 'security researcher' disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken's treasuries, not other client assets."
Extortion and Response
In a strange turn of events, when approached by Kraken to share their proof-of-concept (PoC) exploit and to arrange the return of the funds, the involved parties instead demanded that the company get in touch with their business development team to pay a set amount to release the assets.
"This is not white hat hacking, it is extortion," Percoco said, urging the concerned parties to return the stolen funds.
The name of the company was not disclosed, but Kraken said it's treating the security event as a criminal case and that it's coordinating with law enforcement agencies about the matter.
Ethical Hacking Gone Wrong
"As a security researcher, your license to 'hack' a company is enabled by following the simple rules of the bug bounty program you are participating in," Percoco noted. "Ignoring those rules and extorting the company revokes your 'license to hack.' It makes you, and your company, criminals."
