Kraken’s $3 Million Bug Exploit Leads to Criminal Investigation


Crypto exchange Kraken reported that a security research firm withdrew roughly $3 million worth of digital assets by exploiting a bug on its platform and has so far refused to return them.

Kraken’s Chief Security Officer Nick Percoco explained the details of the incident on

According to Percoco, the flaw, which stemmed from a recent UX change on the exchange, could allow a malicious actor to artificially inflate their account balance. He explained:

“Our team discovered an error in a UX change that caused accounts to be credited prematurely, allowing users to trade in real-time before assets were released. This change has not been adequately tested based on this specific vulnerability… [So,] a malicious attacker could effectively imprint assets in their Kraken account.”

After fixing the bug, Kraken found that three accounts had exploited the flaw within a few days. Percoco revealed that the security researcher shared the information with two associates, who then withdrew nearly $3 million from Kraken’s treasury.
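The bug class Percoco describes is a settlement race: a deposit becomes spendable before it is final, so an attacker can withdraw against it and let the deposit fail. The toy ledger below is an added illustration, not Kraken’s code or its deposit pipeline; the class and method names, the hot-wallet figure and the attack sequence are constructed for the example. It places the premature-credit behaviour next to the settle-then-credit fix and runs the same attack against both.

```python
"""Toy exchange ledger: premature crediting versus settle-then-credit.

Illustrative model only. Names, flows and amounts are assumptions made for
this example; none of it is Kraken's code or describes its real pipeline.
"""
from dataclasses import dataclass


@dataclass
class Account:
    available: int = 0   # balance the user may trade or withdraw
    pending: int = 0     # deposits announced but not yet final


class InsufficientFunds(Exception):
    pass


class VulnerableLedger:
    """Credits 'available' as soon as a deposit is announced (the bug class)."""

    def __init__(self):
        self.accounts = {}
        self.hot_wallet = 0  # funds the exchange actually holds

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def deposit_announced(self, user, amount):
        # BUG: the deposit is not final, yet the user can already spend it.
        self.account(user).available += amount

    def deposit_finalized(self, user, amount):
        self.hot_wallet += amount   # funds actually arrive only here

    def deposit_failed(self, user, amount):
        # Claw back the credit; if the user already withdrew, this goes negative
        # and the shortfall is the exchange's loss.
        self.account(user).available -= amount

    def withdraw(self, user, amount):
        acct = self.account(user)
        if acct.available < amount:
            raise InsufficientFunds(user)
        acct.available -= amount
        self.hot_wallet -= amount


class HardenedLedger(VulnerableLedger):
    """Same API, but only finalized deposits become spendable."""

    def deposit_announced(self, user, amount):
        self.account(user).pending += amount   # shown in the UI, not spendable

    def deposit_finalized(self, user, amount):
        acct = self.account(user)
        acct.pending -= amount
        acct.available += amount
        self.hot_wallet += amount

    def deposit_failed(self, user, amount):
        self.account(user).pending -= amount   # nothing spendable to reverse


def run_attack(ledger_cls, amount=1_000):
    """Announce a deposit, withdraw immediately, then let the deposit fail.

    Returns (withdrawal_succeeded, hot_wallet_after, attacker_available_after).
    """
    ledger = ledger_cls()
    ledger.hot_wallet = 5_000   # constructed: other customers' funds on hand
    ledger.deposit_announced("attacker", amount)
    try:
        ledger.withdraw("attacker", amount)
        withdrew = True
    except InsufficientFunds:
        withdrew = False
    ledger.deposit_failed("attacker", amount)
    return withdrew, ledger.hot_wallet, ledger.account("attacker").available


def run_honest_deposit(ledger_cls, amount=250):
    """A legitimate deposit that finalizes; both ledgers must credit it."""
    ledger = ledger_cls()
    ledger.deposit_announced("alice", amount)
    ledger.deposit_finalized("alice", amount)
    return ledger.account("alice").available, ledger.hot_wallet


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableLedger))
    print("hardened:  ", run_attack(HardenedLedger))
```

Against the vulnerable ledger the withdrawal succeeds and the hot wallet is 1,000 short once the deposit fails; against the hardened ledger the withdrawal is refused because the announced deposit never reached `available`. The honest path is unchanged: a deposit that finalizes is credited in full in both versions.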

Extortion?

Percoco stated that Kraken contacted these individuals for a full report and to return the withdrawn funds.

However, these requests were ignored. Instead, the researchers demanded a payment based on a speculative estimate of the damage the bug could have caused had they not disclosed it.

Percoco condemned these actions as unethical and criminal, stating:

“As a security researcher, your license to ‘hack’ a company is made possible by following the simple rules of the bug bounty program you participate in. If you ignore these rules and extort the company, your ‘license to hack’ will be revoked. It makes you and your company criminals.”

Kraken is therefore treating the incident as a criminal matter and is cooperating with law enforcement.

Kraken had not responded to CryptoSlate’s request for additional comment as of press time.
