Kraken’s chief security officer recently revealed that a bug in the exchange’s funding system resulted in a $3 million loss due to exploitation by rogue security researchers.
In early June, the American crypto exchange Kraken faced a significant setback when a “security researcher” exploited a bug, leading to a loss of around $3 million worth of cryptocurrency. Chief Security Officer Nick Percoco highlighted this incident, emphasizing the unethical behavior of those involved.
“Every day we receive fake bug bounty reports from people claiming to be ‘security researchers.’ This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross-functional team to dig into this issue. Here is what we found,” stated Percoco.
According to Percoco, the team was first alerted by a “security researcher” about a potential bug on June 9. The team later identified a “flaw deriving from a recent UX change” that allowed client accounts to be credited before their assets were cleared. This flaw enabled clients to trade cryptocurrencies in real time. Percoco admitted that the exchange had not tested the UX change against this specific attack vector before the incident.
“This UX change was not thoroughly tested against this specific attack vector,” Percoco wrote.
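The settlement-ordering flaw described above, reduced to a toy ledger: the vulnerable path credits the spendable balance as soon as a deposit is initiated, while the hardened path holds it as pending until clearing. This is an added illustration, not Kraken’s code; the `Ledger` and `Account` classes and the “alice” scenario are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Account:
    available: float = 0.0  # spendable balance
    pending: float = 0.0    # deposited but not yet settled

class Ledger:
    def __init__(self, require_settlement: bool):
        self.require_settlement = require_settlement
        self.accounts: dict[str, Account] = {}

    def account(self, name: str) -> Account:
        return self.accounts.setdefault(name, Account())

    def deposit_initiated(self, name: str, amount: float) -> None:
        acct = self.account(name)
        if self.require_settlement:
            acct.pending += amount      # hardened: hold until cleared
        else:
            acct.available += amount    # flaw: credited before clearing

    def deposit_settled(self, name: str, amount: float) -> None:
        acct = self.account(name)
        if self.require_settlement:
            acct.pending -= amount
            acct.available += amount

    def deposit_failed(self, name: str, amount: float) -> None:
        acct = self.account(name)
        if self.require_settlement:
            acct.pending -= amount      # nothing was ever spendable
        else:
            acct.available -= amount    # can go negative: funds already out

    def withdraw(self, name: str, amount: float) -> bool:
        acct = self.account(name)
        if acct.available < amount:
            return False
        acct.available -= amount
        return True

def simulate(require_settlement: bool) -> tuple[bool, float]:
    """Deposit that never clears, then a withdrawal before settlement (constructed)."""
    ledger = Ledger(require_settlement)
    ledger.deposit_initiated("alice", 100.0)
    withdrew = ledger.withdraw("alice", 100.0)
    ledger.deposit_failed("alice", 100.0)
    return withdrew, ledger.account("alice").available
```

A negative final balance in the unsettled variant is the exchange’s loss; a reconciliation job that flags any account whose available balance drops below zero, or whose withdrawals exceed settled deposits, is the corresponding detection control.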
After addressing the vulnerability, Kraken discovered that three accounts had exploited the same flaw within a few days of each other. Instead of reporting the bug directly, the security researcher allegedly shared the information with two associates. These individuals eventually withdrew nearly $3 million from Kraken’s funds.
Percoco noted that the initial report from the “security researcher” did not fully disclose the bug. Consequently, the team had to re-confirm some details before proceeding with rewarding them for identifying a security flaw. Kraken requested a full account of their activities, a proof of concept, and the return of the withdrawn funds. The individuals refused to comply, which Percoco described as “not white-hat hacking” but rather “extortion.” It remains unclear whether Kraken identified all the attackers or recovered the stolen funds.