Cryptocurrency exchange Kraken recently disclosed a bug exploit resulting in nearly $3 million in losses.
On June 9, Kraken detected an exploit that allowed a bad actor to steal nearly $3 million. Kraken’s Chief Security Officer, Nick Percoco, shared details about the incident.
“A security researcher alerted us to a critical bug on June 9, 2024,” Percoco explained. The bug enabled the attacker to artificially inflate their balance on the platform.
Vulnerability Discovered in Kraken’s System
The bug allowed deposits to be completed without authorization, crediting the attacker's account with unearned funds. The flaw originated from a recent UX update on Kraken’s platform.
Kraken confirmed no client assets were compromised. However, the investigation revealed that three accounts exploited the bug.
Collusion Among Security Researchers
A security researcher identified the bug and credited their account with $4 to demonstrate the flaw. Instead of reporting it, they shared the bug with two colleagues, who then exploited it to generate larger sums.
Kraken’s losses amounted to nearly $3 million, taken from the exchange’s treasuries.
Extortion Attempts Follow the Bug Exploit
Kraken attempted to recover the funds but faced resistance. The researchers demanded a speculative amount before returning any funds, which amounted to an extortion attempt.
“This is not white-hat hacking; it is extortion!” Percoco stated.
Legal Action Underway
Kraken has decided to treat the incident as a criminal case and is coordinating with law enforcement. The research company involved remains undisclosed.