Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw

June 19, 2024Daily NewsOnline Crime / Digital Currency Protection

An unnamed security researcher exploited a critical zero-day flaw in the Kraken cryptocurrency exchange to illegally withdraw $3 million in digital assets and has refused to return them.

Details of the incident were disclosed by Nick Percoco, Kraken's Chief Security Officer, on X (formerly Twitter). He said a report submitted to the company's bug bounty program flagged a bug that “allowed them to inflate their balance on our system,” without giving any further specifics.

Kraken patched the vulnerability within minutes of receiving the report. The flaw would have allowed an attacker to “initiate a deposit onto our platform and gain funds in their account without completing the deposit fully.”

Kraken stressed that customer assets were never at risk, even though the flaw could have let a malicious actor create assets in their own account out of nothing. The issue was fixed within 47 minutes.

The flaw stemmed from a recent change to the user interface that allowed clients to deposit funds and use them before the deposit had cleared.
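The failure mode described above (a deposit credited to a spendable balance before it is confirmed, so funds the platform never received can be withdrawn) is easy to reason about in a small ledger model. The following is an added illustration, not Kraken's code or a description of its systems: it contrasts a ledger that credits on deposit initiation with one that keeps pending and available balances separate, and it includes a reconciliation check that would flag the inflated balance. Account names and amounts are constructed.

```python
"""Added illustration (not Kraken's code): why crediting a deposit before it
clears lets an account spend funds the platform never received, and how a
ledger that separates pending from available balance, plus a reconciliation
check, prevents and detects it. All account names and amounts are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # initiated by the client, not yet confirmed on-chain
    CONFIRMED = "confirmed"  # funds actually received by the platform
    FAILED = "failed"        # abandoned or rejected; nothing was received


@dataclass
class Deposit:
    account: str
    amount: int              # smallest unit as an integer, to avoid float rounding
    state: DepositState = DepositState.PENDING


@dataclass
class Ledger:
    # credit_on_initiate=True models the weak behaviour the article describes:
    # the balance becomes spendable as soon as a deposit is *initiated*.
    credit_on_initiate: bool
    available: dict = field(default_factory=dict)   # spendable balance per account
    pending: dict = field(default_factory=dict)     # initiated-but-unconfirmed per account
    deposits: list = field(default_factory=list)
    withdrawn: dict = field(default_factory=dict)

    def initiate_deposit(self, account: str, amount: int) -> Deposit:
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        dep = Deposit(account, amount)
        self.deposits.append(dep)
        if self.credit_on_initiate:
            # Weak: spendable funds appear before anything was received.
            self.available[account] = self.available.get(account, 0) + amount
        else:
            # Hardened: tracked separately; nothing is spendable yet.
            self.pending[account] = self.pending.get(account, 0) + amount
        return dep

    def confirm_deposit(self, dep: Deposit) -> None:
        if dep.state is not DepositState.PENDING:
            raise ValueError("only pending deposits can be confirmed")
        dep.state = DepositState.CONFIRMED
        if not self.credit_on_initiate:
            self.pending[dep.account] -= dep.amount
            self.available[dep.account] = self.available.get(dep.account, 0) + dep.amount

    def fail_deposit(self, dep: Deposit) -> None:
        if dep.state is not DepositState.PENDING:
            raise ValueError("only pending deposits can fail")
        dep.state = DepositState.FAILED
        if not self.credit_on_initiate:
            self.pending[dep.account] -= dep.amount
        # Weak ledger: the early credit is never reversed here, which is the bug.

    def withdraw(self, account: str, amount: int) -> bool:
        if amount <= 0 or self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
        return True

    def reconcile(self) -> int:
        """Detection: spendable plus already-withdrawn funds may never exceed
        what was actually received. Returns the shortfall (0 means the books balance)."""
        received = sum(d.amount for d in self.deposits if d.state is DepositState.CONFIRMED)
        claimed = sum(self.available.values()) + sum(self.withdrawn.values())
        return max(0, claimed - received)


def run_scenario(credit_on_initiate: bool) -> tuple:
    """Initiate a deposit, never complete it, try to withdraw.
    Returns (withdrawal_succeeded, reconciliation_shortfall)."""
    ledger = Ledger(credit_on_initiate=credit_on_initiate)
    dep = ledger.initiate_deposit("acct-constructed-1", 4_000_000)
    ok = ledger.withdraw("acct-constructed-1", 4_000_000)  # attempt before confirmation
    ledger.fail_deposit(dep)  # the deposit is never completed
    return ok, ledger.reconcile()


if __name__ == "__main__":
    print("weak ledger:", run_scenario(True))       # (True, 4000000): paid out funds never received
    print("hardened ledger:", run_scenario(False))  # (False, 0)
```

The `reconcile` check is the defensive point: a periodic comparison of credited balances against confirmed inflows would have surfaced an inflated balance independently of whichever UI or funding path introduced it.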

Further investigation showed that three accounts, one of them belonging to the self-described security researcher, had exploited the flaw within a short period of each other and withdrawn $3 million in total.

Percoco disclosed, “This individual identified a weakness in our funding mechanism and exploited it to add $4 in cryptocurrency to their account. This operation would have sufficed to demonstrate the flaw, report a bug to our team, and receive a significant reward according to our set guidelines.”

He continued, “Instead, the so-called security assessor disclosed this loophole to two accomplices who illicitly withdrew significantly larger sums. They collectively extracted almost $3 million from their Kraken accounts, sourced from Kraken’s reserves rather than other customer assets.”

Kraken contacted the individuals after identifying the on-chain activity used to generate the funds and asked them to return the assets. Instead, they demanded that the company contact their business development team to agree on a fixed amount before the assets would be released.

Percoco called this extortion rather than ethical hacking and urged those involved to return the misappropriated funds.

The name of the researcher's company was not disclosed, but Kraken is treating the incident as a criminal matter and is working with law enforcement.

Percoco advised, “As a security analyst, your entitlement to ‘hack’ a corporation is granted by adhering to the rules outlined in the bug reward program in which you partake. Disregarding these regulations and extorting the company revokes your ‘hacking license,’ categorizing you and your organization as criminals.”
