Thursday, July 25, 2024

Kraken's Swift Solution: How a Major Bug Almost Resulted in Unauthorized Money Creation on the Exchange

Kraken, a prominent international cryptocurrency exchange, recently faced a significant security threat. The company was notified by a security researcher about a critical vulnerability that could have allowed unauthorized creation of digital assets. This incident highlights the ongoing difficulties that digital asset platforms encounter in maintaining strong security measures.

Upon receiving the warning, Kraken’s security team promptly looked into the issue, distinguishing it from the usual false alarms. The bug that was found was particularly serious—it allowed users to register deposits and receive corresponding credits to their accounts without actually transferring any funds.

This flaw stemmed from a recent user experience update that credited user accounts before confirming the deposit, creating a hypothetical risk of generating digital assets out of nothing.
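
A minimal model of the flaw class described above, as an added example that is not Kraken's code or part of the original article; the `Ledger`, `Account` and `unbacked_withdrawal` names and the sample values are hypothetical. With `credit_early=True` a deposit is spendable before it is confirmed, while with `False` it sits in a non-withdrawable pending balance until it settles.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    available: int = 0                            # withdrawable balance (minor units)
    pending: int = 0                              # displayed, but not withdrawable
    open_deposits: dict = field(default_factory=dict)  # deposit id -> amount

class Ledger:
    """Toy deposit ledger; credit_early=True models crediting before confirmation."""
    def __init__(self, credit_early):
        self.credit_early = credit_early
        self.accounts = {}

    def initiate_deposit(self, user, dep_id, amount):
        acct = self.accounts.setdefault(user, Account())
        if amount <= 0 or dep_id in acct.open_deposits:
            raise ValueError("invalid or duplicate deposit")
        acct.open_deposits[dep_id] = amount
        if self.credit_early:
            acct.available += amount              # flaw: spendable before funds arrive
        else:
            acct.pending += amount                # visible only, until settlement

    def resolve_deposit(self, user, dep_id, succeeded):
        acct = self.accounts[user]
        amount = acct.open_deposits.pop(dep_id)   # KeyError if unknown or already resolved
        if self.credit_early:
            if not succeeded:
                acct.available -= amount          # clawback can arrive too late
        else:
            acct.pending -= amount
            if succeeded:
                acct.available += amount          # credit only once funds are confirmed

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        if amount <= 0 or amount > acct.available:
            return False
        acct.available -= amount
        return True

def unbacked_withdrawal(credit_early):
    """Deposit that never settles, with a withdrawal attempted in between."""
    ledger = Ledger(credit_early)
    ledger.initiate_deposit("alice", "d1", 1000)  # constructed sample values
    withdrew = ledger.withdraw("alice", 1000)
    ledger.resolve_deposit("alice", "d1", succeeded=False)
    return withdrew, ledger.accounts["alice"].available
```

A negative `available` balance after resolution is the signal worth alerting on: it means funds left the platform against a credit that was never backed.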

Implications and Steps Taken
The investigation discovered that only three accounts exploited the bug, including the one belonging to the whistleblower. While the researcher demonstrated the exploit by creating a small amount of cryptocurrency, they failed to officially report it through Kraken’s Bug Bounty program.
Instead, they shared the method with two others who then used the vulnerability to siphon off millions in cryptocurrency, resulting in unauthorized withdrawals totaling approximately $3 million.

Nick Percoco, Kraken’s chief security officer, acknowledged the challenge in handling the situation due to the incomplete initial report that lacked crucial transaction details.

Kraken Security Update:
On June 9, 2024, we received an alert from a security researcher through our Bug Bounty program. They did not initially provide specifics, but their email claimed to have found an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five)
June 19, 2024

The discussion with the researchers came to a standstill as they demanded a ransom instead of returning the funds, suggesting a payout based on the potential financial damage the bug could have caused.

Kraken, labeling these demands as extortion, has chosen not to publicly disclose the name of the security firm involved and is taking legal action, treating the issue as a criminal case. The company assured users that no client assets were compromised at any point.
