The U.S. crypto exchange Kraken is embroiled in a controversy after alleging that “security researchers” exploited a platform vulnerability to withdraw nearly $3 million from its treasury and subsequently turned to extortion. Nick Percoco, Kraken’s Chief Security Officer, disclosed via social media platform X that a bug enabled a malicious attacker to initiate a deposit and receive funds without completing the deposit process.
A security researcher raised the alert, identifying a vulnerability that allowed users to inflate their account balances artificially: a deposit could be initiated and the funds credited to the account without the deposit process ever completing.
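To make the class of flaw concrete from a defender's side, the following is an added illustration and not Kraken's code; the account, deposit and state names are assumptions. It places a deposit flow that credits the balance on initiation beside one that credits only on confirmed receipt, and adds a reconciliation check that flags any credit not backed by a confirmed deposit.

```python
from dataclasses import dataclass, field

INITIATED, CONFIRMED = "initiated", "confirmed"  # assumed deposit lifecycle states


@dataclass
class Deposit:
    amount: int
    state: str = INITIATED  # nothing has been received until CONFIRMED


@dataclass
class Account:
    balance: int = 0    # spendable ledger balance
    withdrawn: int = 0  # running total paid out
    deposits: dict = field(default_factory=dict)


def initiate_deposit_vulnerable(acct, dep_id, amount):
    """Flawed flow: the balance is credited when a deposit is merely initiated."""
    acct.deposits[dep_id] = Deposit(amount)
    acct.balance += amount  # credit granted before any funds have arrived
    return acct.balance

def initiate_deposit(acct, dep_id, amount):
    """Hardened flow: record the pending deposit and credit nothing yet."""
    acct.deposits[dep_id] = Deposit(amount)
    return acct.balance

def confirm_deposit(acct, dep_id, received):
    """Credit only when receipt is confirmed and matches the pending record."""
    dep = acct.deposits[dep_id]
    if dep.state != INITIATED or received != dep.amount:
        raise ValueError("deposit not pending or amount mismatch")
    dep.state = CONFIRMED
    acct.balance += received
    return acct.balance

def withdraw(acct, amount):
    """Withdrawals draw only on the credited (confirmed) balance."""
    if amount <= 0 or amount > acct.balance:
        raise ValueError("insufficient confirmed balance")
    acct.balance -= amount
    acct.withdrawn += amount
    return acct.balance

def phantom_credit(acct):
    """Reconciliation alert: credit not backed by confirmed deposits (0 when healthy)."""
    backed = sum(d.amount for d in acct.deposits.values() if d.state == CONFIRMED)
    return acct.balance + acct.withdrawn - backed
```

Run periodically against every account, a non-zero `phantom_credit` is the kind of alert the article says never fired.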
The situation took a concerning turn when the security researcher allegedly shared the bug with two other individuals. These individuals then “fraudulently” withdrew almost $3 million from Kraken’s treasury, not from client assets, Percoco clarified. The initial bug report did not mention these transactions, and when Kraken requested more details, the researchers demanded to know the potential financial impact of the bug before considering returning the funds.
“This is not white-hat hacking, it is extortion!” Percoco wrote, emphasizing Kraken’s stance that the researchers’ actions deviated from ethical hacking practices.
While Kraken did not disclose the identities of the researchers, blockchain code auditor Certik later claimed involvement. Certik stated that it discovered several vulnerabilities on Kraken’s platform during multi-day testing, indicating that millions of dollars’ worth of crypto could be fraudulently deposited and withdrawn without triggering any alerts.
Certik’s post on social media detailed that the situation deteriorated after initial discussions with Kraken, alleging that Kraken’s security team threatened Certik employees in order to recover the funds.
Bug bounty programs, commonly used by firms to identify and fix security vulnerabilities, rely on ethical hackers, or “white hats,” to disclose issues so companies can address them before malicious actors exploit them. Like many of its competitors, Kraken runs such a program with specific rules: the problem must be identified, only the minimum amount needed to prove the bug may be exploited, assets must be returned, and full details of the vulnerability must be provided.
Kraken stated that the security researchers failed to follow these protocols, thus disqualifying them from receiving the bounty. “We engaged these researchers in good faith and had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets,” a Kraken spokesperson told CoinDesk.
The unfolding situation between Kraken and the security researchers highlights the delicate balance in the realm of cybersecurity, where the line between ethical hacking and criminal activity can sometimes blur.