Kraken faced a $3 million security breach and extortion attempt after individuals exploited a vulnerability and demanded a bounty before returning the stolen funds.
Cryptocurrency exchange Kraken has reportedly been the victim of a security breach that led to the theft of nearly $3 million from the company's treasuries. According to a CoinDesk article, the bug was discovered by individuals who described themselves as "security researchers." After finding the vulnerability, rather than returning the funds as typically expected in bug bounty programs, they allegedly demanded to know the bounty amount before agreeing to give back the stolen funds, leading Kraken to accuse them of extortion.
Nick Percoco, Kraken's chief security officer, detailed the incident on social media, stating that the vulnerability was reported to the exchange on June 9. The flaw allowed an attacker to artificially inflate their account balance on the Kraken platform under certain conditions. Following the alert, Kraken swiftly resolved the issue, ensuring no user funds were compromised.
However, the situation escalated when the researchers, instead of adhering to Kraken's protocol for bug bounty rewards, secretly withdrew substantial sums. The two individuals involved in the extraction of funds are said to have learned of the bug from the initial finder and collectively withdrew nearly $3 million. Percoco emphasized that these funds were taken from Kraken's own treasuries and not from other client assets.
Kraken stated that the individuals involved did not follow the proper bug bounty program procedures, which require the finder to exploit only the minimum amount needed to prove the bug's existence, return the assets, and provide vulnerability details. Therefore, they would not be eligible for the bounty.
Blockchain security firm Certik later claimed in a separate social media post to have found the vulnerability, asserting that it had been threatened by Kraken during the process. Certik described conducting "multi-day testing" and noted the potential for significant financial exploitation of the bug.
The Block also covered the incident, highlighting that the bug was exploited before the bounty submission and that Kraken's internal investigation found that three accounts had misused the flaw. Percoco noted that one of the accounts was linked to the individual who reported the bug.
Kraken's chief security officer has expressed that the exchange views the actions of the researchers as criminal due to the breach of its bug bounty terms and is coordinating with law enforcement accordingly.