Kraken Faces Extortion Claims Following Bug Bounty Report, $3 Million Withdrawn From Treasury Assets

In Brief

The cryptocurrency platform Kraken received a Bug Bounty notification from a so-called 'security researcher' who later chose not to return the withdrawn funds.

The Chief Security Officer of the cryptocurrency exchange Kraken, Nick Percoco, announced on the social media platform X that on June 9th the exchange received a Bug Bounty alert from a security researcher. The email reported a highly critical vulnerability, without much detail, that posed a risk of artificially inflating balances on the platform.

Kraken uncovered and addressed a vulnerability that could allow a malicious entity to receive funds into their account without completing the full deposit process. This issue was linked to a recent user experience (UX) update that permitted client accounts to be credited prior to the complete clearance of their assets, thereby enabling instantaneous trading on cryptocurrency markets. Unfortunately, this specific UX modification was not extensively tested against potential attack vectors.

Moreover, it was revealed that three accounts had taken advantage of this vulnerability within a brief time frame. Upon thorough investigation, it was found that one of these accounts was linked to the 'security researcher' who initially identified and reported the bug in the system.

The so-called 'security researcher' subsequently shared insights about this bug with two associates. Collectively, these three accounts were able to withdraw nearly $3 million from Kraken’s funds, specifically from the company's treasury rather than client assets. When Kraken attempted to engage with the researchers to discuss a reward for reporting the security issue through its Bug Bounty program, the researchers refused to return any funds until the exchange could assess the possible financial implications of the bug had it gone unreported.

Nick Percoco pointed out that this incident felt more like extortion than genuine white-hat hacking, although he refrained from disclosing the name of the research firm involved. He emphasized that Kraken considers this matter a criminal issue and plans to work with law enforcement as necessary.

Kraken Bug Bounty Program Aims to Protect Cryptocurrency Users, Acknowledges 22 Reports in 2023

Kraken allows trading between cryptocurrencies and fiat currencies. Additionally, it provides options for cryptocurrency derivatives and futures trading. According to CoinMarketCap, Kraken ranks sixth among global cryptocurrency exchanges, boasting an average daily trading volume of approximately $741 million.

The Bug Bounty initiative underpins Kraken’s commitment to protecting users in the cryptocurrency space. Kraken pledges to refrain from taking legal action against security researchers who adhere to all Bug Bounty policies. Each submission to the program is assessed, and payouts correspond to the severity of the identified bug. In 2023, the initiative has recognized 22 reports out of a total of 461 submissions.
