Kraken’s chief security officer disclosed that a bug in the exchange’s funding system led to a $3 million loss after being exploited by rogue security researchers.

American crypto exchange Kraken lost around $3 million worth of crypto in early June after a rogue “security researcher” exploited a bug in the exchange’s funding system. Kraken’s chief security officer Nick Percoco disclosed the incident in an X thread, emphasizing the breach of ethical standards by the individuals involved.

Everyday we receive fake bug bounty reports from people claiming to be “security researchers”. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross functional team to dig into this issue. Here is what we found.

— Nick Percoco (@c7five) June 19, 2024

As per Percoco, the team first received a notification from a “security researcher” about a potential bug on Jun. 9. Later on, the team found a “flaw deriving from a recent UX change” that would allow credit client accounts before their assets cleared, enabling clients to effectively trade crypto markets in real-time. The Kraken CSO admitted the exchange didn’t test the UX change against that specific attack vector prior to the attack.

“This UX change was not thoroughly tested against this specific attack vector,” Percoco wrote.

You might also like: Kraken again asks to dismiss SEC lawsuit, citing incorrect wording

After patching the vulnerability, Kraken discovered that three accounts had earlier exploited the same flaw within a few days of each other. Instead of reporting the bug directly, the security researcher allegedly shared the information with two associates, Percoco said, adding that the unknown individuals ultimately withdrew nearly $3 million from Kraken’s treasuries.

Percoco pointed out that the initial report from the “security researcher” didn’t fully disclose the bug, so the team had to re-confirm some details to progress with rewarding them for successfully identifying a security flaw.

Kraken requested a full account of their activities, a proof of concept, and the return of the withdrawn funds. However, the individuals refused to comply, which Percoco described as “not white-hat hacking” but rather “extortion.” It remains unclear whether Kraken identified all the attackers or managed to recover the stolen funds.

Read more: Crypto exchange Kraken eyes $100m pre-IPO raise