Kraken said third-party security researchers found a vulnerability, which was fixed by the crypto exchange.
The researchers secretly withdrew nearly $3 million and refused to give it back without seeing the bounty amount first, Kraken said.
Kraken noted that it would not pay the bounty to the researchers because they did not follow the program's rules.
Crypto exchange Kraken said "security researchers" who found a vulnerability on the platform turned to "extortion" after withdrawing about $3 million from the exchange's treasury.
Nick Percoco, Kraken's chief security officer, said in a post on social media platform X (formerly Twitter) that the firm received a "bug bounty program" alert from a security researcher on June 9 about a vulnerability that allows users to artificially inflate their balance. The bug "allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit," Percoco added.
Kraken Security Update:On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
Upon receiving the report, Kraken fixed the issue swiftly and no user funds were affected, Percoco noted.
What came after raised red flags for Kraken's team.
The security researcher, upon finding the bug, allegedly disclosed it to two other individuals, who then "fraudulently" withdrew nearly $3 million from their Kraken accounts. "This was from Kraken’s treasuries, not other client assets," Percoco said.
The initial bug report didn't mention the two other individuals' transactions, and when Kraken asked for more details of their activities, they refused.
"Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco wrote.
Bug bounty programs – used by many firms to strengthen their security systems – invite third-party hackers, known as "white hats," to find vulnerabilities so the company can fix them before a malicious actor exploits them. Kraken's competitor, Coinbase, has a similar program to help alert the exchange of vulnerabilities.
To be paid the bounty, Kraken's program requires a third party to find the problem, exploit the minimum amount needed to prove the bug, return the assets and provide details of the vulnerability, Kraken said in a blog post, adding that since the security researchers didn't follow these rules, they won't get the bounty.
"We engaged these researchers in good faith and, in-line with a decade of running a bug bounty program, had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers," a Kraken spokesperson told CoinDesk.
Read more: Your Crypto Project Needs a Sheriff, Not a Bounty Hunter