The U.S. cryptocurrency exchange Kraken recently disclosed that a hacker claiming to be a security researcher exploited a serious vulnerability on its platform to steal $3 million worth of digital assets and is "extorting" them. The researcher reported the vulnerability on June 9, but he exploited it to withdraw funds from Kraken’s treasury rather than secure those funds.

Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.

— Nick Percoco (@c7five) June 19, 2024

Kraken chief security officer Nick Percoco revealed that the researcher and two accounts associated with him exploited the flaw to withdraw more than $3 million. After the exploit, the researchers demanded a reward before agreeing to return the stolen funds. In a June 19 X post, Percoco said this behavior was not white hat hacking but extortion.

In response to these incidents, Kraken emphasized that the stolen cryptocurrency came from its exchange treasury and that no user funds were affected.

CertiK, the security audit firm, then acknowledged on X that the security researchers Kraken referred to were CertiK's own white hat hackers. CertiK argued that after the vulnerability had been identified and remediated, Kraken's security operations team threatened individual CertiK employees, demanding repayment of a mismatched amount of cryptocurrency within an unreasonable time frame, without even providing a repayment address.

CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses. Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD

— CertiK (@CertiK) June 19, 2024

However, as the community looked into the incident more closely, it emerged that after withdrawing funds from Kraken, the attacker deposited some of them into a mixer, which is not the behavior one would expect from a legitimate white hat hacker.

just testing some tornado cash deposits after testing the kraken withdrawal feature

needed to make sure it still works pic.twitter.com/PL4zi7GzSW

— Spreek (@spreekaway) June 19, 2024

In addition, on-chain investigator 0xBoboShanti pointed out that an address previously made public by a CertiK security researcher was already seen probing and testing as early as May 27, which is inconsistent with CertiK's stated timeline of events.

The incident has not yet been resolved, but judging from the information available so far, public sentiment is running strongly against CertiK.

This article, "Audit firm insists on self-stealing? CertiK Accused of Exploiting Kraken Exchange Vulnerability and Malicious Blackmail", appeared first on Zombit.