Kraken, a well-known American cryptocurrency exchange, recently suffered a major security breach, resulting in the theft of at least $3 million worth of digital assets. However, Kraken stressed that user funds were not at risk.

In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.

— Nick Percoco (@c7five) June 19, 2024

A research team holds $3 million in Kraken assets

Kraken announced that a research team discovered a major security flaw in the exchange and is now holding $3 million worth of digital assets as a result. The vulnerability was first discovered and reported to Kraken on June 9 by an anonymous, self-proclaimed “security researcher.”

Vulnerability exploited, $3 million stolen

However, Kraken chief security officer Nick Percoco said two accounts linked to the researcher exploited the flaw to withdraw more than $3 million in digital assets. Percoco said:

"They asked to speak to the business team and refused to return any funds until we provided an estimate of the amount of damage the vulnerability could cause. This is not white hat hacking, this is extortion!"

User funds are not at risk

Kraken emphasized that the stolen cryptocurrencies were taken from Kraken’s own treasury and that user funds were not at risk.

Kraken’s response: This is not white hat hacking

In this incident, one of the three Kraken accounts linked to the breach had passed KYC verification. The owner of the account claimed to be a security researcher, but his identity has not been made public. The researcher initially demonstrated the vulnerability via a cryptocurrency transfer worth $4, which was enough to earn him a "significant reward" from Kraken's bug bounty program.

However, the researcher disclosed the vulnerability to two other accounts, from which nearly $3 million in funds was improperly withdrawn. Nick Percoco, Kraken’s chief security officer, said:

"In the interest of transparency, we disclosed this vulnerability to the industry today. We asked these 'white hat hackers' to return what they stole from us, only to be accused of being unreasonable and unprofessional. Unbelievable."

This article, “Kraken faces blackmail: $3 million was taken away through a vulnerability, should the vulnerability bounty be paid?”, first appeared on Chain News ABMedia.