The chief security officer for cryptocurrency exchange Kraken, Nick Percoco, said he had received an alert about a "highly critical" vulnerability that could be used to artificially inflate a balance on the platform. 🚨
The vulnerability, which has since been patched, allowed attackers to receive funds into their accounts without completing the full deposit process. The problem arose after a user-interface update that allowed funds to be credited to customers' accounts before their assets had fully cleared.
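An added illustration of the defensive design the report implies, not Kraken's code: a constructed two-phase deposit ledger that may display a pending credit immediately but lets withdrawals draw only on settled funds, so a credit shown before clearing can never be spent.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    settled: Decimal = Decimal("0")   # confirmed on-chain; withdrawable
    pending: Decimal = Decimal("0")   # shown to the user, never withdrawable


class Ledger:
    """Two-phase deposit ledger: credit as pending, then move to settled."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.open_deposits: dict[str, tuple[str, Decimal]] = {}

    def account(self, account_id: str) -> Account:
        return self.accounts.setdefault(account_id, Account())

    def deposit_initiated(self, deposit_id: str, account_id: str, amount: Decimal) -> None:
        # The UI may display this immediately, but it is only a pending credit.
        self.account(account_id).pending += amount
        self.open_deposits[deposit_id] = (account_id, amount)

    def deposit_settled(self, deposit_id: str) -> None:
        # Only a confirmed settlement moves value into the withdrawable bucket.
        account_id, amount = self.open_deposits.pop(deposit_id)
        acct = self.account(account_id)
        acct.pending -= amount
        acct.settled += amount

    def deposit_failed(self, deposit_id: str) -> None:
        # A reversed or never-confirmed deposit simply drops the pending credit.
        account_id, amount = self.open_deposits.pop(deposit_id)
        self.account(account_id).pending -= amount

    def withdraw(self, account_id: str, amount: Decimal) -> Decimal:
        # The flaw described above amounts to checking settled + pending here.
        acct = self.account(account_id)
        if amount <= 0 or amount > acct.settled:
            raise ValueError("insufficient settled funds")
        acct.settled -= amount
        return acct.settled

    def pending_exposure(self) -> Decimal:
        # Monitoring hook: total value displayed but not yet backed by settlement.
        return sum((a.pending for a in self.accounts.values()), Decimal("0"))
```

A reconciliation job that alerts when `pending_exposure()` grows unexpectedly, or when any withdrawal exceeds an account's settled deposits, is the detection counterpart to this design.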
Three accounts were found to have exploited this vulnerability within a short period. One of them belonged to the security researcher who initially discovered and reported the bug. Between them, these three accounts withdrew almost $3 million from Kraken accounts.
After Kraken approached the security researchers with an offer to reward them for discovering the vulnerability, the researchers refused to return the funds until the exchange had assessed the bug's potential financial impact.
According to Percoco, the incident is being treated as extortion rather than legitimate white-hat activity. He emphasized that Kraken regards it as a criminal matter and intends to cooperate with law enforcement agencies.
The Bug Bounty program supports Kraken's mission to keep users safe in the cryptocurrency market. In 2023, the program recognized 22 reports out of a total of 461 submissions. 💼