Bug Bounty Gone Wrong: Crypto Exchange Kraken Accuses Researcher of Extortion
In a surprising turn of events, cryptocurrency exchange Kraken finds itself embroiled in a situation where a security researcher’s bug report has taken a dark turn.
On June 9th, an anonymous individual claiming to be a security researcher alerted Kraken to a critical security flaw. However, according to Kraken’s Chief Security Officer, Nicholas Percoco, matters quickly deteriorated: two accounts linked to the researcher exploited the bug to steal over $3 million worth of digital assets.
Instead of simply reporting the vulnerability and collecting a reward through Kraken’s established bug bounty program, the researcher demanded a meeting with the exchange’s sales team and refused to return the stolen funds. Percoco, in a June 19th post, strongly condemned these actions, stating, “This is not white-hat hacking, it is extortion!”
Kraken emphasizes that no user funds were compromised in this incident. The stolen cryptocurrency originated directly from the exchange’s treasury. Determined to recover the stolen funds and hold the perpetrators accountable, Kraken is working diligently with law enforcement agencies.
While one of the three Kraken accounts used in the exploit had completed Know Your Customer (KYC) verification, the individual’s true identity remains unknown. The initial contact demonstrated the flaw with a small transfer of $4, sufficient proof to qualify for a significant reward under Kraken’s bug bounty program. However, the subsequent involvement of two other accounts and the theft of a much larger sum raise serious questions about the researcher’s true intentions.
Despite this negative experience, Kraken remains committed to its bug bounty program, a cornerstone of their security strategy. As Percoco emphasizes, “In the essence of transparency, we are disclosing this bug to the industry today.” He further expresses disbelief at being accused of unprofessionalism for seeking the return of stolen funds.
Crypto Security Concerns: Shifting Landscape
This incident highlights the evolving landscape of crypto security threats. While smart contract vulnerabilities were a major concern in 2022, Merkle Science’s “2024 Crypto HackHub Report” indicates a worrying trend. Crypto hackers and exploiters seem to be finding success in 2024, with stolen digital assets in the first quarter already exceeding those of the same period in 2023 by a significant 42%. Notably, private key leaks have emerged as the leading cause of these exploits, surpassing smart contract vulnerabilities.