Binance and Kraken apps on smartphones.
Kraken, one of the largest cryptocurrency brokers in the world, revealed that it had found a critical bug on its platform. In short, the vulnerability allowed hackers to print money to their accounts.
The information was presented by Nick Percoco, director of security at Kraken, on Wednesday (June 19).
“We discovered an isolated bug,” Percoco wrote. “This allowed a malicious attacker, under the right circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing it.”
“To be clear, no client’s assets were at risk. However, a malicious attacker could effectively ‘print’ assets in your Kraken account for a period of time.”
To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.
— Nick Percoco (@c7five) June 19, 2024
Percoco then notes that the flaw was fixed within 47 minutes and therefore no longer poses any threat.
Kraken provides more details about the vulnerability
Explaining the situation, Kraken revealed that the bug was related to a recent change to its website that allowed its users to trade cryptocurrencies before deposits were confirmed.
In total, three accounts reportedly abused the flaw; one of them belonged to the hacker who sent the report to the exchange.
“This individual discovered the bug in our funding system and used it to credit his account with $4 worth of cryptocurrency,” Kraken wrote. “However, this ‘security researcher’ disclosed this bug to two other people he works with, who fraudulently generated much larger sums.”
“They ended up withdrawing almost $3 million from their Kraken accounts.”
Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.
— Nick Percoco (@c7five) June 19, 2024
This is where the story gets even more interesting, because the exchange and the hackers got into a dispute.
Kraken accuses hackers of extortion
The vulnerability was reported to the exchange through its bug bounty program. According to Kraken's page, prizes vary between 500 and 1.5 million dollars, depending on the severity of the failure.
Kraken Bug Bounty program values. Source: Kraken/Reproduction.
However, Nick Percoco claims that the hackers did not disclose details about the other two accounts that withdrew the $3 million. Kraken's security director further notes that the hackers did not accept the program's terms, but instead imposed new ones.
“They demanded a call with their business development team,” Percoco wrote. “They have not agreed to return any funds until we provide a speculated dollar amount that this bug could have caused if they had not disclosed it.”
“This isn’t white-hat hacking, it’s extortion!”
Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!
— Nick Percoco (@c7five) June 19, 2024
In closing, Percoco states that Kraken is “being accused of being irrational and unprofessional for requesting the return of funds.” This, he says, is why Kraken decided to make the story public.
“This makes you and your company criminals,” said the executive about the hackers’ behavior, noting that they have already contacted authorities. The name of the company that discovered the bug was not revealed.