Security Researchers Steal Nearly $3 Million In Crypto From Kraken

Crypto exchange Kraken on Wednesday disclosed that nearly $3 million in cryptocurrency was stolen from its wallets through the exploitation of a zero-day vulnerability, which has now been fixed.

Nick Percoco, Kraken’s Chief Security Officer, took to social media platform X (formerly Twitter) to disclose that they received a “Bug Bounty Program” alert from a security researcher on June 9, 2024, notifying them about an “extremely critical” vulnerability that allowed anyone to artificially increase the value of their Kraken account balance.

On investigating the report, Kraken found an isolated bug that allowed threat actors, under the right circumstances, to initiate a deposit on their platform and receive funds in their account, even if the deposit failed.

“To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time,” explained Percoco.

Percoco says that the Kraken security team marked this vulnerability as Critical, resolved the issue within an hour, and prevented further losses. The team also thoroughly tested the fix to guard against similar issues in the future.

“Our team found a flaw deriving from a recent UX change that would promptly credit client accounts before their assets cleared – allowing clients to effectively trade crypto markets in real time. This UX change was not thoroughly tested against this specific attack vector,” Percoco added.
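The credit-before-clearing flaw Percoco describes, modelled as an added example (this is not Kraken's code; the two ledger classes and the deposit scenario are constructed for illustration): the naive ledger credits the spendable balance the moment a deposit is initiated, so a deposit that later fails still leaves funds to withdraw, while the hardened ledger holds initiated deposits in a pending bucket and only moves them to the spendable balance once settlement confirms them.

```python
from dataclasses import dataclass, field


@dataclass
class NaiveLedger:
    """Flaw from the article: the balance is credited when a deposit is initiated."""
    available: int = 0

    def initiate_deposit(self, deposit_id: str, amount: int) -> None:
        self.available += amount            # credited before the funds clear

    def settle_deposit(self, deposit_id: str, cleared: bool) -> None:
        pass                                # a failed deposit is never reversed

    def withdraw(self, amount: int) -> bool:
        if amount > self.available:
            return False
        self.available -= amount
        return True


@dataclass
class SettlementLedger:
    """Hardened model: deposits stay pending until settlement confirms them."""
    available: int = 0
    pending: dict = field(default_factory=dict)

    def initiate_deposit(self, deposit_id: str, amount: int) -> None:
        self.pending[deposit_id] = amount   # visible to the client, not spendable

    def settle_deposit(self, deposit_id: str, cleared: bool) -> None:
        amount = self.pending.pop(deposit_id)  # each deposit settles exactly once
        if cleared:                         # a failure just drops the pending entry
            self.available += amount

    def withdraw(self, amount: int) -> bool:
        if amount > self.available:         # pending funds never count here
            return False
        self.available -= amount
        return True


def failed_deposit_then_withdraw(ledger, amount: int = 100) -> int:
    """Constructed scenario: initiate a deposit, let it fail, then try to withdraw.
    Returns how much the exchange paid out; a correct ledger returns 0."""
    ledger.initiate_deposit("dep-1", amount)
    ledger.settle_deposit("dep-1", cleared=False)
    return amount if ledger.withdraw(amount) else 0
```

Running the scenario against `NaiveLedger` pays out the full amount from a deposit that never cleared, while `SettlementLedger` pays out nothing and only releases funds after a confirmed settlement.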

After fixing the bug, Kraken’s team discovered that three accounts had already exploited the zero-day bug within a few days, collectively withdrawing nearly $3 million from the exchange’s treasury.

On further investigation, they found that one account was linked to an individual who had completed Kraken’s KYC verification process, claiming to be a security researcher. This person initially tested the bug and credited their account with $4 in crypto, which would have been sufficient to prove the flaw and be rewarded through Kraken’s Bug Bounty program.

However, Percoco says that the ‘security researcher’ instead disclosed the zero-day bug to two other individuals associated with the researcher, who fraudulently withdrew an additional $3 million from their Kraken accounts. He emphasized that these stolen funds came from Kraken’s treasuries, not from other client accounts.

As the two other individuals’ transactions were not fully disclosed in the initial Bug Bounty report, Kraken’s team contacted the researcher for more details of their activities. However, Percoco says the researchers refused to return the crypto or share any information regarding the flaw, both of which are standard practice under any Bug Bounty program.

“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!” Percoco claimed.

Kraken’s response to the incident has been transparent. Percoco highlighted the importance of ethical behavior in the cybersecurity community, saying, “As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack’.”

Percoco says Kraken is not revealing the researchers’ identities as “they don’t deserve recognition for their actions.” Additionally, Kraken is now treating this case as a criminal matter and coordinating with law enforcement agencies to recover the stolen funds.

“We engaged these researchers in good faith and, in-line with a decade of running a bug bounty program, had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers,” a Kraken spokesperson said in a statement.

Kavita Iyer, https://www.techworm.net