Yesterday, Kraken said the exchange had been exploited for nearly $3 million and claimed that a research team was still holding these digital assets.
A self-proclaimed anonymous “security researcher” found a serious security bug and alerted the cryptocurrency exchange on June 9.
However, two accounts linked to the security researcher exploited the bug to withdraw more than $3 million in digital assets, according to Nicholas Percoco, Kraken’s chief security officer.
After withdrawing millions of dollars, the security researcher demanded a reward before returning the stolen funds. They requested a call with Kraken’s business development team and refused to return the assets until Kraken provided an estimate of the potential financial impact the vulnerability would have had if it had not been disclosed.
Percoco said he considers this blackmail rather than white hat hacking, emphasizing that ethical hackers work collaboratively with companies to improve security without exploiting vulnerabilities for personal gain.
The cryptocurrency was stolen directly from Kraken’s treasury. The exchange claims that no user funds are at stake.
Kraken will continue its bug bounty programs to enhance the security of the exchange and is cooperating with law enforcement to recover the stolen funds.
CertiK claims to have discovered the vulnerability and is paying the funds back
Following this development, blockchain security firm CertiK said it was the one who found the vulnerability in Kraken’s deposit system and is transferring funds back to the exchange.
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.
Starting from a finding in @krakenfx‘s deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024
CertiK says this vulnerability could allow hackers to deposit millions of dollars into any Kraken account and withdraw a significant amount of cryptocurrency (worth more than $1 million). During the multi-day testing phase, Kraken’s security system did not trigger any alerts related to the vulnerability. According to CertiK, Kraken only reacted and locked their test accounts a few days after CertiK disclosed the issue.
After initial discussions to fix the vulnerability, CertiK accused Kraken’s security team of threatening its employees. Specifically, Kraken allegedly asked CertiK employees to refund an “unmatched” amount of cryptocurrency within an “unreasonable” time frame of 6 hours, without providing an address for the refund.
CertiK has also provided its own timeline of events, detailing test deposits made using Polygon’s MATIC token.
“Since Kraken has not provided a return address and the requested amount does not match, we are transferring funds based on our records to an account accessible to Kraken.”
Annie
Bitcoin Magazine