ForkLog

CertiK Unveiled as ‘White Hat’ Hacker Behind Kraken Exploit

The clandestine “security researcher” who discovered and exploited a vulnerability on the Kraken cryptocurrency exchange has been revealed as CertiK.

“CertiK recently identified a series of critical vulnerabilities at Kraken, which could potentially lead to losses of hundreds of millions of dollars,” the company’s post states.

Earlier, the platform’s Chief Security Officer, Nick Percoco, reported that on June 9, the exchange received a vulnerability report through its Bug Bounty program. However, the researchers did not share details and instead exploited the bug to withdraw about $3 million from Kraken.

According to Percoco, the then-unidentified white hat hackers demanded more money for disclosing the information than the bounty program offered, citing the high level of threat. A Kraken representative accused them of “extortion.”

According to CertiK’s post, the exploit allowed for the fabrication of a deposit transaction to the exchange account, followed by the withdrawal of the obtained funds. 

“Worse still, during several days of testing [the bug], no security alerts were triggered on the exchange. Kraken responded and blocked the test accounts only several days after we officially reported the incident,” the company stated.

Analysts also attached a screenshot of all the fake deposits and withdrawals.

The trading platform’s security service classified the exploit as “critical” (the highest level) and began working on its resolution. 

However, according to CertiK, Kraken’s security team “began threatening individual employees, stating they would pay an inappropriate amount of cryptocurrency within baseless deadlines even without providing addresses for fund returns.” 

The firm published a timeline of events starting from the discovery of the exploit on June 5 and ending with “threats” from Kraken on June 18. During this time, the parties held several video conferences. 

CertiK promised to return all assets withdrawn during the vulnerability testing:

“Since Kraken did not provide addresses for redemption and incorrectly calculated the amount, we are transferring the funds based on our notes to an account that the exchange will be able to access.” 

Analysts confirmed that user funds were not affected. However, they expressed concern over the exchange’s weak security system, which did not respond to either the fake deposit or the large withdrawal of funds.
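A defender-side reconciliation check for the failure mode described above (a credited deposit with no real on-chain backing, followed by a withdrawal that raised no alert), added here as an illustration and not code from CertiK, Kraken or ForkLog. The article does not describe the actual mechanism of the Kraken bug, so this models only the generic control: every internal credit must match a confirmed on-chain transaction, and withdrawals are limited to the confirmed balance. Account names, transaction ids and amounts are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Credit:
    account: str
    txid: str      # chain transaction the internal ledger claims to be backed by
    amount: int    # integer minor units (e.g. satoshi), avoids float rounding


@dataclass(frozen=True)
class Withdrawal:
    account: str
    amount: int


def reconcile(credits, withdrawals, confirmed_chain_txs):
    """Return alert strings for ledger credits that lack a confirmed on-chain
    transaction (or disagree with it) and for withdrawals that exceed the
    confirmed balance. confirmed_chain_txs maps txid -> confirmed amount."""
    alerts = []
    confirmed_balance = {}
    for c in credits:
        chain_amount = confirmed_chain_txs.get(c.txid)
        if chain_amount is None:
            # Credit exists in the internal ledger but no chain tx backs it.
            alerts.append(f"UNBACKED_CREDIT account={c.account} txid={c.txid} amount={c.amount}")
            continue
        if chain_amount != c.amount:
            alerts.append(f"AMOUNT_MISMATCH account={c.account} txid={c.txid} "
                          f"ledger={c.amount} chain={chain_amount}")
            continue
        confirmed_balance[c.account] = confirmed_balance.get(c.account, 0) + c.amount
    for w in withdrawals:
        available = confirmed_balance.get(w.account, 0)
        if w.amount > available:
            # Refuse to let unconfirmed (possibly fabricated) value leave the exchange.
            alerts.append(f"WITHDRAWAL_EXCEEDS_CONFIRMED account={w.account} "
                          f"requested={w.amount} confirmed={available}")
        else:
            confirmed_balance[w.account] = available - w.amount
    return alerts


# Constructed sample data: one genuine deposit, one fabricated credit, one mismatch.
SAMPLE_CHAIN = {"tx-ok-1": 500_000, "tx-ok-2": 800}
SAMPLE_CREDITS = [Credit("acct-A", "tx-ok-1", 500_000),
                  Credit("acct-B", "tx-fake-1", 3_000_000),
                  Credit("acct-C", "tx-ok-2", 900)]
SAMPLE_WITHDRAWALS = [Withdrawal("acct-A", 200_000), Withdrawal("acct-B", 3_000_000)]

if __name__ == "__main__":
    for line in reconcile(SAMPLE_CREDITS, SAMPLE_WITHDRAWALS, SAMPLE_CHAIN):
        print(line)
```

Run as a periodic job or, better, synchronously in the withdrawal path, so that a credit the chain never confirmed cannot be withdrawn while the alert queue waits for a human.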

Previously, the exchange OKX disclosed details of a series of account hacks. According to the platform, the hacker forged documents and bypassed additional security mechanisms such as two-factor authentication (2FA). 

On June 3, it was revealed that a perpetrator gained control over a Chinese trader’s account on Binance without having the password or access to 2FA. After a series of trades, they withdrew assets worth $1 million.