Kraken Bug Hunters Extract $3 Million via 'Extremely Critical' Vulnerability

The cryptocurrency exchange Kraken has resolved a dangerous exploit that allowed users to artificially inflate and then deplete their account balances.

According to Nick Percoco, the Chief Security Officer of the trading platform, the company received a vulnerability report on June 9 as part of its Bug Bounty program.

The researcher identified an “extremely critical” bug but did not provide any details, the executive noted.

“Within minutes, we identified an isolated bug. It allowed attackers, under certain circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing the transaction,” Percoco explained.

The Kraken team fixed the vulnerability in about an hour and then carried out an impact analysis. The head of security assured that user funds were not affected.

However, the exchange discovered three accounts that had exploited the vulnerability. One of them, a KYC-verified account, belonged to the user who reported the bug through the Bug Bounty program.

“This individual found a flaw in our deposit system and used it to credit their account with $4 in cryptocurrency. This would have been sufficient to demonstrate the flaw, submit a report to our team, and receive a substantial reward under our program’s terms,” Percoco noted.

However, the user disclosed the exploit to two other accomplices, a Kraken representative stated. Ultimately, they used the vulnerability to withdraw approximately $3 million belonging to the exchange’s treasury.

Subsequently, the trading platform requested a full report on the bug from the researchers, who turned out to be an unnamed security analytics firm. However, they refused to share the data and demanded more money as a reward.

“They demanded a call with their business development team (i.e., their sales representatives) and refused to return any funds until we sent them a specific dollar amount that would reflect the potential damage from disclosing the exploit. This is not hacking; this is extortion,” wrote Kraken’s head of cybersecurity.

Earlier, the exchange OKX revealed details of a series of account hacks. According to the platform, a hacker forged documents and bypassed additional security mechanisms such as two-factor authentication (2FA).

Back in June, it was reported that an attacker gained control over a Chinese trader’s account on Binance without having the password or access to 2FA. After a series of trades, they withdrew assets worth $1 million.
