Crypto exchange Kraken revealed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform to steal $3 million in digital assets and refused to return them.
Details of the incident were shared by Kraken's Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert from the researcher about a bug that "allowed them to artificially inflate their balance on our platform" without sharing any other details
Within minutes of receiving the alert, the company said it identified a security issue that essentially permitted an attacker to "initiate a deposit onto our platform and receive funds in their account without fully completing the deposit."
While Kraken emphasized that no client assets were at risk due to the issue, it could have enabled a threat actor to print assets in their accounts. The problem was addressed within 47 minutes, it said.
It also said the flaw stemmed from a recent user interface change that allows customers to deposit funds and use them before they were cleared.
On top of that, further investigation unearthed the fact that three accounts, including one belonging to the supposed security researcher, had exploited the flaw within a few days of each other and siphon $3 million.
"This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto," Percoco said. "This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program."
"Instead, the 'security researcher' disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken's treasuries, not other client assets."
In a strange turn of events, on being approached by Kraken to share their proof-of-concept (PoC) exploit used to create the on-chain activity and to arrange the return of the funds that they had withdrawn, they instead demanded that the company get in touch with their business development team to pay a set amount in order to release the assets.
"This is not white hat hacking, it is extortion," Percoco said, urging the concerned parties to return the stolen funds.
The name of the company was not disclosed, but Kraken said it's treating the security event as a criminal case and that it's coordinating with law enforcement agencies about the matter.
"As a security researcher, your license to 'hack' a company is enabled by following the simple rules of the bug bounty program you are participating in," Percoco noted. "Ignoring those rules and extorting the company revokes your 'license to hack.' It makes you, and your company, criminals."
CertiK Responds
Blockchain security firm CertiK has stepped forward as the entity behind the breach on Kraken, claiming that it detected several critical flaws that made it possible to mint (i.e., fabricate) crypto on any account, which could then be withdrawn and converted into valid crypto assets.
"Millions [of] dollars of crypto were minted out of [thin] air, and no real Kraken user's assets were directly involved in our research activities," the company wrote on X, defending its actions.
"For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK. The real question should be why Kraken's in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts was a part of our testing."
CertiK further asserted that "Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses."
That said, evidence has also emerged that a CertiK researcher may have been conducting probing and testing as early as May 27, 2024, contradicting the company's timeline of events.
The development comes as Kraken, in a blog post, accused the "third-party security research company" of exploiting the flaw for financial gain prior to reporting it. The now-resolved security vulnerability "allowed certain users, for a short period of time, to artificially increase the value of their Kraken account balance without fully completing a deposit."
Funds Returned to Kraken
Kraken CSO Nick Percoco, on June 20, posted an update stating all funds were returned to the company, with a small amount lost to fees. The company subsequently distributed the recovered $2.9 million to its users' via a USDT airdrop.