Crypto exchange Kraken disclosed that an unidentified security researcher exploited a severe zero-day vulnerability in its system to steal $3 million in digital assets and refused to return them.
Details of the incident were shared by Kraken’s Chief Security Officer, Nick Percoco, on X (formerly Twitter), mentioning that they received an alert from the Bug Bounty program about a bug that allowed unauthorized access to inflate their balance on the platform without providing more specifics.
The company promptly identified and fixed the security issue that allowed an attacker to receive funds in their account without completing the deposit process, within minutes of being alerted.
Kraken clarified that no client assets were at risk, but the vulnerability could have enabled a threat actor to manipulate their account balance. The issue was resolved within 47 minutes.
The vulnerability was attributed to a recent user interface change that allowed customers to utilize deposited funds before they were fully verified.
Further investigation uncovered that three accounts, including one linked to the security researcher, exploited the flaw and siphoned $3 million within a few days.
Percoco stated, “Instead of reporting the bug and claiming a reward under our program, the ‘security researcher’ shared the vulnerability with others, who fraudulently withdrew nearly $3 million from their accounts. This was from Kraken’s own funds, not client assets.”
When approached by Kraken to disclose the exploit used and return the funds, the individuals demanded payment from the company to release the assets, leading Percoco to denounce their actions as extortion.
Kraken is treating the incident as a criminal case and cooperating with law enforcement, emphasizing that violating bug bounty program rules and extorting the company makes individuals criminals.
“As a security researcher, you are authorized to identify vulnerabilities within the boundaries of bug bounty programs. Extorting the company revokes that privilege and makes you a criminal,” noted Percoco.
