Popular cryptocurrency exchange Kraken has accused “security researchers” of turning to “extortion” after finding a vulnerability on its platform and withdrawing $3 million from the company’s treasury.
Kraken's Chief Security Officer, Nick Percoco, detailed the events on social media, revealing that a bug bounty report had alerted the firm to a vulnerability that allowed users to inflate their account balances by initiating deposits and receiving the funds without completing those deposits.
Kraken swiftly patched the vulnerability and says no user funds were compromised, but according to Percoco, the security researcher who first found the bug allegedly shared the exploit with two others, who then "fraudulently" withdrew millions from Kraken's wallets.
The initial bug bounty report made no mention of these additional transactions. When Kraken sought more details, the researchers reportedly refused, demanding a meeting with Kraken's business development team and a hypothetical estimate of the potential losses prevented by their report. Percoco condemned these actions, stating, "This is not white-hat hacking, it is extortion!"
Kraken withheld the researchers' identities, but blockchain code editor CertiK later claimed to have discovered vulnerabilities on the platform and elaborated on its findings in a social media post, highlighting the potential for exploiting the bug to create millions in cryptocurrency.
However, CertiK also accused Kraken's security team of threatening their employees with “unreasonable” repayment demands without providing addresses for these repayments.
Bug bounty programs, commonly employed to fortify security systems, incentivize third-party hackers, known as "white hats," to uncover vulnerabilities. To qualify for a bounty under Kraken’s program, researchers must identify the bug and exploit the minimum amount needed to prove it, before returning the assets and providing details.
As these steps weren't followed, Kraken asserts the researchers are ineligible for a reward. Percoco said the firm is treating the exploit as a “criminal case” and is “coordinating with law enforcement agencies accordingly.”