Scams, Hacks & Breaches | June 19, 2024

Kraken Security Officer Says Black Hat Entity Exploited Exchange for $3,000,000 Upon Finding ‘Isolated Bug’ in Code

By Mehron Rokhy

A Kraken executive says that a black hat entity stole $3 million from the firm after finding a bug in the exchange’s systems.

In a lengthy thread on the social media platform X, Nick Percoco, Kraken’s chief security officer, says that earlier this month Kraken received a report through its Bug Bounty program claiming there was an “extremely critical” bug that would allow hackers to artificially inflate their funds.


Says Percoco,

“Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.

To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”

According to Percoco, after patching the bug, Kraken discovered that three accounts had used this flaw to their advantage. Eventually, through know-your-customer (KYC) forms, Kraken was able to link one of the accounts to a person who claimed to be a security expert.
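To show the class of flaw Percoco describes from a defender's side, here is an added Python model (not Kraken's code; the exchange's real deposit pipeline is not described on the page) of a ledger that credits a balance either as soon as a deposit is initiated or only once it is confirmed, and measures how much a deposit that never completes can pay out under each policy. The state names, the `Ledger` API and the sample amounts are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Hypothetical model of the described flow; the page does not give Kraken's real design.
@dataclass
class Ledger:
    credit_on_confirm_only: bool      # False = weak flow, True = hardened flow
    balance: int = 0
    received: int = 0                 # value whose deposit actually completed
    paid_out: int = 0
    deposits: dict = field(default_factory=dict)   # dep_id -> (amount, state)
    credited: set = field(default_factory=set)

    def _credit(self, dep_id, amount):
        if dep_id in self.credited:   # idempotent: one credit per deposit, ever
            return False
        self.credited.add(dep_id)
        self.balance += amount
        return True

    def initiate(self, dep_id, amount):
        self.deposits[dep_id] = (amount, "initiated")
        if not self.credit_on_confirm_only:
            self._credit(dep_id, amount)   # weak: balance rises before settlement

    def settle(self, dep_id, success):
        amount, _ = self.deposits[dep_id]
        self.deposits[dep_id] = (amount, "confirmed" if success else "failed")
        if success:
            self.received += amount
            self._credit(dep_id, amount)   # hardened: the only crediting path
        # a failed deposit that was already credited is the "printed" asset

    def withdraw(self, amount):
        if amount > self.balance:
            return False
        self.balance -= amount
        self.paid_out += amount
        return True


def shortfall(hardened, succeeds=False):
    """Initiate 1,000 units, try to withdraw at once, then settle the deposit."""
    lg = Ledger(credit_on_confirm_only=hardened)
    lg.initiate("dep-1", 1_000)          # constructed sample deposit
    lg.withdraw(1_000)
    lg.settle("dep-1", success=succeeds)
    lg.withdraw(1_000)                   # second attempt after settlement
    return lg.paid_out - lg.received     # value paid out that never arrived
```

With the weak policy a deposit that fails after initiation still leaves 1,000 units withdrawn against nothing received; with the hardened policy the shortfall is zero whether the deposit fails or succeeds, and the idempotent credit also prevents a double credit when a pre-credited deposit later confirms.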


However, instead of reporting this exploit to Kraken, the individual allegedly told two other people, who went on to withdraw nearly $3 million from their accounts.

Percoco goes on to allege that the person and his unnamed accomplices are refusing to give the money back, instead demanding that the crypto exchange pay them a speculated sum for the losses the bug could have caused had they not found it.

Bug bounty programs allow companies to offer compensation to individuals who find and report bugs. Known as “white-hat hackers,” these bug hunters help companies protect themselves from hacks and exploits.

Percoco says that taking advantage of bug bounty programs to exploit firms makes one a criminal.

“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”


Generated Image: Midjourney