A Kraken executive says that a black hat entity stole $3 million from the firm after finding a bug in the exchange’s systems.
In a lengthy thread on the social media platform X, Nick Percoco, Kraken’s chief security officer, says that earlier this month, Kraken received an update from their Bug Bounty program claiming there was an “extremely critical” bug that would allow hackers to artificially inflate their funds.
Says Percoco,
“Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.
To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”
According to Percoco, after patching the bug, Kraken discovered that three accounts had used this flaw to their advantage. Eventually, through know-your-customer (KYC) forms, Kraken was able to link one of the accounts to a person who claimed to be a security expert.
However, instead of reporting this exploit to Kraken, the individual allegedly told two other people, who went on to create and withdraw nearly $3 million from their accounts.
Percoco goes on to allege that the person and his unnamed accomplices are refusing to return the money, instead demanding that the crypto exchange pay them a speculative sum reflecting the losses the bug could have caused had they not found it.
Bug bounty programs allow companies to offer compensation to individuals who find and report bugs. Known as “white-hat hackers,” these bug hunters help companies protect themselves from hacks and exploits.
Percoco says that taking advantage of bug bounty programs to exploit firms makes one a criminal.
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”