Meet the Top 101 in Crypto
Home / News / Crypto / News / Kraken Secures Systems After Bug Exploited by Rogue Researchers – “No User Funds Were Endangered
News
6 min read

Kraken Secures Systems After Bug Exploited by Rogue Researchers – “No User Funds Were Endangered

Published 20 June 2024
Teuta Franjkovic
Authors
By Teuta Franjkovic
Kraken has officially launched PayPal as a funding option for its U.S. customers, enabling crypto purchases without traditional banks.
Kraken has officially launched PayPal as a funding option for its U.S. customers, enabling crypto purchases without traditional banks.| Credit: Pixabay

Key Takeaways

  • Kraken experienced a $3 million exploit due to a critical zero-day vulnerability and a recent UI change.
  • Security researcher exploited Kraken flaw, colluded to maximize theft, and refused to return funds, facing extortion accusations.
  • CertiK claims ethical responsibility for Kraken breach, citing inadequate security measures.

Crypto exchange Kraken disclosed that an anonymous security researcher exploited an “extremely critical” zero-day vulnerability in its platform, resulting in the theft of $3 million in digital assets, which the researcher refused to return.

Minutes after receiving the alert, Kraken reported that it identified a security issue allowing an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

Kraken Details $3 Million Exploit Due to Critical Flaw and UI Change

Kraken’s Chief Security Officer, Nick Percoco, shared details of the incident on X. He mentioned that the exchange received an alert from its Bug Bounty program about a bug that enabled the researcher to artificially inflate their balance on the platform without providing further specifics.

Kraken emphasized that no client assets were at risk, but it could have enabled a threat actor to generate assets in their accounts. The company stated that the problem was addressed within 47 minutes.

Kraken also revealed that the flaw originated from a recent user interface change that allowed customers to deposit funds and use them before they were cleared.

Further investigation uncovered that three accounts, including one belonging to the supposed security researcher, had exploited the flaw within a few days of each other, resulting in the theft of $3 million.

Percoco explained:

“This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program.

Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.” the researcher added.

Kraken Accuses Security Firm of Extortion in Bug Bounty Dispute

In a strange turn of events, when Kraken approached the researcher to share their proof-of-concept (PoC) exploit used to create the on-chain activity and to arrange the return of the withdrawn funds, they instead demanded that Kraken contact their business development team and pay a set amount to release the assets.

Percoco described this behavior as extortion and urged the parties involved to return the stolen funds.

Although the name of the company was not disclosed, Kraken stated it is treating the security event as a criminal case and is coordinating with law enforcement agencies.

Percoco emphasized that a security researcher’s permission to “hack” a company is contingent on following the rules of the bug bounty program. Ignoring those rules and extorting the company revokes this permission and classifies the individuals and their company as criminals.

CertiK Takes Responsibility for Kraken Breach, Disputes Extortion Claims

Blockchain security firm CertiK has identified itself as the entity responsible for the breach on Kraken. CertiK reported that it discovered multiple critical vulnerabilities within Kraken’s platform, enabling the creation of counterfeit crypto assets in any account. These fabricated assets could then be withdrawn and converted into legitimate crypto.

CertiK defended its actions on X, stating that millions of dollars worth of crypto were created without involving any real Kraken user assets.

The firm explained that over several days, many fabricated tokens were generated and converted into legitimate cryptos, yet Kraken’s risk control mechanisms failed to detect these test transactions until CertiK reported them. CertiK emphasized that the real issue was why Kraken’s defense system did not identify the continuous large withdrawals from different testing accounts.

Additionally, CertiK claimed that Kraken’s security team threatened individual CertiK employees to repay a mismatched amount of crypto within an unreasonable timeframe without providing repayment addresses.

Evidence has surfaced indicating that a CertiK researcher may have been conducting probing and testing as early as May 27, 2024, which contradicts CertiK’s reported timeline of events.

This development follows Kraken’s blog post accusing the “third-party security research company” of exploiting the flaw for financial gain before reporting it. The now-resolved vulnerability allowed certain users, for a short time, to artificially inflate their Kraken account balances without fully completing a deposit.

Kraken-CertiK Saga Intensifies Over $3 Million Exploit Discrepancy

The ongoing dispute between Kraken and CertiK has taken another turn as both parties continue to clash over the nearly $3 million exploit. Kraken claimed that the total exploited amount was not returned, while CertiK asserted they had returned all funds according to their records.

On June 20, CertiK provided an update on X, stating they had returned 734.19215 Ether (ETH), 29,001 Tether (USDT), and 1021.1 Monero (XMR). However, Kraken had requested 155,818.4468 Polygon (MATIC), 907,400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR. The discrepancy between the returned and requested amounts remains a point of contention.

Bug bounty programs, widely adopted by firms to enhance their security systems, invite third-party hackers, known as “white hats,” to identify vulnerabilities so the company can address them before malicious actors exploit them. Kraken, like its competitor Coinbase, employs such a program to proactively discover and fix potential security issues.

CertiK reportedly sent the stolen funds to the crypto mixing service Tornado Cash to prevent them from being frozen by crypto exchanges. This move sparked significant criticism from the crypto community, raising questions about CertiK’s motives behind what was claimed to be a “white hat” operation.

Crypto Community Questions CertiK’s Actions in Kraken Exploit

The crypto community questioned CertiK’s decision to move millions of dollars worth of funds when a single transaction could have proven the vulnerability.

Critics also reminded that Tornado Cash is an Office of Foreign Assets Control (OFAC)-sanctioned tool, and using it could lead to legal trouble for CertiK. Many also wondered whether CertiK intended to return the funds and why it chose to send them to Tornado Cash.

The majority of the crypto community sided with Kraken, condemning CertiK for its ruthless behavior. Many accused CertiK of “stealing” and blackmailing Kraken for the bounty, calling the firm’s ethical standards into question.

Teuta Franjkovic

Teuta is a seasoned writer and editor with more than 15 years of experience. She has expertise in covering macroeconomics and technology as well as the cryptocurrency and blockchain industries. She has worked for several publications as a journalist and editor, including Forbes, Bloomberg, CoinTelegraph, Coin Rivet, CoinSpeaker, VRWorld and Arcane Bear.

Teuta began her professional career in 2005, working as a lifestyle writer at Cosmopolitan in Croatia. From there, she branched out to several other publications, covering mainly business and the economy. She then turned her attention to the world of cryptocurrency and blockchain, believing that crypto is among the most important inventions in the history of humanity. Her involvement in fintech began in 2014 and she has since lent her expertise in writing, editing and gathering information about the world of crypto, blockchain, NFTs and Web3.

An all-round news hound, mentor, editor, and writer, Teuta enjoys teamwork and good communication. She holds a WSET2 diploma and has a thing for chablis, punkrock music and shoes. She also holds a double MA in Political science and Entrepreneurship.

Email [email protected] LinkedIn LinkedIn X.com X.com

Related

Kraken Exploring $100 Million Pre-IPO Funding as Robinhood Buys Bitstamp for $200 Million: US Crypto Exchanges Back in The Limelight?
Crypto
Kraken Exploring $100 Million Pre-IPO Funding as Robinhood Buys Bitstamp for $200 Million: US Crypto Exchanges Back in The Limelight?
James Morales
Coinbase and Kraken Team Up to Fight Fraud but are They Trying to Distract from SEC Claims?
Crypto
Coinbase and Kraken Team Up to Fight Fraud but are They Trying to Distract from SEC Claims?
Teuta Franjkovic
Pawswap on Shibarium Labeled a Scam by Shiba Inu Admin While Certik Gives it Silver KYC Badge
Altcoins
Pawswap on Shibarium Labeled a Scam by Shiba Inu Admin While Certik Gives it Silver KYC Badge
Teuta Franjkovic
Close
By using CCN.com you consent to our privacy & cookie policy Continue
Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
By using CCN.com you consent to our privacy & cookie policy
Continue
DMCA.com Protection Status