Home / News / Crypto / News / Kraken Secures Systems After Bug Exploited by Rogue Researchers – “No User Funds Were Endangered
News
8 min read

Kraken Secures Systems After Bug Exploited by Rogue Researchers – “No User Funds Were Endangered

Last Updated June 20, 2024 12:57 PM
Teuta Franjkovic
Last Updated June 20, 2024 12:57 PM

Key Takeaways

  • Kraken experienced a $3 million exploit due to a critical zero-day vulnerability and a recent UI change.
  • Security researcher exploited Kraken flaw, colluded to maximize theft, and refused to return funds, facing extortion accusations.
  • CertiK claims ethical responsibility for Kraken breach, citing inadequate security measures.

Crypto exchange Kraken disclosed  that an anonymous security researcher exploited an “extremely critical” zero-day vulnerability in its platform, resulting in the theft of $3 million in digital assets, which the researcher refused to return.

Minutes after receiving the alert, Kraken reported that it identified a security issue allowing an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

Kraken Details $3 Million Exploit Due to Critical Flaw and UI Change

Kraken’s Chief Security Officer, Nick Percoco, shared details  of the incident on X. He mentioned that the exchange received an alert from its Bug Bounty program about a bug that enabled the researcher to artificially inflate their balance on the platform without providing further specifics.

Kraken emphasized  that no client assets were at risk, but it could have enabled a threat actor to generate assets in their accounts. The company stated that the problem was addressed within 47 minutes.

Kraken also revealed that the flaw originated from a recent user interface change that allowed customers to deposit funds and use them before they were cleared.

Further investigation uncovered that three accounts, including one belonging to the supposed security researcher, had exploited the flaw within a few days of each other, resulting in the theft of $3 million.

Percoco explained:

“This individual discovered the bug in our funding system, and leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program.

Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.” the researcher added.

Kraken Accuses Security Firm of Extortion in Bug Bounty Dispute

In a strange turn of events, when Kraken approached the researcher to share their proof-of-concept (PoC) exploit used to create the on-chain activity and to arrange the return of the withdrawn funds, they instead demanded that Kraken contact their business development team and pay a set amount to release the assets.

Percoco described this behavior as extortion and urged the parties involved to return the stolen funds.

Although the name of the company was not disclosed, Kraken stated it is treating the security event as a criminal case and is coordinating with law enforcement agencies.

Percoco emphasized that a security researcher’s permission to “hack” a company is contingent on following the rules of the bug bounty program. Ignoring those rules and extorting the company revokes this permission and classifies the individuals and their company as criminals.

CertiK Takes Responsibility for Kraken Breach, Disputes Extortion Claims

Blockchain security firm CertiK has identified itself as the entity responsible for the breach on Kraken. CertiK reported that it discovered multiple critical vulnerabilities within Kraken’s platform, enabling the creation of counterfeit crypto assets in any account. These fabricated assets could then be withdrawn and converted into legitimate crypto.

CertiK defended its actions  on X, stating that millions of dollars worth of crypto were created without involving any real Kraken user assets.

The firm explained that over several days, many fabricated tokens were generated and converted into legitimate cryptos, yet Kraken’s risk control mechanisms failed to detect these test transactions until CertiK reported them. CertiK emphasized that the real issue was why Kraken’s defense system did not identify the continuous large withdrawals from different testing accounts.

Additionally, CertiK claimed that Kraken’s security team threatened individual CertiK employees to repay a mismatched amount of crypto within an unreasonable timeframe without providing repayment addresses.

Evidence has surfaced  indicating that a CertiK researcher may have been conducting probing and testing as early as May 27, 2024, which contradicts CertiK’s reported timeline of events.

This development follows Kraken’s blog post  accusing the “third-party security research company” of exploiting the flaw for financial gain before reporting it. The now-resolved vulnerability allowed certain users, for a short time, to artificially inflate their Kraken account balances without fully completing a deposit.

Kraken-CertiK Saga Intensifies Over $3 Million Exploit Discrepancy

The ongoing dispute between Kraken and CertiK has taken another turn as both parties continue to clash over the nearly $3 million exploit. Kraken claimed that the total exploited amount was not returned, while CertiK asserted they had returned all funds according to their records.

On June 20, CertiK provided an update on X , stating they had returned 734.19215 Ether (ETH), 29,001 Tether (USDT), and 1021.1 Monero (XMR). However, Kraken had requested 155,818.4468 Polygon (MATIC), 907,400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR. The discrepancy between the returned and requested amounts remains a point of contention.

Bug bounty programs, widely adopted by firms to enhance their security systems, invite third-party hackers, known as “white hats,” to identify vulnerabilities so the company can address them before malicious actors exploit them. Kraken, like its competitor Coinbase , employs such a program to proactively discover and fix potential security issues.

CertiK reportedly sent  the stolen funds to the crypto mixing service Tornado Cash to prevent them from being frozen by crypto exchanges. This move sparked significant criticism from the crypto community, raising questions about CertiK’s motives behind what was claimed to be a “white hat” operation.

Crypto Community Questions CertiK’s Actions in Kraken Exploit

The crypto community questioned CertiK’s decision to move millions of dollars worth of funds when a single transaction could have proven the vulnerability.

Critics also reminded that Tornado Cash is an Office of Foreign Assets Control (OFAC)-sanctioned tool, and using it could lead to legal trouble for CertiK. Many also wondered whether CertiK intended to return the funds and why it chose to send them to Tornado Cash.

The majority of the crypto community sided with Kraken, condemning CertiK  for its ruthless behavior. Many accused CertiK of “stealing” and blackmailing Kraken for the bounty, calling the firm’s ethical standards into question.

Was this Article helpful? Yes No