Just In: Kraken Responds to Extortion Attempt Following Security Breach

Highlights
- Kraken managed a security breach involving a $3 million exploit after a bug bounty report became an extortion attempt.
- The flaw allowed account balance inflation and was quickly fixed by Kraken's security team within two hours.
- The vulnerability originated from a recent update that enabled immediate trading before verifying deposited funds.
Kraken, a major cryptocurrency exchange, recently managed a security breach and potential extortion attempt after a supposed bug bounty report became a demand for money. Chief Security Officer Nick Percoco outlined the events, noting a flaw was exploited to inflate account balances artificially. This incident has prompted an investigation involving law enforcement and emphasized the importance of adhering to ethical practices in security research.
Kraken Responds to $3 Million Security Breach
Upon receiving a bug bounty report on June 9, 2024, Kraken's security team, led by Percoco, sprang into action. They quickly discovered that the vulnerability had already been exploited, leading to the unlawful withdrawal of nearly $3 million from the exchange's reserves. The activity was initially attributed to a security researcher, who claimed a mere $4 to demonstrate the flaw, but the situation escalated when it was revealed that this individual had shared the bug with accomplices who extracted much more significant amounts.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
Kraken’s team rectified the security loophole within two hours of detection. The bug originated from a recent update intended to enhance the user experience by allowing immediate trading before thoroughly verifying deposited funds. However, this change inadvertently created a vulnerability. Percoco stressed that no client assets were at risk at any time, as the flaw only allowed the inflating of balances within the perpetrators’ accounts.
Kraken Reinforces Policies After Security Breach
Following the discovery, the perpetrators refused to cooperate with Kraken’s investigation, demanding to speak with the business development team, a move Percoco labeled as extortion. This incident has highlighted the critical nature of following ethical guidelines in bug bounty programs. Kraken’s longstanding policy is clear: researchers must not exploit vulnerabilities beyond what is necessary to prove their existence and should promptly return any unauthorized funds.
Kraken has a nearly decade-long history of operating its bug bounty program, designed to encourage white-hat hackers to help identify and fix security gaps responsibly. This program has functioned smoothly with cooperation from the security research community, and this is the first instance of such a severe breach of trust and protocol.
Despite the unsettling events, Kraken remains dedicated to its bug bounty program, recognizing its value in enhancing the security of the cryptocurrency ecosystem. The exchange has taken steps to reinforce its systems against similar vulnerabilities by implementing stricter testing protocols, particularly following feature updates affecting account transactions.