Imposter security researcher blamed for stealing $3M from Kraken

Kraken, the US-based cryptocurrency exchange, disclosed a mysterious theft of $3 million in cryptocurrency, blaming attackers who posed as “security researchers” in its bug bounty program. The imposters did report a genuine critical vulnerability, but only after profiting from it.

Kraken officials assured customers that no client assets were ever at risk. However, “a malicious attacker could effectively print assets in their Kraken account for a period of time.”

On June 9, 2024, Kraken received an alert via its Bug Bounty program from a security researcher claiming they found an “extremely critical” bug that allowed attackers to artificially inflate the balance on their platform.

According to Nick Percoco, Kraken's Chief Security Officer, they treated the report seriously despite many similar fake bug bounty reports.

“Within minutes, we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit,” Percoco posted on X.

The flaw stemmed from a recent user experience change that credited client accounts promptly, before their deposited assets had cleared. This was needed so that clients could trade crypto in real time, but the feature was not thoroughly tested, Percoco admitted.
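The pattern Percoco describes, crediting a deposit before it settles, can be shown in a small ledger model. The following is an added, constructed example and not Kraken's code: it places a ledger that makes funds spendable on deposit initiation next to one that holds them as pending until confirmation, and includes a reconciliation check that flags spendable balance not backed by any confirmed deposit. All account ids, deposit ids and amounts are made-up sample values.

```python
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # announced by the client, not yet settled on-chain
    CONFIRMED = "confirmed"   # settled; the funds really arrived
    FAILED = "failed"         # never settled (dropped, reorged, double-spent)


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit of the asset (constructed sample values below)
    state: DepositState = DepositState.INITIATED


class Ledger:
    """Shared bookkeeping: per-account balances plus a record of deposits and withdrawals."""

    def __init__(self):
        self.available = {}   # spendable balance per account
        self.pending = {}     # credited but not yet cleared (used by the hardened variant)
        self.deposits = {}
        self.withdrawn_total = 0

    def withdraw(self, account, amount):
        if self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        self.withdrawn_total += amount
        return True

    def confirmed_total(self):
        return sum(d.amount for d in self.deposits.values() if d.state is DepositState.CONFIRMED)

    def unbacked_balance(self):
        """Reconciliation check: spendable balance (plus what was already withdrawn) that no
        confirmed deposit backs. Anything above zero means assets were 'printed'."""
        return sum(self.available.values()) - (self.confirmed_total() - self.withdrawn_total)


class VulnerableLedger(Ledger):
    """Credits the spendable balance as soon as the deposit is initiated."""

    def initiate_deposit(self, deposit_id, account, amount):
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        self.available[account] = self.available.get(account, 0) + amount  # credited before clearing

    def confirm_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.CONFIRMED  # already credited, nothing to do

    def fail_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.FAILED     # the credit is never reversed


class HardenedLedger(Ledger):
    """Credits a pending balance on initiation; only confirmation makes it spendable."""

    def initiate_deposit(self, deposit_id, account, amount):
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        self.pending[account] = self.pending.get(account, 0) + amount

    def confirm_deposit(self, deposit_id):
        d = self.deposits[deposit_id]
        if d.state is not DepositState.INITIATED:
            return  # idempotent: a repeated confirmation event must not credit twice
        d.state = DepositState.CONFIRMED
        self.pending[d.account] -= d.amount
        self.available[d.account] = self.available.get(d.account, 0) + d.amount

    def fail_deposit(self, deposit_id):
        d = self.deposits[deposit_id]
        if d.state is DepositState.INITIATED:
            d.state = DepositState.FAILED
            self.pending[d.account] -= d.amount  # nothing spendable was ever granted


def abandoned_deposit_scenario(ledger_cls):
    """Initiate a deposit that never settles, then try to withdraw the credited amount.
    Returns (withdrawal_succeeded, unbacked_balance_after)."""
    ledger = ledger_cls()
    ledger.initiate_deposit("dep-1", "acct-a", 1_000)  # constructed sample deposit
    ledger.fail_deposit("dep-1")                         # it never clears on-chain
    ok = ledger.withdraw("acct-a", 1_000)
    return ok, ledger.unbacked_balance()


def settled_deposit_scenario(ledger_cls):
    """Control case: the deposit does settle (with a duplicate confirmation event)."""
    ledger = ledger_cls()
    ledger.initiate_deposit("dep-2", "acct-b", 500)
    ledger.confirm_deposit("dep-2")
    ledger.confirm_deposit("dep-2")
    ok = ledger.withdraw("acct-b", 500)
    return ok, ledger.unbacked_balance()


if __name__ == "__main__":
    print("vulnerable, abandoned:", abandoned_deposit_scenario(VulnerableLedger))
    print("hardened, abandoned:  ", abandoned_deposit_scenario(HardenedLedger))
    print("hardened, settled:    ", settled_deposit_scenario(HardenedLedger))
```

The vulnerable ledger lets the abandoned deposit be withdrawn and leaves a positive unbacked balance, which is exactly the signal a periodic reconciliation job between internal balances and confirmed on-chain deposits should alarm on; the hardened ledger keeps real-time trading possible by tracking a separate pending balance while never making unsettled funds spendable.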

Within a few hours, the issue was “completely fixed”; however, the investigation revealed that some assets were missing.

Three accounts had exploited this flaw within a few days of each other. One account belonged to the same individual who claimed to be a security researcher. That account was used to credit $4 in crypto, which is “sufficient to prove the flaw.”

However, Percoco believes that the same “researcher” disclosed the bug to two other individuals, and they fraudulently generated nearly $3 million from Kraken’s treasuries.

Kraken’s team asked the alleged security researcher to disclose some details, including a full account of their activities and the proof of concept used to create the on-chain activity.

“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!” Percoco said.

Kraken does not disclose the “research company” in question because “they don’t deserve recognition for their action.” Kraken officials also said they treat the case as criminal and are coordinating with law enforcement.

“We have had a Bug Bounty program in place at Kraken for nearly ten years. This program is run internally and is fully staffed by some of the brightest minds in the community,” Percoco added. “We have never had issues with legitimate researchers in this way and are always responsive.”