June 19, 2024 at 10:54AM
Kraken crypto exchange experienced a breach when alleged security researchers exploited a zero-day bug, stealing $3 million in cryptocurrency. The bug allowed unauthorized deposits and fund withdrawals. After fixing the bug, three individuals, one claiming to be a researcher, refused to return the stolen funds, demanding a business call instead. Kraken is treating the incident as a criminal case.
The Kraken crypto exchange recently experienced a security breach, during which alleged researchers exploited a zero-day bug in the website, resulting in the theft of $3 million in cryptocurrency. The exchange’s Chief Security Officer, Nick Percoco, disclosed the incident and highlighted that the bug allowed unauthorized individuals to artificially increase balances in Kraken wallets.
The security team promptly addressed the bug within an hour of its discovery, which was traced back to a recent user interface change. However, it was then revealed that three users had already exploited the bug to steal the funds from the exchange’s treasury. When contacted, the researchers associated with the initial bug report declined to return the stolen funds and demanded a meeting with Kraken’s business development team, prompting Percoco to label their actions as extortion rather than white-hat hacking.
Kraken has chosen not to disclose the identity of the researchers, as recognition for their actions is deemed undeserving. They have also taken the matter as a criminal case and have informed law enforcement.
Further updates on this incident may be available pending a response from Kraken to inquiries made by Bleeping Computer.