Security researchers attempt to extort Kraken crypto exchange

Kraken, a well-known cryptocurrency exchange, was faced with an alarming Bug Bounty report on June 9, 2024. The report, submitted by a security researcher, claimed to have found an “extremely critical” bug that allowed balance inflation. However, what initially appeared to be a routine vulnerability report quickly turned into an extortion attempt.

After investigating the bug report, a team led by Nick Percoco, Kraken’s Chief Security Officer, identified a $3 million exploit. Percoco addressed the entire situation in a thread on X (formerly Twitter), posted on June 19th.

The investigation revealed that three accounts had exploited the reported flaw within days of each other. One account belonged to an individual who claimed to be a security researcher. This person discovered and used the bug to credit their account with $4 in crypto.

Percoco described this as sufficient to prove the flaw and collect a substantial reward through Kraken’s Bug Bounty program. However, things escalated quickly once Kraken noticed the other two accounts, which allegedly benefited from the first person’s disclosure.

When Kraken requested a full account of their activities and the return of the withdrawn funds, the security researchers refused and instead demanded a call with Kraken’s business development team, engaging in what Percoco described as extortion.

Moreover, the Chief Security Officer explained that Kraken’s Bug Bounty program, in place for nearly a decade, has clear rules, such as not exploiting more than is necessary to prove the vulnerability, providing a proof of concept, and immediately returning any extracted funds.

In the interest of transparency, the company disclosed the bug to the industry and is treating the incident as a criminal case, coordinating with law enforcement agencies. The exchange emphasized that ignoring bug bounty program rules and attempting to extort the company revokes a researcher’s “license to hack” and makes them criminals.

Furthermore, Nick Percoco revealed that the exchange regularly receives fake bug bounty reports. Nevertheless, Kraken treated this report seriously and promptly assembled a team to investigate. Within minutes, they discovered an isolated bug that, under specific circumstances, allowed an attacker to initiate a deposit and receive funds without fully completing the transaction.

Kraken’s team mitigated the issue within an hour and 47 minutes, as reported by Percoco. The vulnerability was completely fixed within a few hours, ensuring it could not reoccur. The flaw stemmed from a recent user experience (UX) change that credited client accounts before their assets cleared, enabling real-time trading.
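The flaw class described above, an account credited before its deposit has cleared, is a ledger design problem rather than anything specific to one exchange. The model below is an added illustration, not Kraken’s code or any reconstruction of it: it contrasts a handler that credits the tradable balance on deposit initiation with one that keeps announced funds in a separate pending balance until a settlement event arrives, and adds a reconciliation check that flags tradable balance exceeding assets actually in custody. All names, the event sequence and the assumption that the weak handler has no later reversal for failed deposits are constructed for the example.

```python
"""Deposit-ledger model: crediting before clearing versus crediting after clearing.

Constructed example code; not taken from Kraken or any exchange. Class names,
account ids and the sample deposit events are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    INITIATED = "initiated"  # deposit announced, but not yet final
    SETTLED = "settled"      # asset has actually arrived in custody
    FAILED = "failed"        # deposit never completed


@dataclass
class DepositEvent:
    deposit_id: str
    account: str
    amount: int  # integer minor units; avoids float rounding in balances
    state: State


@dataclass
class Ledger:
    available: dict = field(default_factory=dict)  # balance the client may trade
    pending: dict = field(default_factory=dict)    # announced but not yet cleared
    custody: int = 0                               # assets that have truly arrived

    def add(self, book: dict, account: str, amount: int) -> None:
        book[account] = book.get(account, 0) + amount


def weak_handler(ledger: Ledger, ev: DepositEvent) -> None:
    """Credit-before-clearing: the tradable balance rises as soon as the deposit
    is initiated, so the client can trade in real time. The model assumes no
    reversal on failure, so an uncompleted deposit leaves the credit in place."""
    if ev.state is State.INITIATED:
        ledger.add(ledger.available, ev.account, ev.amount)
    elif ev.state is State.SETTLED:
        ledger.custody += ev.amount
    # FAILED: nothing happens here, which is exactly the problem


def hardened_handler(ledger: Ledger, ev: DepositEvent) -> None:
    """Credit-after-clearing: initiation only raises the pending balance (which
    may be displayed but not traded); the tradable balance moves on settlement,
    and a failed deposit simply drops out of pending."""
    if ev.state is State.INITIATED:
        ledger.add(ledger.pending, ev.account, ev.amount)
    elif ev.state is State.SETTLED:
        ledger.add(ledger.pending, ev.account, -ev.amount)
        ledger.add(ledger.available, ev.account, ev.amount)
        ledger.custody += ev.amount
    elif ev.state is State.FAILED:
        ledger.add(ledger.pending, ev.account, -ev.amount)


def reconcile(ledger: Ledger) -> int:
    """Detection control: the sum of tradable balances must never exceed assets in
    custody. Returns the excess, 0 when the ledger is internally consistent."""
    return max(0, sum(ledger.available.values()) - ledger.custody)


# Constructed sample: one deposit that settles, one that is initiated and then fails.
SAMPLE_EVENTS = [
    DepositEvent("dep-1", "acct-1", 100, State.INITIATED),
    DepositEvent("dep-1", "acct-1", 100, State.SETTLED),
    DepositEvent("dep-2", "acct-2", 250, State.INITIATED),
    DepositEvent("dep-2", "acct-2", 250, State.FAILED),
]


def run(handler, events=SAMPLE_EVENTS) -> Ledger:
    """Replay the event sequence through a handler and return the resulting ledger."""
    ledger = Ledger()
    for ev in events:
        handler(ledger, ev)
    return ledger


if __name__ == "__main__":
    weak = run(weak_handler)
    hardened = run(hardened_handler)
    print("weak:     available", weak.available, "custody", weak.custody,
          "excess", reconcile(weak))
    print("hardened: available", hardened.available, "custody", hardened.custody,
          "excess", reconcile(hardened))
```

With the weak handler, acct-2 ends up with 250 units of tradable balance although nothing for it ever reached custody, and `reconcile` reports an excess of 250; with the hardened handler the failed deposit leaves no tradable balance behind and the excess is 0. Running a reconciliation of this kind continuously, rather than only at the end of a period, is what turns a ledger inconsistency into an alert instead of a bug bounty report.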

Despite this isolated experience, Kraken remains committed to its Bug Bounty program, recognizing its importance in enhancing the overall security of the crypto ecosystem. The exchange looks forward to working with good-faith actors in the future while taking a stand against unethical behavior.
