The well-known US cryptocurrency exchange Kraken recently experienced a major security vulnerability, resulting in the theft of at least $3 million worth of digital assets. However, Kraken emphasizes that user funds were not compromised.
Contents:
A research team holds $3 million in Kraken assets
Exploited vulnerability leads to $3 million in funds being stolen
User funds remain unaffected
Kraken’s response: This is not white-hat hacking behavior
Security team CertiK counterattacks: Facing threats from Kraken
Kraken’s major security vulnerability
Forgery of transactions and unauthorized withdrawals
Kraken’s response and subsequent actions
Kraken announced that a research team discovered a major security vulnerability in the exchange, resulting in the team holding $3 million worth of digital assets. This vulnerability was initially discovered on June 9th by an anonymous self-proclaimed “security researcher” who then notified Kraken.
However, Kraken’s Chief Security Officer, Nick Percoco, stated that the two accounts associated with the researcher exploited this vulnerability and withdrew over $3 million in digital assets. Percoco said, “They requested a call with our business team and refused to return any funds until we provided an estimate of the potential loss caused by the vulnerability. This is not white-hat hacking behavior; it’s extortion!”
Kraken emphasizes that the stolen cryptocurrencies were taken from Kraken’s own treasury and that user funds were not compromised.
In this incident, one of the three Kraken accounts related to the vulnerability had undergone Know Your Customer (KYC) verification. The owner of this account claimed to be a security researcher, but their identity has not been disclosed. The researcher initially demonstrated the vulnerability by making a $4 cryptocurrency transfer, which was sufficient to qualify for a “substantial reward” from Kraken’s bug bounty program.
However, this researcher disclosed the vulnerability to the other two accounts, which wrongfully withdrew nearly $3 million. Nick Percoco, Kraken’s Chief Security Officer, stated, “To be transparent, we’re disclosing this vulnerability to the industry today. We asked these ‘white-hat hackers’ to return what they stole from us and were accused of being unreasonable and unprofessional. Unbelievable.”
The security team CertiK appears to be at the center of this dispute and has also accused Kraken of threatening them.
According to CertiK, the investigation began with a significant discovery regarding Kraken’s deposit system. CertiK’s team found that the system could not distinguish between the different states of an internal transfer. This prompted a comprehensive examination of three key questions: Can malicious actors forge a deposit transaction to a Kraken account? Can malicious actors withdraw forged funds? What risk controls and asset protection measures would be triggered by large withdrawal requests?
The investigation revealed shocking results. Several million dollars could be fraudulently deposited into any Kraken account. More concerning is that over $1 million worth of forged cryptocurrencies could be withdrawn from the account and converted into legitimate digital assets. No alarms were triggered during multiple days of testing. Kraken only took action and locked the testing accounts several days after CertiK formally reported the incident.
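The article says only that the deposit system did not distinguish between internal transfer states and that no alarms fired on large withdrawals; it does not describe Kraken’s actual implementation. The following is an added illustration, not Kraken’s or CertiK’s code: a toy ledger that models the flaw class (crediting a deposit record before the transfer is finalized) next to a hardened version that credits only finalized, not-yet-credited deposits and holds large withdrawals for review. All names, amounts and the threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositStatus(Enum):
    """Internal transfer states a deposit record can be in (hypothetical model)."""
    INITIATED = "initiated"    # record created, nothing settled yet
    PENDING = "pending"        # observed by the sending side, still reversible
    FINALIZED = "finalized"    # irreversibly settled; the only state that is real money
    FAILED = "failed"          # reversed or never completed


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: Decimal
    status: DepositStatus


@dataclass
class Ledger:
    """Per-account spendable balances plus a simple large-withdrawal control."""
    large_withdrawal_threshold: Decimal = Decimal("100000")  # constructed value
    balances: dict = field(default_factory=dict)
    credited_ids: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def _add(self, account: str, amount: Decimal) -> None:
        self.balances[account] = self.balances.get(account, Decimal("0")) + amount

    def credit_vulnerable(self, dep: Deposit) -> Decimal:
        """Modelled flaw: the balance is credited as soon as a deposit record
        exists, whatever its status, so an unfinalized transfer spends like real funds."""
        self._add(dep.account, dep.amount)
        return self.balances[dep.account]

    def credit_hardened(self, dep: Deposit) -> Decimal:
        """Only a FINALIZED deposit moves the spendable balance, and each deposit
        id is credited at most once, so re-submitting the same record is a no-op."""
        if dep.status is DepositStatus.FINALIZED and dep.deposit_id not in self.credited_ids:
            self.credited_ids.add(dep.deposit_id)
            self._add(dep.account, dep.amount)
        return self.balances.get(dep.account, Decimal("0"))

    def withdraw(self, account: str, amount: Decimal) -> str:
        """Withdrawals are checked against settled balance only; anything at or
        above the threshold is recorded as an alert and held instead of paid out."""
        bal = self.balances.get(account, Decimal("0"))
        if amount > bal:
            return "rejected"
        if amount >= self.large_withdrawal_threshold:
            self.alerts.append((account, amount))
            return "held_for_review"
        self.balances[account] = bal - amount
        return "approved"


def demo():
    """Constructed scenario: a never-finalized deposit record against both ledgers."""
    unfinalized = Deposit("dep-1", "acct-A", Decimal("1000000"), DepositStatus.PENDING)
    real = Deposit("dep-2", "acct-A", Decimal("4"), DepositStatus.FINALIZED)

    weak = Ledger()
    weak.credit_vulnerable(unfinalized)
    weak_result = weak.withdraw("acct-A", Decimal("50000"))   # approved: unsettled funds leave

    strong = Ledger()
    strong.credit_hardened(unfinalized)                        # ignored: not finalized
    strong.credit_hardened(real)
    strong.credit_hardened(real)                               # replay ignored
    strong_result = strong.withdraw("acct-A", Decimal("50000"))  # rejected: only 4 settled
    return weak_result, strong_result, strong.balances["acct-A"]


if __name__ == "__main__":
    print(demo())
```

The point of the two `credit_*` methods is where the state check lives: in the hardened ledger the balance update is gated on the transfer’s final state and on the deposit id, so neither an unfinished transfer nor a replayed record becomes spendable, and the withdrawal path never consults anything but settled balance. The threshold hold is the kind of control CertiK’s third question asks about; in practice it would be one of several signals rather than a single fixed number.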
Upon receiving CertiK’s report, Kraken’s security team classified the issue as “critical,” the highest severity level. While the initial discussions regarding identifying and fixing the vulnerability appeared successful, the situation quickly deteriorated. Kraken’s Security Operations team threatened individual CertiK employees, demanding the return of an incorrect amount of cryptocurrency within an unreasonable timeframe and without providing any repayment address.
CertiK urges Kraken to cease its intimidation of white-hat hackers and emphasizes the importance of collaboration in addressing security risks and protecting the future of decentralized finance.