American cryptocurrency exchange Kraken sustained a $3 million loss in early June following an exploit in its funding system. The breach, attributed to rogue security researchers, was publicly disclosed by Kraken’s Chief Security Officer Nick Percoco on social media.
According to Percoco, Kraken first received a bug report from a purported “security researcher” on June 9. The flaw, introduced by a recent user experience (UX) update, allowed users to have their accounts credited before the deposited assets had cleared, so they could trade in real time against funds the exchange had not yet received. Percoco admitted that the UX change had not been tested against this particular attack vector before deployment.
“This UX change was not thoroughly tested against this specific attack vector,” Percoco stated.
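The defect described above is a settlement-ordering bug: the spendable balance moved as soon as a deposit was announced, rather than when it cleared. The following is an added illustration, not Kraken's code and not based on any knowledge of its systems; it models a hypothetical ledger that tracks a settled (spendable) balance separately from a pending (informational) one and authorises trades only against the former.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"    # announced, but not yet final on the settlement rail
    SETTLED = "settled"    # finality reached; the exchange actually holds the funds
    REVERSED = "reversed"  # never confirmed (e.g. dropped or reorganised out)


@dataclass
class Account:
    settled: int = 0   # spendable balance, in minor units (constructed example)
    pending: int = 0   # shown to the user only; never spendable
    deposits: dict = field(default_factory=dict)  # dep_id -> (state, amount)


def credit_deposit_vulnerable(acct: Account, dep_id: str, amount: int) -> None:
    """The flawed pattern: spendable balance is credited on announcement."""
    acct.settled += amount
    acct.deposits[dep_id] = (DepositState.PENDING, amount)


def announce_deposit(acct: Account, dep_id: str, amount: int) -> None:
    """Hardened: an announced deposit only moves the informational balance."""
    acct.pending += amount
    acct.deposits[dep_id] = (DepositState.PENDING, amount)


def settle_deposit(acct: Account, dep_id: str) -> bool:
    """Move funds to the spendable balance only once clearance is final."""
    state, amount = acct.deposits[dep_id]
    if state is not DepositState.PENDING:
        return False  # idempotent: a settled or reversed deposit is never re-credited
    acct.pending -= amount
    acct.settled += amount
    acct.deposits[dep_id] = (DepositState.SETTLED, amount)
    return True


def reverse_deposit(acct: Account, dep_id: str) -> bool:
    """A pending deposit that never clears is dropped without touching spendable funds."""
    state, amount = acct.deposits[dep_id]
    if state is not DepositState.PENDING:
        return False
    acct.pending -= amount
    acct.deposits[dep_id] = (DepositState.REVERSED, amount)
    return True


def place_order(acct: Account, cost: int) -> bool:
    """Trades (and withdrawals) are authorised against settled funds only."""
    if cost > acct.settled:
        return False
    acct.settled -= cost
    return True
```

Running a trade through both paths shows the difference: the vulnerable credit lets an order fill against an unsettled deposit, while the hardened ledger rejects it until settlement and never exposes a reversed deposit as spendable.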
Subsequent investigations revealed that the vulnerability had been exploited on three separate occasions before it was patched. Instead of following ethical disclosure practices, the researcher allegedly shared the exploit with two accomplices, leading to the illicit withdrawal of nearly $3 million from Kraken’s reserves.
The security researcher’s initial bug report was incomplete, so further verification was needed before any reward for identifying the flaw could be considered. Kraken asked for a detailed account of their actions, a proof of concept, and the return of the stolen funds; the researchers refused, a stance Percoco condemned as “extortion” and a departure from standard ethical hacking protocols.
As of now, Kraken has not clarified whether they have identified all involved parties or recovered the lost assets.