Cryptocurrency exchange Kraken has accused a group of security researchers of extortion after they exploited a vulnerability to withdraw nearly $3 million from the exchange’s treasury. Kraken claims the researchers are withholding the stolen funds until they are offered a bounty.
Security Researchers Alert Kraken
On June 9, 2024, a security researcher alerted Kraken to a critical vulnerability that allowed users to artificially inflate their account balances: a deposit could be credited to an account before the underlying funds had actually been transferred. Kraken fixed the issue quickly, but then discovered that the researcher had shared it with two others, who had already used it to withdraw approximately $3 million from the platform.
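The class of bug described above (a balance credited on deposit announcement rather than on settlement) is easier to see side by side with the safe pattern. The following is an added illustration, not Kraken's code or any reconstruction of its systems; the deposit states, the `Ledger`/`Deposit` names and the event sequence are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # announced/broadcast, not yet settled
    CONFIRMED = "confirmed"  # settled on the source ledger
    FAILED = "failed"        # cancelled, rejected, or reorged away


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int              # smallest unit (e.g. satoshi or cents)
    state: DepositState = DepositState.PENDING


@dataclass
class Ledger:
    """Illustrative exchange ledger (assumed structure, not a real system)."""
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)   # deposit_ids already credited

    def balance(self, account: str) -> int:
        return self.balances.get(account, 0)

    def _credit(self, deposit: Deposit) -> None:
        # Idempotent: a replayed event for the same deposit must not double-credit.
        if deposit.deposit_id in self.credited:
            return
        self.balances[deposit.account] = self.balance(deposit.account) + deposit.amount
        self.credited.add(deposit.deposit_id)

    def withdraw(self, account: str, amount: int) -> bool:
        """Debit if the spendable balance covers it; returns whether it succeeded."""
        if self.balance(account) < amount:
            return False
        self.balances[account] = self.balance(account) - amount
        return True


class OptimisticLedger(Ledger):
    """Vulnerable pattern: credit as soon as a deposit is announced."""
    def on_event(self, deposit: Deposit) -> None:
        if deposit.state == DepositState.PENDING:
            self._credit(deposit)   # spendable before the funds have arrived
        # FAILED is never handled, so a deposit that fails leaves the credit in place


class SettledLedger(Ledger):
    """Hardened pattern: credit only on settlement, never on announcement."""
    def on_event(self, deposit: Deposit) -> None:
        if deposit.state == DepositState.CONFIRMED:
            self._credit(deposit)
        # PENDING and FAILED events never touch the spendable balance


def simulate(ledger_cls):
    """Feed one constructed event sequence to a ledger class.

    Returns (balance after the events, whether a 1,200-unit withdrawal succeeds).
    Only 500 units actually settle, so a correct ledger must refuse that withdrawal.
    """
    ledger = ledger_cls()
    # Constructed sequence: deposit dep-1 is announced, then fails before settling.
    ledger.on_event(Deposit("dep-1", "alice", 1_000, DepositState.PENDING))
    ledger.on_event(Deposit("dep-1", "alice", 1_000, DepositState.FAILED))
    # Deposit dep-2 is announced and then genuinely settles.
    ledger.on_event(Deposit("dep-2", "alice", 500, DepositState.PENDING))
    ledger.on_event(Deposit("dep-2", "alice", 500, DepositState.CONFIRMED))
    final_balance = ledger.balance("alice")
    withdrew = ledger.withdraw("alice", 1_200)
    return final_balance, withdrew


if __name__ == "__main__":
    print("optimistic:", simulate(OptimisticLedger))  # (1500, True): phantom funds withdrawable
    print("settled:   ", simulate(SettledLedger))     # (500, False): only real funds count
```

The point of the contrast is the state a credit is keyed to. The optimistic ledger credits on an event the depositor controls and never reverses it on failure, so the same sequence produces a spendable balance larger than anything that arrived; the settled ledger keys every credit to a confirmation the exchange observes on the source chain, and the failed deposit never touches the balance at all.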
Kraken’s Response
Kraken’s Chief Security Officer, Nick Percoco, described the incident in a post on the social media platform X (formerly Twitter). He said that while the bug was promptly fixed, the researchers’ subsequent actions departed from ethical hacking norms: they demanded a bounty without following the rules of Kraken’s bug bounty program, which require only the minimal exploitation needed to demonstrate a bug, the return of any withdrawn assets, and a full technical write-up of the vulnerability.
Kraken has refused to pay the bounty and has characterized the researchers’ demands as extortion. The exchange emphasized that the withdrawn funds came from its own treasury and that no user assets were affected.
This incident highlights the delicate balance between encouraging security research through bug bounty programs and preventing malicious exploitation. Kraken’s firm stance on rule adherence underlines the importance of ethical conduct in cybersecurity.