Kraken Says Hackers Turned to 'Extortion' After Exploiting Bug for $3M

The bug found by a "security researcher" led to nearly $3 million stolen from Kraken's treasuries.

AccessTimeIconJun 19, 2024 at 3:22 p.m. UTC
Updated Jun 19, 2024 at 6:32 p.m. UTC
  • Kraken said third-party security researchers found a vulnerability, which was fixed by the crypto exchange.
  • The researchers secretly withdrew nearly $3 million and refused to give it back without seeing the bounty amount first, Kraken said.
  • Blockchain code editor Certik said it found a vulnerability in Kraken's platform and claims to have been "threatened" by the exchange.
  • Scammers Took Advantage of the Ethereum Merge to Make Millions: Chainalysis
    Scammers Took Advantage of the Ethereum Merge to Make Millions: Chainalysis
  • $40M in Insurance 'Will Not Be Touched' to Recover Lost Funds in Hot Wallet Hack: Deribit Exec
    $40M in Insurance 'Will Not Be Touched' to Recover Lost Funds in Hot Wallet Hack: Deribit Exec
  • Cybercriminals Are Opportunists: Former FBI Special Agent
    Cybercriminals Are Opportunists: Former FBI Special Agent
  • Crypto exchange Kraken said "security researchers" who found a vulnerability on the platform turned to "extortion" after withdrawing about $3 million from the exchange's treasury.

    Nick Percoco, Kraken's chief security officer, said in a post on social media platform X (formerly Twitter) that the firm received a "bug bounty program" alert from a security researcher on June 9 about a vulnerability that allows users to artificially inflate their balance. The bug "allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit," Percoco added.

    Upon receiving the report, Kraken fixed the issue swiftly and no user funds were affected, Percoco noted.

    What came after raised red flags for Kraken's team.

    The security researcher, upon finding the bug, allegedly disclosed it to two other individuals, who then "fraudulently" withdrew nearly $3 million from their Kraken accounts. "This was from Kraken’s treasuries, not other client assets," Percoco said.

    The initial bug report didn't mention the two other individuals' transactions, and when Kraken asked for more details of their activities, they refused.

    "Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco wrote.

    Kraken didn't disclose who the researchers were, but blockchain code editor Certik subsequently said in a social media post that it found several vulnerabilities in the crypto exchange.

    Certik said it conducted "multi-day testing" and noted that the bug could be exploited to create millions of dollars worth of crypto. "Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period," the post said.

    However, Certik said things went sour after the initial conversation with Kraken. "Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," the X post added.

    Bug bounty programs – used by many firms to strengthen their security systems – invite third-party hackers, known as "white hats," to find vulnerabilities so the company can fix them before a malicious actor exploits them. Kraken's competitor, Coinbase, has a similar program to help alert the exchange of vulnerabilities.

    To be paid the bounty, Kraken's program requires a third party to find the problem, exploit the minimum amount needed to prove the bug, return the assets and provide details of the vulnerability, Kraken said in a blog post, adding that since the security researchers didn't follow these rules, they won't get the bounty.

    "We engaged these researchers in good faith and, in-line with a decade of running a bug bounty program, had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers," a Kraken spokesperson told CoinDesk.

    UPDATE (June 19, 18:30 UTC): Updates story throughout to add Certik's comments.

    Edited by Sheldon Reback.


    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Aoyon Ashraf

    Aoyon Ashraf is managing editor with more than a decade of experience in covering equity markets