Crypto exchange Kraken recently faced a challenging situation involving security researchers who allegedly crossed the line into extortion. Nick Percoco, Kraken’s Chief Security Officer, detailed the incident on social media platform X.
According to Percoco, on June 9, Kraken received a report from a security researcher about a vulnerability that allowed users to artificially inflate their account balances. This flaw enabled a malicious attacker to initiate deposits and receive funds without completing the process.
Kraken promptly fixed the issue, ensuring no user funds were affected. However, the aftermath of the report raised serious concerns.
Kraken found that the individual who discovered the bug had leveraged it to credit their account with $4 in crypto. This would have been sufficient to prove the flaw, file a bug bounty report with Kraken, and collect a reward.
Instead of contacting Kraken immediately, the security researcher reportedly shared the vulnerability with two other individuals.
These individuals then exploited the flaw, withdrawing nearly $3 million from Kraken’s treasury, not from other clients’ assets. The initial bug report did not mention these fraudulent transactions, and when Kraken sought further details, the researchers refused to cooperate.
Instead, they demanded a meeting with Kraken’s business development team and declined to return the funds until Kraken speculated on the potential financial impact of the bug if it had gone undisclosed. Percoco labeled this demand as extortion rather than ethical hacking.
Bug bounty programs, like those run by Kraken and its competitor Coinbase, are designed to incentivize third-party hackers, known as “white hats,” to find and report vulnerabilities responsibly. These programs typically require hackers to exploit the minimum amount necessary to prove the bug, return any assets obtained, and provide detailed information about the vulnerability.
Kraken’s resilience shines amid recent challenges. Kraken’s Chief Security Officer, Nick Percoco, shared: “We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly. We’re thankful this issue was reported, but that’s where that thought ends.”