Kraken’s chief security officer, Nick Percoco, took to the social media platform X to reveal that a black hat entity managed to steal $3 million from the firm by exploiting a bug in the exchange’s systems. According to Percoco, Kraken received an update from their Bug Bounty program, warning about an “extremely critical” bug that could be used by hackers to artificially inflate their funds.
“After detecting an isolated bug within minutes, we realized that a malicious attacker could initiate a deposit onto our platform and receive funds in their account without completing the deposit,” Percoco explained. He clarified that no client assets were at risk, but a malicious attacker could essentially create assets in their Kraken account for a limited time.
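The flaw Percoco describes is a crediting-order problem: a spendable balance was increased when a deposit was initiated rather than when it settled. The following is an added illustration, not Kraken's code and not based on any knowledge of its systems; it models a constructed ledger with a weak credit-on-initiate policy beside a strict credit-on-confirm policy, plus a reconciliation check that flags any account whose outflows exceed its confirmed inflows. Names such as `Ledger`, `simulate` and the account id `acct-A` are assumptions made for the example.

```python
"""Credit-on-initiate vs credit-on-confirm deposit handling (constructed example)."""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: Decimal
    state: DepositState = DepositState.PENDING


@dataclass
class Ledger:
    # True reproduces the weak behaviour: balance rises before funds arrive.
    credit_on_initiate: bool
    balances: dict = field(default_factory=dict)   # spendable balance per account
    withdrawn: dict = field(default_factory=dict)  # total paid out per account
    confirmed: dict = field(default_factory=dict)  # total settled inflow per account
    deposits: dict = field(default_factory=dict)

    def _add(self, table, account, amount):
        table[account] = table.get(account, Decimal(0)) + amount

    def initiate_deposit(self, deposit_id, account, amount):
        dep = Deposit(deposit_id, account, Decimal(amount))
        self.deposits[deposit_id] = dep
        if self.credit_on_initiate:
            # Weak: the deposit is still pending, yet the balance is already spendable.
            self._add(self.balances, account, dep.amount)
        return dep

    def confirm_deposit(self, deposit_id):
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.PENDING:
            raise ValueError("deposit already finalised")  # prevents double credit
        dep.state = DepositState.CONFIRMED
        self._add(self.confirmed, dep.account, dep.amount)
        if not self.credit_on_initiate:
            # Strict: only settled funds become spendable.
            self._add(self.balances, dep.account, dep.amount)

    def fail_deposit(self, deposit_id):
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.PENDING:
            raise ValueError("deposit already finalised")
        dep.state = DepositState.FAILED
        if self.credit_on_initiate:
            # Weak policy must claw back; if the funds were already withdrawn,
            # the account simply goes negative and the platform has lost money.
            self._add(self.balances, dep.account, -dep.amount)

    def withdraw(self, account, amount):
        amount = Decimal(amount)
        if self.balances.get(account, Decimal(0)) < amount:
            return False
        self._add(self.balances, account, -amount)
        self._add(self.withdrawn, account, amount)
        return True

    def unbacked_accounts(self):
        """Reconciliation check: accounts whose withdrawals plus remaining
        spendable balance exceed what has actually settled."""
        flagged = []
        for account in set(self.balances) | set(self.withdrawn):
            spendable = max(self.balances.get(account, Decimal(0)), Decimal(0))
            outflow = self.withdrawn.get(account, Decimal(0))
            if spendable + outflow > self.confirmed.get(account, Decimal(0)):
                flagged.append(account)
        return sorted(flagged)


def simulate(credit_on_initiate):
    """Initiate a deposit, attempt a withdrawal before it settles, then let the
    deposit fail. Returns (withdrawal succeeded, final balance, flagged accounts)."""
    ledger = Ledger(credit_on_initiate)
    ledger.initiate_deposit("d1", "acct-A", "1000")
    withdrew = ledger.withdraw("acct-A", "1000")
    ledger.fail_deposit("d1")  # the deposit never completes
    return withdrew, ledger.balances.get("acct-A", Decimal(0)), ledger.unbacked_accounts()


if __name__ == "__main__":
    print("weak policy  :", simulate(True))   # withdrawal succeeds, balance goes negative
    print("strict policy:", simulate(False))  # withdrawal refused, nothing to reconcile
```

Under the weak policy the withdrawal succeeds against funds that never arrive, and only the reconciliation check surfaces the loss; under the strict policy the withdrawal is refused because nothing has settled, so there is nothing for the check to flag.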
Once the bug was patched, Kraken discovered that three accounts had taken advantage of the flaw. Through know-your-customer (KYC) forms, the company was able to link one of the accounts to a person who claimed to be a security expert. Rather than reporting the exploit to Kraken, the individual allegedly shared it with two others, who proceeded to withdraw nearly $3 million from their accounts.
Percoco accused the person and his accomplices of refusing to return the money and instead demanding a reward based on a speculative estimate of the losses the bug could have caused had they not found it. Bug bounty programs are designed to let companies compensate individuals who find and report bugs, but using them to exploit firms makes one a criminal, according to Percoco.
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals,” Percoco stated.
The Daily Hodl is not an investment advisor and does not recommend the buying or selling of any cryptocurrencies or digital assets. Please note that The Daily Hodl participates in affiliate marketing.