In a recent incident, renowned crypto exchange Kraken fell victim to the unethical actions of a rogue security research company. The company reportedly discovered a critical bug in Kraken’s funding system, allowing them to exploit the flaw and withdraw nearly $3 million in digital assets from the platform. Kraken’s Chief Security Officer, Nick Percoco, detailed the incident, revealing the extent of the breach.
According to Percoco, the bug stemmed from a recent user experience (UX) change implemented by Kraken. Unbeknownst to the exchange's security team, this change allowed users to artificially inflate their account balances and trade in real time before the deposited assets had cleared. The flaw resulted from inadequate testing for this specific failure mode, highlighting a failure on Kraken's part to thoroughly assess the security impact of its UX changes.
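The class of defect described above, a balance credited before the deposit has cleared, can be modelled and regression-tested in a few lines. The following is an added illustration, not Kraken's code and not a description of its actual system: a hypothetical deposit ledger in which the vulnerable variant credits the spendable balance on deposit initiation, while the hardened variant holds funds in a separate pending balance until an explicit confirmation. The `spendable_before_clearance` check is the kind of test the text says was missing.

```python
from dataclasses import dataclass, field


class InsufficientFunds(Exception):
    """Raised when a withdrawal exceeds the spendable balance."""


@dataclass
class Account:
    # Hypothetical model: amounts are integers in the smallest asset unit.
    available: int = 0                                 # cleared, spendable
    pending: int = 0                                   # initiated, not yet cleared
    unconfirmed: dict = field(default_factory=dict)    # deposit_id -> amount


class BaseLedger:
    """Shared account store and withdrawal logic for both ledger variants."""

    def __init__(self):
        self.accounts = {}

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def withdraw(self, user, amount):
        acct = self.account(user)
        if amount <= 0:
            raise ValueError("amount must be positive")
        if acct.available < amount:
            raise InsufficientFunds(f"{user}: {amount} > {acct.available}")
        acct.available -= amount
        return acct.available


class VulnerableLedger(BaseLedger):
    """Credits the spendable balance when a deposit is merely initiated."""

    def initiate_deposit(self, user, deposit_id, amount):
        # Flaw modelled here: the funds become spendable before clearance.
        self.account(user).available += amount

    def confirm_deposit(self, user, deposit_id):
        return None  # nothing left to do; the money was already spendable


class HardenedLedger(BaseLedger):
    """Holds deposits in `pending` until the settlement layer confirms them."""

    def initiate_deposit(self, user, deposit_id, amount):
        acct = self.account(user)
        if amount <= 0:
            raise ValueError("amount must be positive")
        if deposit_id in acct.unconfirmed:
            raise ValueError(f"duplicate deposit id {deposit_id}")
        acct.unconfirmed[deposit_id] = amount
        acct.pending += amount          # shown to the user, but not spendable

    def confirm_deposit(self, user, deposit_id):
        acct = self.account(user)
        # pop() raises KeyError for an unknown or already-confirmed id,
        # so a replayed confirmation can never credit the funds twice.
        amount = acct.unconfirmed.pop(deposit_id)
        acct.pending -= amount
        acct.available += amount
        return acct.available

    def cancel_deposit(self, user, deposit_id):
        acct = self.account(user)
        acct.pending -= acct.unconfirmed.pop(deposit_id)


def spendable_before_clearance(ledger_cls, amount=1_000):
    """Regression check: True if an unconfirmed deposit can be withdrawn."""
    ledger = ledger_cls()
    ledger.initiate_deposit("alice", "dep-1", amount)   # constructed sample
    try:
        ledger.withdraw("alice", amount)
    except InsufficientFunds:
        return False
    return True


def spendable_after_clearance(ledger_cls, amount=1_000):
    """Sanity check: a confirmed deposit must be fully withdrawable."""
    ledger = ledger_cls()
    ledger.initiate_deposit("alice", "dep-1", amount)
    ledger.confirm_deposit("alice", "dep-1")
    return ledger.withdraw("alice", amount) == 0


if __name__ == "__main__":
    print("vulnerable ledger spendable before clearance:",
          spendable_before_clearance(VulnerableLedger))
    print("hardened ledger spendable before clearance:",
          spendable_before_clearance(HardenedLedger))
```

The design point is that "pending" and "available" are distinct ledger states, and only the settlement path, never a UX or front-end change, may move funds between them; a check like `spendable_before_clearance` belongs in the test suite that runs on every change touching balances.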
After fixing the bug, Kraken discovered that three accounts had taken advantage of the flaw. Percoco revealed that the security researcher who initially reported the bug had shared the information with two associates, who proceeded to withdraw the funds from Kraken’s treasury. Despite Kraken’s attempts to contact the individuals and request the return of the funds, the researchers demanded a speculative sum for potential damages caused by the bug.
Percoco condemned these actions as unethical and criminal, emphasizing the importance of following the rules of bug bounty programs. By ignoring these rules and extorting the company, the security researcher and their associates had crossed a moral and legal line. Percoco made it clear that such behavior revoked their “license to hack” and labeled them as criminals.
Kraken has since escalated the incident to a criminal level, cooperating with law enforcement authorities to address the exploitation of their bug bounty program. The platform is taking a firm stance against the rogue security research company and is committed to holding them accountable for their actions. This incident serves as a stark reminder of the risks associated with inadequate security measures and the importance of ethical behavior in the cybersecurity community.