Kraken Faces Extortion Threat Over Bug Bounty Report

Cryptocurrency exchange Kraken reports that a research team holds $3 million in digital assets appropriated through a recently discovered bug. Despite this, Kraken asserts that no user funds were at risk.

Discovery and Exploitation of the Bug

An anonymous individual, claiming to be a ‘security researcher,’ discovered a critical security flaw and reported it to Kraken on June 9. However, according to Nick Percoco, Kraken’s Chief Security Officer, two accounts linked to the researcher exploited the bug, withdrawing over $3 million worth of digital assets.

Following the multi-million-dollar withdrawal, the researcher demanded a reward for the stolen funds. Percoco described the situation in a June 19 post on X:

“Instead, they demanded a call with their business development team (i.e., their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking; it is extortion!”

Kraken clarified that the stolen cryptocurrency came directly from its treasury, so no user funds were endangered.

Kraken Denounces Extortion Tactics

Among the three Kraken accounts involved, one had completed Know Your Customer (KYC) verification under the identity of a self-proclaimed security researcher. This individual initially proved the flaw with a $4 crypto transfer, which would have been sufficient to earn a sizable reward from Kraken’s bug bounty program. However, the researcher shared the bug with two other accounts, which then fraudulently siphoned nearly $3 million.

Percoco condemned these actions as extortion, stating:

“In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that ‘white-hat hackers’ return what they stole from us. Unbelievable.”

Rising Crypto Hacks in 2024

Crypto hacks and exploits are on the rise in 2024, potentially outpacing those in 2023. In the first quarter of 2024, hackers stole digital assets worth $542.7 million, a 42% increase compared to the same period in 2023. Surprisingly, private key leaks, not smart contract vulnerabilities, were the primary cause of these exploits.

According to Merkle Science’s “2024 Crypto HackHub Report,” hacked funds lost to smart contract vulnerabilities fell by 92% to $179 million in 2023, down from $2.6 billion in 2022. Over 55% of hacked digital assets were lost to private key leaks in 2023.

The cryptocurrency industry has endured 785 reported hacks and exploits, resulting in nearly $19 billion in losses over the past 13 years.

Manjeet Mane
Manjeet Mane, an accomplished developer in cryptocurrency and blockchain technology, has devoted years to advancing these fields. With a firm belief in their transformative power across industries, he specializes in full-stack development.
