- Kraken said third-party security researchers found a vulnerability, which was fixed by the crypto exchange.
- The researchers secretly withdrew nearly $3 million and refused to give it back without seeing the bounty amount first, Kraken said.
- Blockchain code editor CertiK said it found a vulnerability in Kraken’s platform and claims to have been “threatened” by the exchange.

Crypto exchange Kraken said “security researchers” who found a vulnerability on the platform turned to “extortion” after withdrawing about $3 million from the exchange’s treasury.

Nick Percoco, Kraken’s chief security officer, said in a post on social media platform X (formerly Twitter) that the firm received a “bug bounty program” alert from a security researcher on June 9 about a vulnerability that allows users to artificially inflate their balance.

The bug “allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit,” Percoco added.

Upon receiving the report, Kraken fixed the issue swiftly and no user funds were affected, Percoco noted.

What came after raised red flags for Kraken’s team. The security researcher, upon finding the bug, allegedly disclosed it to two other individuals, who then “fraudulently” withdrew nearly $3 million from their Kraken accounts.

“This was from Kraken’s treasuries, not other client assets,” Percoco said.

The initial bug report didn’t mention the two other individuals’ transactions, and when Kraken asked for more details of their activities, they refused.

“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!” Percoco wrote.

Kraken didn’t disclose who the researchers were, but blockchain code editor CertiK subsequently said in a social media post that it found several vulnerabilities in the crypto exchange.

CertiK said it conducted “multi-day testing” and noted that the bug could be exploited to create millions of dollars worth of crypto.

“Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period,” the post said.
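The two technical points in the reporting above are the deposit-crediting failure mode Percoco describes (funds become spendable before the deposit has completed) and CertiK’s remark that no alerts fired while fabricated balances were being moved. The hypothetical Python ledger below is an added illustration, not Kraken’s code and not anything published by CertiK; it models both points with constructed account and deposit values: a `credit_on_initiate` flag reproduces the flawed crediting order beside the correct credit-on-confirmation order, and a `reconcile()` invariant (spendable balance plus withdrawals must never exceed confirmed inflows) shows the kind of check that would have raised an alert.

```python
"""Toy deposit ledger (hypothetical model; not Kraken's or CertiK's code).

Credits a spendable balance either when a deposit is *initiated* (the
flawed pattern described in the article) or only when it is *confirmed*,
and reconciles balances against confirmed inflows so that any excess is
surfaced as an alertable anomaly.
"""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # transfer observed, not yet final
    CONFIRMED = "confirmed"   # required confirmations reached
    FAILED = "failed"         # never reached finality


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit; values are constructed
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    credit_on_initiate: bool                         # True = flawed ordering
    balances: dict = field(default_factory=dict)     # account -> spendable
    deposits: dict = field(default_factory=dict)     # deposit_id -> Deposit
    withdrawals: dict = field(default_factory=dict)  # account -> total out

    def initiate_deposit(self, deposit_id, account, amount):
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        if self.credit_on_initiate:
            # Flawed: the balance is spendable before the deposit is final.
            self.balances[account] = self.balances.get(account, 0) + amount
        return dep

    def confirm_deposit(self, deposit_id):
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            return dep
        dep.state = DepositState.CONFIRMED
        if not self.credit_on_initiate:
            # Correct: credit only once the deposit has actually completed.
            self.balances[dep.account] = self.balances.get(dep.account, 0) + dep.amount
        return dep

    def fail_deposit(self, deposit_id):
        dep = self.deposits[deposit_id]
        if dep.state is DepositState.INITIATED:
            dep.state = DepositState.FAILED
        return dep

    def withdraw(self, account, amount):
        """Debit a spendable balance; returns False if funds are insufficient."""
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        self.withdrawals[account] = self.withdrawals.get(account, 0) + amount
        return True

    def reconcile(self):
        """Return {account: excess} where spendable balance + withdrawals
        exceed confirmed inflows. A non-empty result is the alert condition
        a deposit-crediting bug should trip."""
        confirmed_in = {}
        for dep in self.deposits.values():
            if dep.state is DepositState.CONFIRMED:
                confirmed_in[dep.account] = confirmed_in.get(dep.account, 0) + dep.amount
        anomalies = {}
        for acct in set(self.balances) | set(self.withdrawals):
            outflow = self.balances.get(acct, 0) + self.withdrawals.get(acct, 0)
            excess = outflow - confirmed_in.get(acct, 0)
            if excess > 0:
                anomalies[acct] = excess
        return anomalies


def demo(credit_on_initiate):
    """One constructed scenario: a deposit is initiated, a withdrawal is
    attempted, and the deposit then fails to confirm. Returns whether the
    withdrawal succeeded and what reconciliation flags."""
    ledger = Ledger(credit_on_initiate=credit_on_initiate)
    ledger.initiate_deposit("dep-1", "acct-A", 1_000)
    moved = ledger.withdraw("acct-A", 600)
    ledger.fail_deposit("dep-1")
    return moved, ledger.reconcile()


if __name__ == "__main__":
    print("flawed ordering :", demo(True))    # withdrawal succeeds, anomaly flagged
    print("correct ordering:", demo(False))   # withdrawal refused, nothing to flag
```

With the flawed ordering the withdrawal of unconfirmed funds goes through and `reconcile()` reports the full 1,000 units as unbacked; with credit-on-confirmation the withdrawal is refused and the ledger reconciles cleanly. The reconciliation is deliberately independent of the crediting path, so it still detects the mismatch even when the crediting logic is wrong.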
However, CertiK said things went sour after the initial conversation with Kraken.

“Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” the X post added.

Bug bounty programs – used by many firms to strengthen their security systems – invite third-party hackers, known as “white hats,” to find vulnerabilities so the company can fix them before a malicious actor exploits them. Kraken’s competitor, Coinbase, has a similar program to help alert the exchange of vulnerabilities.

To be paid the bounty, Kraken’s program requires a third party to find the problem, exploit the minimum amount needed to prove the bug, return the assets and provide details of the vulnerability, Kraken said in a blog post, adding that since the security researchers didn’t follow these rules, they won’t get the bounty.

“We engaged these researchers in good faith and, in line with a decade of running a bug bounty program, had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers,” a Kraken spokesperson told CoinDesk.

UPDATE (June 19, 18:30 UTC): Updates story throughout to add CertiK’s comments.