Kraken Unveils $3 Million Crypto Heist by Exploiting Zero-Day Flaw

Jun 20, 2024 | News


Crypto exchange Kraken has revealed that an unidentified security researcher exploited an “extremely critical” zero-day flaw in its platform, resulting in the theft of $3 million in digital assets. The perpetrator has refused to return the stolen funds.

Kraken’s Chief Security Officer, Nick Percoco, shared details of the incident on X (formerly Twitter). He stated that the company received an alert through its Bug Bounty program about a bug that “allowed them to artificially inflate their balance on our platform” without providing additional specifics.

Within minutes of receiving the alert, Kraken identified a security issue that essentially allowed an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

While Kraken emphasized that no client assets were at risk due to this flaw, it acknowledged that a threat actor could have generated assets within their accounts. The issue was resolved within 47 minutes, according to Kraken.

The flaw originated from a recent user interface change that permitted customers to deposit funds and use them before they were cleared. Further investigation revealed that three accounts, including one linked to the supposed security researcher, exploited the flaw within a few days, siphoning $3 million.
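The failure mode described above, a deposit that becomes spendable before it has cleared, comes down to one ledger invariant: the spendable balance must only ever be backed by settled deposits. The following is an added illustration, not Kraken's or CertiK's code, of a toy exchange ledger that contrasts the flawed behaviour with a hardened one that holds initiated deposits as pending until confirmed, and adds the kind of reconciliation check that would flag treasury outflow not backed by settled inflow. Account ids and amounts are constructed; the `Ledger`, `Account` and scenario functions are hypothetical.

```python
"""Added example, not Kraken's or CertiK's code: a toy exchange ledger that
contrasts crediting a deposit to the spendable balance as soon as it is
initiated (the failure mode the article describes) with holding it as
pending until it is confirmed, plus a reconciliation check that flags
withdrawals not backed by settled deposits. All account ids and amounts
are constructed; amounts are integers in the smallest unit."""
from dataclasses import dataclass


@dataclass
class Account:
    available: int = 0   # spendable; must only ever be backed by settled deposits
    pending: int = 0     # initiated deposits still awaiting on-chain confirmation


class Ledger:
    def __init__(self, credit_before_clear: bool):
        # True reproduces the flawed behaviour: funds usable before they clear.
        self.credit_before_clear = credit_before_clear
        self.accounts: dict[str, Account] = {}
        self.settled_in = 0      # sum of confirmed deposits (real inflow)
        self.paid_out = 0        # sum of withdrawals paid from the treasury

    def account(self, uid: str) -> Account:
        return self.accounts.setdefault(uid, Account())

    def initiate_deposit(self, uid: str, amount: int) -> None:
        acct = self.account(uid)
        if self.credit_before_clear:
            acct.available += amount          # flawed: spendable immediately
        else:
            acct.pending += amount            # hardened: held until confirmed

    def confirm_deposit(self, uid: str, amount: int) -> None:
        acct = self.account(uid)
        if not self.credit_before_clear:
            acct.pending -= amount
            acct.available += amount
        self.settled_in += amount             # the inflow is now real either way

    def withdraw(self, uid: str, amount: int) -> bool:
        acct = self.account(uid)
        if amount > acct.available:
            return False
        acct.available -= amount
        self.paid_out += amount
        return True

    def unbacked_outflow(self) -> int:
        """Treasury paid out beyond what settled deposits brought in.
        Any positive value is a reconciliation alarm: the exchange is paying
        out funds that no confirmed deposit backs."""
        return max(0, self.paid_out - self.settled_in)


def unconfirmed_deposit_then_withdraw(credit_before_clear: bool) -> tuple[bool, int]:
    """Initiate a deposit that is never confirmed, then try to withdraw it."""
    ledger = Ledger(credit_before_clear)
    ledger.initiate_deposit("acct-A", 400)   # constructed scenario
    ok = ledger.withdraw("acct-A", 400)
    return ok, ledger.unbacked_outflow()


def confirmed_deposit_then_withdraw(credit_before_clear: bool) -> tuple[bool, int]:
    """The legitimate path: the deposit is confirmed before any withdrawal."""
    ledger = Ledger(credit_before_clear)
    ledger.initiate_deposit("acct-B", 400)
    ledger.confirm_deposit("acct-B", 400)
    ok = ledger.withdraw("acct-B", 400)
    return ok, ledger.unbacked_outflow()


if __name__ == "__main__":
    print("flawed, unconfirmed:  ", unconfirmed_deposit_then_withdraw(True))   # (True, 400)
    print("hardened, unconfirmed:", unconfirmed_deposit_then_withdraw(False))  # (False, 0)
    print("hardened, confirmed:  ", confirmed_deposit_then_withdraw(False))    # (True, 0)
```

The flawed ledger pays out 400 units that no confirmed deposit ever backed, and the `unbacked_outflow` reconciliation is exactly the control that should fire in that case; the hardened ledger refuses the withdrawal outright because the balance is still pending. Keeping settled inflow and treasury outflow as separate running totals, independent of per-account balances, is what lets the check catch the problem even when the balance logic itself is wrong.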

“This individual discovered the bug in our funding system and used it to credit their account with $4 in crypto,” Percoco explained. “This would have been enough to prove the flaw, file a bug bounty report with our team, and collect a significant reward under the terms of our program.”

“Instead, the ‘security researcher’ disclosed this bug to two other individuals they work with, who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.”

In a surprising turn of events, when approached by Kraken to share their proof-of-concept (PoC) exploit used to create the on-chain activity and arrange the return of the withdrawn funds, they demanded that the company contact their business development team to pay a set amount to release the assets.

“This is not white hat hacking; it is extortion,” Percoco stated, urging the involved parties to return the stolen funds.

Although Kraken did not disclose the name of the company, it said it is treating the security incident as a criminal case and is coordinating with law enforcement agencies on the matter.

“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in,” Percoco noted. “Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”

Latest Developments

Blockchain security firm CertiK has admitted to being behind the breach on Kraken, claiming that it detected several critical flaws that made it possible to mint (i.e., fabricate) crypto on any account, which could then be withdrawn and converted into valid crypto assets.

“Millions of dollars of crypto were minted out of thin air, and no real Kraken user’s assets were directly involved in our research activities,” the company wrote on X, defending its actions.

“For several days, with many fabricated tokens generated and withdrawn to valid cryptos, no risk control or prevention mechanisms were triggered until reported by CertiK. The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts were part of our testing.”

CertiK further asserted that “Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

Additionally, evidence has surfaced indicating that a CertiK researcher may have been conducting probing and testing as early as May 27, 2024, contradicting the company’s timeline of events.

The development comes as Kraken, in a blog post, accused the “third-party security research company” of exploiting the flaw for financial gain before reporting it. The now-resolved security vulnerability “allowed certain users, for a short period, to artificially increase the value of their Kraken account balance without fully completing a deposit.”

Source: thehackernews.com