Kraken’s head of security, Nick Percoco, has revealed that an undisclosed group of white hat hackers has refused to return approximately $3 million worth of digital assets, which they stole from the platform’s treasury by exploiting a bug in its system.
In a series of X posts, Percoco said the security researchers are demanding that the crypto exchange estimate how much money it could have lost had they not disclosed the bug, before they will return the stolen funds.
Security researchers reveal the Kraken bug
According to Percoco, a security researcher sent a Bug Bounty Program alert to Kraken on June 9, stating that they had found an “extremely critical” bug that allowed users to artificially inflate their balance on the platform. Although the exchange is wary of the many fake bug bounty reports it receives daily, it took the claim seriously and assembled a team to investigate the issue.
The team found a bug that allowed cybercriminals to initiate a deposit to Kraken and have the funds credited to their account without the deposit ever completing. While the bug did not put customer funds at risk, an attacker could effectively print assets in their account and then withdraw them, with the payout coming from Kraken’s treasury.
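The failure pattern described above is a ledger crediting a deposit when it is initiated rather than when the funds have actually arrived. The following is an added illustration, not Kraken’s code; the class names, the `credit_on_initiation` switch and the two-state deposit model are assumptions made for the example. It shows the flawed accounting beside the corrected one, where withdrawals are only ever checked against settled funds.

```python
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    PENDING = "pending"      # deposit initiated, funds not yet received
    CONFIRMED = "confirmed"  # funds actually received by the exchange

@dataclass
class Deposit:
    amount: int
    state: State = State.PENDING

@dataclass
class Account:
    deposits: list = field(default_factory=list)
    withdrawn: int = 0

    def total(self, state: State) -> int:
        # Sum of deposits currently in the given state
        return sum(d.amount for d in self.deposits if d.state is state)

class Ledger:
    """credit_on_initiation=True reproduces the bug pattern the article
    describes (hypothetical model): balance credited before funds arrive."""

    def __init__(self, credit_on_initiation: bool):
        self.credit_on_initiation = credit_on_initiation
        self.accounts: dict[str, Account] = {}

    def initiate_deposit(self, user: str, amount: int) -> Deposit:
        dep = Deposit(amount)
        self.accounts.setdefault(user, Account()).deposits.append(dep)
        return dep

    def confirm_deposit(self, dep: Deposit) -> None:
        dep.state = State.CONFIRMED  # only once the transfer is final

    def spendable(self, user: str) -> int:
        acct = self.accounts.setdefault(user, Account())
        avail = acct.total(State.CONFIRMED) - acct.withdrawn
        if self.credit_on_initiation:
            avail += acct.total(State.PENDING)  # flaw: unreceived funds spendable
        return avail

    def withdraw(self, user: str, amount: int) -> bool:
        # Withdrawals are only honoured against spendable funds
        if amount <= 0 or amount > self.spendable(user):
            return False
        self.accounts[user].withdrawn += amount
        return True
```

With the flag on, an uncompleted deposit is immediately withdrawable; with it off, the same withdrawal is refused until the deposit is confirmed.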
The problem was contained within two hours of being identified. The team discovered that the bug stemmed from a flaw in Kraken’s latest user experience (UX). Upon further investigation, Kraken found that three accounts had already exploited the flaw. One account was linked to a user claiming to be a security researcher.
It turns out that the researcher found the bug first, leveraged it to credit his Kraken account with $4 in crypto, and, instead of filing a bug bounty report with the right team, reported it to his two colleagues, who exploited the flaw for larger sums. Collectively, they withdrew approximately $3 million in crypto from their accounts.
Bug Bounty turned into extortion
When Kraken contacted the security researchers and demanded an account of their activities and the return of the assets they had withdrawn, they refused. They called Kraken unreasonable and unprofessional and demanded that the platform provide an estimate of the damage the bug could have caused.
Percoco said Kraken has referred the case to law enforcement agencies, as it considers the matter extortion.
“We are treating this as a criminal case and we are coordinating with law enforcement accordingly. We are grateful that this issue has been reported, but that’s where that thinking ends,” Percoco said.