Cryptocurrency exchange Kraken hit by $3 million theft exploiting zero-day flaw
Cryptocurrency exchange Kraken has revealed that an anonymous security researcher exploited a “highly critical” zero-day flaw in its platform to steal $3 million in digital assets and refuse to return them.
The details of the incident were shared by Kraken Chief Security Officer Nick Percoco, who did not disclose further details at the time.
Within minutes of receiving the alert, the company said it had identified a security flaw that essentially allowed an attacker to “initiate a deposit on our platform and receive funds into their account without fully completing the deposit.”
While Kraken stressed that no customer assets were at risk from the issue, it could have allowed a threat actor to print assets into their accounts. The problem was resolved within 47 minutes, he said.
It further said that the flaw stems from a recent user interface change that allowed customers to deposit funds and use them before the deposit had settled.
On top of that, further investigation uncovered the fact that three accounts, including one belonging to the alleged security researcher, had exploited the flaw within days of each other and stolen $3 million.
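The crediting defect described above, as an added example that is not Kraken's code (the exchange's implementation is not public): a ledger that credits the spendable balance as soon as a deposit is initiated, beside a design that keeps pending and settled balances apart and only lets settled funds be withdrawn. It also includes the kind of independent reconciliation control that would have flagged withdrawals not backed by any confirmed deposit, the control CertiK later says never fired. Account names, amounts and deposit ids are constructed.

```python
"""Pre-settlement credit (vulnerable) vs. settle-then-credit (hardened), plus a
reconciliation check. Constructed example; not the exchange's code."""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # deposit announced, funds not yet final
    CONFIRMED = "confirmed"   # settlement (e.g. on-chain finality) reached
    FAILED = "failed"         # never completed


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit of the asset
    state: DepositState = DepositState.INITIATED


class InsufficientSettledFunds(Exception):
    pass


class VulnerableLedger:
    """Credits the spendable balance when a deposit is *initiated*: the deposit
    never has to complete for the credit to be withdrawn."""

    def __init__(self):
        self.spendable = defaultdict(int)
        self.withdrawn = defaultdict(int)

    def initiate_deposit(self, dep):
        self.spendable[dep.account] += dep.amount   # BUG: credit before settlement

    # Settlement changes nothing here; the money was already spendable.

    def withdraw(self, account, amount):
        if self.spendable[account] < amount:
            raise InsufficientSettledFunds(account)
        self.spendable[account] -= amount
        self.withdrawn[account] += amount


class HardenedLedger:
    """Pending and settled balances are separate; only settled funds are withdrawable."""

    def __init__(self):
        self.pending = defaultdict(int)
        self.settled = defaultdict(int)
        self.withdrawn = defaultdict(int)
        self.deposits = {}

    def initiate_deposit(self, dep):
        if dep.deposit_id in self.deposits:
            raise ValueError(f"duplicate deposit id {dep.deposit_id}")  # replay guard
        self.deposits[dep.deposit_id] = dep
        self.pending[dep.account] += dep.amount     # visible to the user, not spendable

    def confirm_deposit(self, dep):
        # A deposit is credited exactly once: any other state transition is rejected.
        if dep.state is not DepositState.INITIATED:
            raise ValueError(f"deposit {dep.deposit_id} already finalised")
        dep.state = DepositState.CONFIRMED
        self.pending[dep.account] -= dep.amount
        self.settled[dep.account] += dep.amount

    def withdraw(self, account, amount):
        if self.settled[account] < amount:           # pending funds never count
            raise InsufficientSettledFunds(account)
        self.settled[account] -= amount
        self.withdrawn[account] += amount


def reconcile(credited, withdrawn, deposits):
    """Independent control: every unit an account holds or has withdrawn must be
    backed by a CONFIRMED deposit. Returns {account: unbacked_amount} for failures."""
    backed = defaultdict(int)
    for dep in deposits:
        if dep.state is DepositState.CONFIRMED:
            backed[dep.account] += dep.amount
    flagged = {}
    for account in set(credited) | set(withdrawn):
        unbacked = credited.get(account, 0) + withdrawn.get(account, 0) - backed[account]
        if unbacked > 0:
            flagged[account] = unbacked
    return flagged


def run_scenario():
    """Constructed scenario: one deposit settles, one is initiated and never completes."""
    deposits = [Deposit("d1", "alice", 100), Deposit("d2", "mallory", 1_000_000)]
    vuln, hard = VulnerableLedger(), HardenedLedger()
    for dep in deposits:
        vuln.initiate_deposit(dep)
        hard.initiate_deposit(dep)
    hard.confirm_deposit(deposits[0])                # only d1 ever settles

    vuln.withdraw("mallory", 1_000_000)              # money that never arrived leaves
    vuln_flags = reconcile(vuln.spendable, vuln.withdrawn, deposits)

    try:
        hard.withdraw("mallory", 1_000_000)          # same attempt is refused
        hard_blocked = False
    except InsufficientSettledFunds:
        hard_blocked = True
    hard_flags = reconcile(hard.settled, hard.withdrawn, deposits)
    return vuln_flags, hard_blocked, hard_flags
```

Run `run_scenario()`: the vulnerable ledger lets the unsettled deposit be withdrawn and the reconciliation report shows the full amount as unbacked for that account, while the hardened ledger refuses the withdrawal and reconciles clean. The reconciliation step is the one to schedule independently of the trading path, since it catches the class of defect rather than one instance of it.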
“This individual discovered the bug in our funding system and exploited it to credit his account with $4 in cryptocurrency,” Percoco said. “This would have been enough to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program.”
“Instead, the ‘security researcher’ disclosed this bug to two other people they worked with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This came from Kraken’s treasuries, not from other customer assets.”
In a strange turn of events, when Kraken contacted them to share the proof-of-concept (PoC) exploit used to create the on-chain asset and to arrange the return of the funds they had withdrawn, they instead demanded that the company contact its business development team and pay a set amount in order to release the assets.
“This is not white hat hacking, it is extortion,” Percoco said, urging affected parties to return the stolen funds.
The company’s name was not revealed, but Kraken said it is treating the security event as a criminal case and is coordinating with law enforcement on the matter.
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in,” Percoco noted. “Ignoring these rules and extorting money from the company revokes your ‘license to hack’. It makes you and your company criminals.”
CertiK responds
Blockchain security firm CertiK has come forward as the entity behind the Kraken breach, claiming to have detected several critical flaws that made it possible to mint (i.e., fabricate) cryptocurrency in any account, which could then be withdrawn and converted into valid crypto assets.
“Millions [of] cryptocurrency dollars were minted [out of thin] air, and no actual Kraken users were directly involved in our research activities,” the company wrote on X, defending its actions.
“For several days, with many fabricated tokens generated and withdrawn into valid cryptocurrencies, no risk control or prevention mechanism was activated until it was reported by CertiK. The real question should be why Kraken’s in-depth defense failed to detect so many test transactions. Continuous large withdrawals from several test accounts were part of our tests.”
CertiK further alleged that “Kraken’s security operations team has THREATENED individual CertiK employees to refund an INCORRECT amount of cryptocurrency in an UNREASONABLE time frame even WITHOUT providing refund addresses.”
That said, some evidence has also emerged that a CertiK researcher may have begun investigating and testing as early as May 27, 2024, contradicting the company’s timeline of events.
The development comes as Kraken, in a blog post, accused the “third-party security research firm” of exploiting the flaw for profit before reporting it. The now-fixed security vulnerability “allowed some users, for a short period of time, to artificially increase the value of their Kraken account balance without fully completing a deposit.”
Funds returned to Kraken
On June 20, Kraken CSO Nick Percoco published an update stating that all funds had been returned to the company, minus a small amount lost to fees. The company later distributed the recovered $2.9 million to its users via a USDT airdrop.