Kraken, a major cryptocurrency exchange, recently disclosed a security breach and potential extortion attempt after a so-called bug bounty report turned into a demand for money. Chief Security Officer Nick Percoco summarized the events, stating that a flaw was exploited to artificially inflate account balances. The incident has led to an investigation involving law enforcement. He also emphasized the importance of adhering to ethical practices in security research.
Statement from the cryptocurrency exchange
As you can follow on cryptokoin.com, hacking and fraud incidents occur quite frequently in the crypto world. One of these was encountered by the cryptocurrency exchange Kraken. According to the exchange’s Chief Security Officer Nick Percoco, the exchange received a bug bounty program alert on June 9. The alert described an “extremely critical” bug that could allow an attacker to artificially inflate their balance on the platform. Percoco said the report was reviewed even though it lacked details. He stated that during this review they discovered an isolated flaw that allowed a malicious attacker to initiate a deposit to the platform and receive funds in their account without fully completing the deposit. Percoco noted that this was only possible under a particular set of circumstances.
The Security Officer underlined that no customer assets were at risk. However, he said the bug was caused by a recent UX change that credited customers’ accounts before their asset deposits were fully cleared, allowing a malicious attacker to effectively “print assets” in their Kraken accounts “for a period of time.”
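The design flaw described above, crediting a spendable balance before a deposit settles, as an added illustration that is not Kraken’s code and assumes nothing about its systems: a hypothetical ledger in its flawed and hardened forms, showing that only the flawed form lets an account withdraw funds from a deposit that never completes.

```python
from dataclasses import dataclass, field

@dataclass
class Ledger:
    """Hypothetical exchange ledger (constructed for illustration; amounts in cents)."""
    # Flawed mode credits the spendable balance when a deposit is initiated;
    # hardened mode keeps the amount pending until the deposit is confirmed.
    credit_on_initiate: bool
    available: int = 0
    pending: dict = field(default_factory=dict)

    def initiate_deposit(self, dep_id: str, amount: int) -> None:
        if self.credit_on_initiate:
            self.available += amount          # the flawed behaviour
        else:
            self.pending[dep_id] = amount     # visible to the user, not spendable

    def settle_deposit(self, dep_id: str) -> None:
        # Funds become spendable only once the deposit has fully cleared.
        if dep_id in self.pending:
            self.available += self.pending.pop(dep_id)

    def cancel_deposit(self, dep_id: str) -> None:
        # Deposit never completed: in the hardened ledger nothing was ever spendable.
        self.pending.pop(dep_id, None)

    def withdraw(self, amount: int) -> bool:
        if amount > self.available:
            return False
        self.available -= amount
        return True


def unfunded_withdrawal(credit_on_initiate: bool, amount: int = 10_000) -> int:
    """Initiate a deposit, never complete it, then try to withdraw.
    Returns how many cents left the ledger without ever being funded."""
    ledger = Ledger(credit_on_initiate)
    ledger.initiate_deposit("dep-1", amount)
    withdrew = ledger.withdraw(amount)
    ledger.cancel_deposit("dep-1")
    return amount if withdrew else 0
```

The check a reviewer would want is the second one: in the hardened ledger a withdrawal against a pending deposit fails, and succeeds only after settlement.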
Abuse took place before the bounty claim
According to Nick Percoco, the defect was fully corrected within a few hours. However, he said a subsequent investigation revealed that the bug had been exploited by three accounts over a period of a few days. Percoco said one of the accounts was KYCed to the person who discovered the bug and claimed to be a “security researcher.” The Security Officer said this person took advantage of the flaw and deposited $4 into their own account, which was enough to prove the bug, prepare a bug bounty report and claim a substantial reward.
However, Kraken’s CSO said that the researcher instead disclosed the bug to two other individuals with whom they worked. These individuals then withdrew much larger amounts from their Kraken accounts, a total of approximately $3 million. “This was from Kraken’s treasuries, not from other client assets,” Percoco explained.
“This is not white hat hacking, this is extortion!”
Nick Percoco said Kraken demanded a full accounting of the researchers’ activities and the return of the funds. The researchers allegedly refused to return any funds until Kraken estimated what the potential extent of the exploit would have been had they not disclosed the bug. “This is not white hat hacking, this is outright extortion!” Percoco said.
Percoco said the researchers accused the cryptocurrency exchange of being “unreasonable” and “unprofessional” in its demands. He also stated that Kraken will not disclose the name of the research firm involved. However, he added that Kraken would treat the matter as a criminal case because the terms of the bug bounty program were violated. In this context, Percoco made the following statement:
We will not disclose this research company because they do not deserve to be recognized for their actions. We are treating this as a criminal case and are cooperating with law enforcement accordingly.