Kraken Chief Security Officer Nick Percoco revealed that alleged security researchers exploited a zero-day flaw to steal $3 million worth of cryptocurrency. The researchers are refusing to return the stolen funds.
Percoco revealed that a security researcher reported an “extremely critical” bug to the exchange on June 9. The researcher did not disclose technical details about the issues, they only explained that the flaw allowed anyone to arbitrary increase the balances in a wallet.
“Everyday we receive fake bug bounty reports from people claiming to be “security researchers”. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross functional team to dig into this issue.” Percoco explained.
The kraken security team discovered “an isolated bug” that allowed an attacker, under specific circumstances, to initiate a deposit onto the platform and receive funds in their account without fully completing the deposit.
The company pointed out that the client’s assets are not at risk, however, an attacker could effectively print assets in their Kraken account for a while.
The security team addressed the vulnerability within an hour. The vulnerability derived from a recent change in the user interface that would promptly credit client accounts before their assets cleared allowing clients to effectively trade crypto markets in real time.
“This UX change was not thoroughly tested against this specific attack vector.” continues the
After patching the vulnerability, the experts discovered that three accounts exploited the vulnerability within a few days. One of these accounts was verified by an individual claiming to be a security researcher.
Percoco added that the researcher disclosed the bug to two other individuals who used it to withdraw $3 million in stolen funds from their Kraken accounts.
The company requested the researchers to return the stolen funds, but they refused.
“This is not white-hat hacking, it is extortion!” said Percoco, who added that his company notified law enforcement.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)