“Researchers” Exploit Kraken Exchange Bug and Steal $3 Million in Cryptocurrencies

Cryptocurrency exchange Kraken revealed today that alleged security researchers exploited a zero-day website bug to steal $3 million in cryptocurrency and then refused to return the funds.

The hack was disclosed by Kraken Chief Security Officer Nick Percoco, who said the exchange received a bug bounty report from an alleged security researcher about a bug that could artificially inflate balances in a Kraken wallet.

Kraken says it investigated the report and discovered a bug that allows attackers to initiate deposits and receive the funds, even if the deposit failed.

“Within minutes we discovered an isolated bug. This allowed an attacker, under the right circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing the deposit,” Percoco explained.

“To be clear, no customer’s assets were ever at risk. However, an attacker could actually print assets into their Kraken account over a period of time.”

Percoco says the Kraken security team fixed the issue within an hour and traced it to a recent user interface change that let customers deposit funds and use them before the deposit had cleared.
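The flaw class Percoco describes is a ledger that credits a spendable balance when a deposit is initiated rather than when it settles. The following toy ledger is an added illustration and is not Kraken's code; it assumes a deposit moves from "initiated" to either "confirmed" or "failed", and that withdrawals draw from an "available" balance. The vulnerable version credits "available" on initiation, so a deposit that later fails still leaves withdrawable funds; the hardened version keeps a separate "pending" balance and only moves funds to "available" on confirmation.

```python
"""Toy deposit ledger: credit-on-initiation (bug) vs credit-on-confirmation (fix).

Added example, not Kraken's implementation. Account names, deposit IDs and
amounts below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


class InsufficientFunds(Exception):
    """Raised when a withdrawal exceeds the spendable balance."""


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int                 # smallest unit (e.g. satoshi), never floats
    status: str = "initiated"   # initiated -> confirmed | failed


@dataclass
class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is initiated."""
    available: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)

    def initiate_deposit(self, dep: Deposit) -> None:
        self.deposits[dep.deposit_id] = dep
        # BUG: funds become spendable before the deposit has cleared.
        self.available[dep.account] = self.available.get(dep.account, 0) + dep.amount

    def fail_deposit(self, deposit_id: str) -> None:
        # The deposit never settled, but nothing reverses the earlier credit.
        self.deposits[deposit_id].status = "failed"

    def withdraw(self, account: str, amount: int) -> None:
        if self.available.get(account, 0) < amount:
            raise InsufficientFunds(account)
        self.available[account] -= amount


@dataclass
class HardenedLedger:
    """Keeps pending and available balances apart; only confirmed funds are spendable."""
    pending: dict = field(default_factory=dict)
    available: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)

    def initiate_deposit(self, dep: Deposit) -> None:
        self.deposits[dep.deposit_id] = dep
        # Only the pending balance grows; withdraw() never looks at it.
        self.pending[dep.account] = self.pending.get(dep.account, 0) + dep.amount

    def _settle(self, deposit_id: str, new_status: str) -> Deposit:
        dep = self.deposits[deposit_id]
        if dep.status != "initiated":
            # State transition is one-way: a deposit cannot be confirmed twice
            # (which would double-credit) or confirmed after failing.
            raise ValueError(f"deposit {deposit_id} already {dep.status}")
        dep.status = new_status
        self.pending[dep.account] -= dep.amount
        return dep

    def confirm_deposit(self, deposit_id: str) -> None:
        dep = self._settle(deposit_id, "confirmed")
        self.available[dep.account] = self.available.get(dep.account, 0) + dep.amount

    def fail_deposit(self, deposit_id: str) -> None:
        self._settle(deposit_id, "failed")   # available balance is untouched

    def withdraw(self, account: str, amount: int) -> None:
        if self.available.get(account, 0) < amount:
            raise InsufficientFunds(account)
        self.available[account] -= amount


def exploit_attempt(ledger) -> bool:
    """Initiate a deposit that never settles, then try to withdraw the amount.

    Returns True if the withdrawal succeeds, i.e. the ledger let the
    attacker spend money that was never actually deposited.
    """
    ledger.initiate_deposit(Deposit("dep-1", "attacker", 100_000))
    ledger.fail_deposit("dep-1")
    try:
        ledger.withdraw("attacker", 100_000)
        return True
    except InsufficientFunds:
        return False


if __name__ == "__main__":
    print("vulnerable ledger printed money:", exploit_attempt(VulnerableLedger()))
    print("hardened ledger printed money:", exploit_attempt(HardenedLedger()))
```

The separation of pending and available balances is the usual control here; the one-way state transition in `_settle` additionally blocks the related double-credit case where a confirmation callback is replayed.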

This is where things take a strange turn.

After fixing the bug, the team discovered that three accounts had already exploited it as a zero-day to steal $3 million from the exchange’s coffers.

One account was linked to a person claiming to be a researcher, who used it to deposit $4 worth of cryptocurrency into their account to demonstrate the bug.

However, Percoco says the bug was disclosed to two other people associated with the researcher, who used it to withdraw close to $3 million in stolen funds from their Kraken accounts.

After contacting the researcher about this discovery, Percoco says the researchers refused to return the cryptocurrency or share any details of the vulnerability, as would be expected in a bug disclosure.

“Instead, they requested a call to their business development team (i.e. their sales reps) and did not agree to return any funds until we provided an assumed dollar amount that this bug might cause if they didn’t disclose it,” Percoco said.

“This isn’t white-hat hacking, it’s extortion!”

Percoco says Kraken is not revealing the researchers’ identities because they “do not deserve recognition for their actions.”

Kraken says it is now treating the incident as a criminal case and has notified law enforcement.

BleepingComputer has reached out to Kraken for more information and will update the story if we receive a response.

Source
