Kraken Alleges Extortion After $3 Million Stolen Through Vulnerability; CertiK Says It Faces Threats from Kraken

Leading US-based cryptocurrency exchange Kraken recently disclosed a major security vulnerability that was exploited to steal at least $3 million worth of digital assets. However, Kraken emphasized that user funds were not compromised.

Kraken announced that a research team discovered a major security vulnerability in the exchange and used it to take $3 million worth of digital assets. The vulnerability was first discovered on June 9 by an anonymous individual claiming to be a “security researcher,” who then informed Kraken.

However, Kraken’s Chief Security Officer, Nick Percoco, stated that two accounts associated with the researcher exploited the vulnerability and withdrew over $3 million in digital assets. Percoco said, “They requested a call with our business team and refused to return any funds until we provided an estimate of the potential losses caused by the vulnerability. This is not white-hat hacker behavior, it’s extortion!”

Kraken emphasized that the stolen cryptocurrencies were taken from its own funds and user funds were not compromised.

In this incident, one of the three Kraken accounts involved with the vulnerability had passed the KYC verification process. The account owner claimed to be a security researcher, although their identity has not been disclosed. This researcher initially demonstrated the vulnerability by making a $4 cryptocurrency transfer, which was sufficient to earn them a “substantial reward” from Kraken’s bug bounty program.

However, this researcher then informed the other two accounts about the vulnerability, and these two accounts improperly withdrew nearly $3 million. Nick Percoco, Kraken’s Chief Security Officer, stated, “For transparency, we are disclosing this vulnerability to the industry today. We asked these ‘white-hat hackers’ to return what they stole from us and were accused of being unreasonable and unprofessional. Unbelievable.”

Security firm CertiK appears to be the central figure in this dispute and has accused Kraken of threatening them.

CertiK stated that the investigation began with a significant discovery regarding Kraken’s deposit system. CertiK’s team found that the system failed to distinguish between internal transfer statuses, which led to a comprehensive examination centered around three key questions:
– Can a malicious actor forge a deposit transaction to a Kraken account?
– Can a malicious actor withdraw forged funds?
– What risk controls and asset protection measures can be triggered by large withdrawal requests?

The investigation results were shocking. CertiK found that millions of dollars could be fraudulently deposited into any Kraken account. More concerning was that over $1 million worth of forged cryptocurrencies could be withdrawn from the account and converted into legitimate digital assets without triggering any alarms. Kraken took action and locked the test accounts only several days after CertiK formally reported the incident.
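The status-handling flaw CertiK describes, modelled as an added illustration (not Kraken’s code; the page gives no implementation detail): a toy ledger that credits spendable balance on the first transfer notification regardless of its status, beside a hardened version that credits only once a transfer is CONFIRMED. Transfer ids, account names and amounts are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    PENDING = "pending"      # initiated, not yet final
    CONFIRMED = "confirmed"  # settled and irreversible
    FAILED = "failed"        # cancelled, reversed or never settled

@dataclass
class Transfer:
    transfer_id: str
    account: str
    amount: int  # smallest unit of the asset

@dataclass
class Ledger:
    strict: bool  # False reproduces the status-blind crediting flaw
    spendable: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)

    def _credit(self, t: Transfer) -> None:
        if t.transfer_id in self.credited:
            return  # idempotent: never credit the same transfer twice
        self.credited.add(t.transfer_id)
        self.spendable[t.account] = self.spendable.get(t.account, 0) + t.amount

    def on_status(self, t: Transfer, status: Status) -> None:
        """Handle a status notification for an internal transfer."""
        if not self.strict:
            # Flawed: the first notification of any status credits the
            # account; later FAILED/CONFIRMED updates are not distinguished.
            self._credit(t)
        elif status is Status.CONFIRMED:
            # Hardened: only a final, settled transfer becomes spendable.
            self._credit(t)

    def withdraw(self, account: str, amount: int) -> bool:
        """Allow a withdrawal only against settled, spendable balance."""
        if self.spendable.get(account, 0) < amount:
            return False
        self.spendable[account] -= amount
        return True

def simulate(strict: bool, outcome: Status) -> bool:
    """Constructed scenario: a PENDING deposit reaches `outcome`, then a withdrawal is tried."""
    ledger = Ledger(strict=strict)
    t = Transfer("tx-0001", "acct-a", 1_000_000)  # hypothetical id and account
    ledger.on_status(t, Status.PENDING)
    ledger.on_status(t, outcome)
    return ledger.withdraw("acct-a", 900_000)
```

In the flawed ledger a deposit that never settles still leaves a withdrawable balance; a detection control that reconciles spendable balance against CONFIRMED transfers would flag the gap.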

Following CertiK’s report, Kraken’s security team classified the issue as “critical,” the highest severity level. While the initial dialogue in identifying and fixing the vulnerability seemed successful, the situation quickly deteriorated. Kraken’s security operations team threatened individual CertiK employees, demanding the return of an incorrect quantity of cryptocurrencies within an unreasonable timeframe and failing to provide any repayment address.

CertiK urged Kraken to cease the intimidation of white-hat hackers and emphasized the importance of collaboration in addressing security risks and protecting the future of decentralized finance.
