Kraken Says "White Hat Hackers" Exploited a Vulnerability and Extorted It, Stealing 3 Million Euros; CertiK Says It Faces Threats From Kraken
The well-known American cryptocurrency exchange Kraken recently experienced a major security vulnerability, resulting in the theft of at least $3 million worth of digital assets. However, Kraken emphasizes that user funds were not compromised.
Contents:
Research team holds $3 million in Kraken assets
Vulnerability exploited, $3 million funds stolen
User funds not compromised
Kraken’s response: This is not white-hat hacking
Security team Certik counterattacks: Threatened by Kraken
Major security vulnerability at Kraken
Forgery of transactions and unauthorized withdrawals
Kraken’s response and subsequent actions
Kraken has announced that a research team discovered a major security vulnerability in the exchange and used it to obtain $3 million worth of digital assets. The vulnerability was first reported on June 9th by an anonymous self-proclaimed "security researcher" who notified Kraken.
However, Kraken’s Chief Security Officer, Nick Percoco, stated that two accounts associated with this researcher exploited the vulnerability and withdrew over $3 million worth of digital assets. Percoco stated:
“They requested a call with our business team and refused to return any funds until we provided an estimate of the potential losses caused by the vulnerability. This is not white-hat hacking; this is extortion!”
Kraken emphasizes that the stolen cryptocurrencies were taken from Kraken’s own funds and that user funds were not compromised.
In this incident, one of the three Kraken accounts related to the vulnerability had passed KYC verification, and the account owner claimed to be a security researcher, although their identity has not been disclosed. This researcher initially demonstrated the vulnerability through a $4 cryptocurrency transfer, which was enough for them to receive a “substantial reward” from Kraken’s bug bounty program.
However, this researcher informed the other two accounts about the vulnerability, and these accounts inappropriately withdrew nearly $3 million. Kraken’s Chief Security Officer, Nick Percoco, stated:
“For transparency, we are disclosing this vulnerability to the industry today. We asked these ‘white-hat hackers’ to return what they stole from us and were accused of being unreasonable and unprofessional. Unbelievable.”
The security team CertiK appears to be at the center of this dispute and claims to have been threatened by Kraken.
CertiK states that the investigation began with a significant finding in Kraken's deposit system: its team discovered that the system was unable to differentiate between different internal transfer states. This prompted a comprehensive examination of three key questions:
Can malicious actors forge a deposit transaction to a Kraken account?
Can malicious actors withdraw forged funds?
What risk control and asset protection measures can be triggered by large withdrawal requests?
The investigation results were shocking. It was found that millions of dollars could be deposited fraudulently into any Kraken account. More concerning was the fact that over $1 million worth of forged cryptocurrencies could be withdrawn from the account and converted into legitimate cryptocurrencies. No alarms were triggered during multiple days of testing. Kraken only took action and locked the test accounts several days after CertiK formally reported the incident.
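The failure CertiK describes is a deposit pipeline that credits spendable balance before a transfer has actually settled. The following is an added illustration (not Kraken's or CertiK's code) of a toy ledger with that weakness next to a hardened version that tracks each transfer's state by id, counts only settled deposits as spendable, and holds large withdrawals for review; the state names, the `DepositEvent` shape and the review threshold are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class TxState(Enum):
    INITIATED = "initiated"   # transfer recorded, nothing has settled yet
    SETTLED = "settled"       # funds confirmed as received

@dataclass(frozen=True)
class DepositEvent:
    tx_id: str
    account: str
    amount: int               # smallest currency unit
    state: TxState

class WeakLedger:
    """Illustrates the flaw: every deposit event credits spendable balance, so an INITIATED transfer that never settles is treated as real money."""
    def __init__(self):
        self.balance = {}
    def on_deposit(self, ev):
        self.balance[ev.account] = self.balance.get(ev.account, 0) + ev.amount
    def withdraw(self, account, amount):
        if self.balance.get(account, 0) < amount:
            return "rejected"
        self.balance[account] -= amount
        return "approved"

class HardenedLedger:
    """Tracks each transfer by tx_id, counts only SETTLED deposits as spendable, and holds large withdrawals for review (constructed threshold)."""
    REVIEW_THRESHOLD = 100_000
    def __init__(self):
        self.deposits = {}    # tx_id -> latest DepositEvent for that transfer
        self.spent = {}
        self.alerts = []
    def on_deposit(self, ev):
        prev = self.deposits.get(ev.tx_id)
        # a settled transfer must never regress to a pre-settlement state
        if prev and prev.state is TxState.SETTLED and ev.state is not TxState.SETTLED:
            raise ValueError(f"{ev.tx_id}: settled deposit cannot change state")
        self.deposits[ev.tx_id] = ev
    def available(self, account):
        settled = sum(d.amount for d in self.deposits.values()
                      if d.account == account and d.state is TxState.SETTLED)
        return settled - self.spent.get(account, 0)
    def withdraw(self, account, amount):
        if self.available(account) < amount:
            return "rejected"
        if amount >= self.REVIEW_THRESHOLD:
            self.alerts.append((account, amount))   # surface for manual review
            return "held_for_review"
        self.spent[account] = self.spent.get(account, 0) + amount
        return "approved"
```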
Upon receiving CertiK’s report, Kraken’s security team classified the issue as “critical,” the highest severity level. Although the initial discussions regarding identifying and fixing the vulnerability appeared to be successful, the situation quickly deteriorated. Kraken’s security operations team threatened individual employees of CertiK, demanding the return of an incorrect amount of cryptocurrencies within an unreasonable timeframe and without providing any repayment address.
CertiK urges Kraken to stop its intimidation tactics against white-hat hackers and emphasizes the importance of cooperation in addressing security risks and safeguarding the future of decentralized finance.