Cryptocurrency exchange Kraken has recently been in the spotlight after what it describes as an extortion attempt by security researchers who had found a significant vulnerability in its platform. The researchers, who remain unnamed, identified a critical flaw on June 9 and reported it to Kraken through its bug bounty program.
Upon investigation, Kraken's Chief Security Officer, Nick Percoco, revealed that the vulnerability allowed an attacker, under specific circumstances, to initiate a deposit on the platform and have the funds credited to their account without the deposit ever completing. Client assets were never at risk, because the credited value came from Kraken's own funds rather than from other users' balances, but a malicious actor could use the flaw to inflate their account balance artificially and then withdraw against it.
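The class of bug described above, crediting a withdrawable balance when a deposit is initiated rather than when it settles, is easy to model. The following is an added illustration written for this page; it is hypothetical code and not Kraken's implementation, and the account names, deposit identifiers and amounts are constructed. The same ledger is run in a vulnerable mode (credit on initiation) and a fixed mode (credit only on confirmation, with pending value tracked separately) against a deposit that the attacker starts, withdraws against, and never completes.

```python
"""Credit-before-settlement deposit bug, modelled in miniature.

Hypothetical model for illustration, not Kraken's code. A deposit moves
PENDING -> CONFIRMED or PENDING -> FAILED. The vulnerable ledger credits
the withdrawable balance as soon as the deposit is initiated; the fixed
ledger holds the value as pending and credits it only on confirmation.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: Decimal
    state: DepositState = DepositState.PENDING


@dataclass
class Ledger:
    credit_on_initiate: bool  # True models the vulnerable behaviour
    available: dict = field(default_factory=dict)  # withdrawable balance
    pending: dict = field(default_factory=dict)    # initiated, not settled
    deposits: dict = field(default_factory=dict)

    def initiate_deposit(self, deposit_id, account, amount):
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")  # replay guard
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        if self.credit_on_initiate:
            # Vulnerable: withdrawable balance rises before settlement.
            self.available[account] = self.available.get(account, Decimal(0)) + amount
        else:
            # Fixed: value is visible as pending but not withdrawable.
            self.pending[account] = self.pending.get(account, Decimal(0)) + amount
        return dep

    def settle_deposit(self, deposit_id, confirmed):
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.PENDING:
            raise ValueError("deposit already settled")  # idempotency guard
        dep.state = DepositState.CONFIRMED if confirmed else DepositState.FAILED
        if self.credit_on_initiate:
            if not confirmed:
                # Claw-back after the fact; goes negative if already withdrawn.
                self.available[dep.account] -= dep.amount
        else:
            self.pending[dep.account] -= dep.amount
            if confirmed:
                self.available[dep.account] = (
                    self.available.get(dep.account, Decimal(0)) + dep.amount
                )
        return dep.state

    def withdraw(self, account, amount):
        amount = Decimal(amount)
        balance = self.available.get(account, Decimal(0))
        if amount <= 0 or amount > balance:
            return False
        self.available[account] = balance - amount
        return True


def attacker_scenario(credit_on_initiate):
    """Initiate a deposit, withdraw against it, then let the deposit fail.

    Returns (withdrawal succeeded?, attacker's final available balance).
    """
    ledger = Ledger(credit_on_initiate)
    ledger.initiate_deposit("dep-1", "attacker", "1000")
    withdrew = ledger.withdraw("attacker", "1000")
    ledger.settle_deposit("dep-1", confirmed=False)
    return withdrew, ledger.available.get("attacker", Decimal(0))


def honest_scenario():
    """Fixed ledger: a deposit that actually confirms becomes withdrawable."""
    ledger = Ledger(credit_on_initiate=False)
    ledger.initiate_deposit("dep-2", "alice", "250")
    blocked_early = ledger.withdraw("alice", "250")  # False: still pending
    ledger.settle_deposit("dep-2", confirmed=True)
    return blocked_early, ledger.withdraw("alice", "250")


if __name__ == "__main__":
    print("vulnerable:", attacker_scenario(True))   # withdrawal succeeds, balance -1000
    print("fixed:     ", attacker_scenario(False))  # withdrawal refused, balance 0
    print("honest:    ", honest_scenario())         # (False, True)
```

The vulnerable run ends with the exchange holding a negative balance for the attacker, which is exactly the position an exchange is in once the funds have been withdrawn on-chain. The fix is not the claw-back but the separation of pending from available value, plus the duplicate-id and double-settlement guards, so that nothing becomes withdrawable before the settlement event the ledger trusts.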
Kraken patched the vulnerability within two hours of being notified. During the investigation, however, it found that three accounts had already exploited the flaw and withdrawn nearly $3 million from the exchange's own treasury. When Kraken asked the researchers for a full account of their activity and for the return of the withdrawn funds, they refused and instead demanded a call with Kraken's business development team.
Percoco condemned the researchers' actions, saying that refusing to return the funds until Kraken named a speculated dollar figure for the losses the bug could have caused was extortion, not white-hat hacking. He emphasized that bug bounty programs come with clear rules, such as exploiting a bug no further than is needed to prove it, providing a proof of concept and returning any extracted assets immediately, and that departing from those rules to pressure a company for money is criminal behavior.
Kraken is now working with law enforcement on the matter. The incident is a reminder that a bounty program's rules define the line between research and theft: withdrawing real funds beyond a proof of concept, or conditioning their return on a payout, falls on the wrong side of it. The exchange says it remains committed to strengthening its security measures to protect users and prevent a repeat of this kind of incident.