Kraken, a major cryptocurrency exchange, has been extorted by a security research team after they exploited a bug in the platform to withdraw nearly $3 million. The incident highlights the growing issue of malicious actors using bug bounty programs to extort companies rather than following ethical hacking practices.
The Bug Bounty Program Alert
On June 9, Kraken received a bug bounty program alert from a security researcher about a critical vulnerability in their funding system. The researcher claimed to have found a bug that allowed users to artificially inflate their balance on the platform without fully completing a deposit. Kraken's Chief Security Officer, Nick Percoco, confirmed that the company identified the issue within minutes of receiving the alert and patched it within an hour.
The Extortion
However, further investigation revealed that the security researcher had not acted alone. They had disclosed the bug to two other individuals, who then fraudulently generated much larger sums and withdrew nearly $3 million from Kraken's treasuries. The security researcher refused to return the funds and instead demanded that Kraken pay a sum based on a speculative estimate of the losses the bug could have caused had they not disclosed it. This is extortion, not white-hat hacking.
Certik's Involvement
Certik, a blockchain code editor, has also been involved in the incident. Certik claimed to have found several vulnerabilities in Kraken's platform, including the one exploited by the security researchers. Certik's account of the events, however, is that Kraken's security operations team threatened them, demanding repayment of a mismatched amount of crypto within an unreasonable time frame and without providing repayment addresses. This has led to accusations that Certik acted in bad faith.
The Incident's Significance
The incident highlights the importance of ethical hacking practices and the need for companies to be vigilant in running their bug bounty programs. It also underscores the growing problem of malicious actors using bug bounty programs as leverage for extortion rather than following responsible disclosure. It serves as a reminder that companies must be prepared to handle incidents of this kind and to work with law enforcement agencies to recover stolen assets.
Conclusion
Kraken's experience with this extortion attempt shows that companies need to be cautious in their bug bounty programs, confirm that the researchers they engage with are acting ethically, and be prepared to respond when a disclosure turns into an extortion attempt.