The cryptocurrency exchange Kraken has revealed that it continues to hold $3 million worth of crypto assets seized by a research team due to a recently discovered bug. An unidentified individual, who identifies as a security researcher, found a critical security flaw and alerted the crypto exchange on June 9.
What is Happening at Kraken?
According to Kraken’s Chief Security Officer Nick Percoco, two accounts associated with the security researcher exploited this flaw to withdraw over $3 million in crypto assets. In a June 19 X post, Percoco wrote that after the million-dollar withdrawal, the security researcher demanded a reward for the stolen funds. Percoco stated:
“Instead, they requested a meeting with our business development teams and refused to return any funds until we provided the estimated dollar amount of the damage this bug could have caused if they had not disclosed it. This is not white-hat hacking.”
The crypto assets in question were stolen directly from Kraken’s treasury, and the exchange claimed that no user funds were compromised.
Crypto Space and Security Issues
One of the three Kraken accounts involved in the attack had previously completed Know Your Customer (KYC) verification, claiming to be a security researcher, but the individual’s identity was not disclosed. The person who discovered the bug initially demonstrated the flaw with a crypto transfer worth $4, which could have been enough to prove the bug and benefit from Kraken’s reward program.
However, the hacker disclosed the bug to two other accounts, which fraudulently withdrew approximately $3 million from Kraken accounts. According to Percoco from Kraken, these actions are not ethical hacker behavior but rather extortion:
“In the spirit of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for demanding that the white-hat hackers return what they stole from us.”
Crypto hackers and exploiters may be poised for a more successful year in 2024 compared to 2023. According to Merkle Science’s 2024 Crypto HackHub Report, the hacked funds lost due to security vulnerabilities in smart contracts fell by 92% in 2023, down to $179 million from the $2.6 billion loss in 2022. More than 55% of the crypto assets hacked in 2023 were lost due to private key leaks. The cryptocurrency industry has faced 785 reported hack attacks over the past 13 years, resulting in approximately $19 billion in losses.