Kraken claims it is being ‘extorted’ as white hat hacker demands reward after $3M theft

Share this article

US-based crypto exchange Kraken has disclosed that it is being “extorted” by a self-proclaimed security researcher who exploited a critical bug from their platform to steal $3 million worth of digital assets. The researcher reported the bug on June 9 but used it to withdraw funds from Kraken’s treasury rather than safeguarding them.

Nick Percoco, Kraken’s Chief Security Officer, revealed that the researcher, along with two associated accounts, used the bug to withdraw over $3 million. Following the exploit, the researcher demanded a speculative reward for the stolen funds before agreeing to return them. Percoco stated in a June 19 X post that this behavior is not white-hat hacking but extortion.

One of the accounts involved had completed Know Your Customer (KYC) verification, yet the identity of the researcher remains undisclosed. The individual initially demonstrated the bug with a $4 crypto transfer, which would have sufficed to earn a substantial reward through Kraken’s bounty program. However, the researcher shared the bug with two other accounts, leading to the significant theft.

In light of these events, Kraken emphasized that the stolen cryptocurrency came from its treasury, ensuring that no user funds were endangered. Percoco reiterated the unethical nature of the actions, stressing that Kraken is being unfairly criticized for requesting the return of the stolen assets.

In response to Kraken’s allegations, CertiK disclosed on X that its security researchers were behind the hack. CertiK further said that it informed Kraken of the vulnerability upon discovery. Kraken promptly classified it as a critical level issue and tried to fix it. The security firm later alleged Kraken of threatening their employees to repay a “mismatched” amount of crypto without providing repayment addresses.

Crypto Briefing reached out to CertiK for an official statement. The crypto security firm said that they made it clear during its whitehat operation that “millions of dollars of cryptocurrency were minted from air, and no real Kraken user’s assets were directly involved” throughout its execution of the research activities.

“Despite Kraken acknowledging this as the highest level of risk, they continued to delay their response. The verbal consensus reached during our meeting was not confirmed afterward. Ultimately, they publicly accused us of theft and even directly threatened our employees, which is completely unacceptable,” CertiK said in the statement shared with Crypto Briefing.

At the time of updating this article, CertiK has added several details to their communications with Kraken.

The incident highlights the growing threat of crypto hacks and exploits, although it should be noted that not all executions are made with the same financial intent. Data from a report by Merkle Science indicates that in the first quarter of 2024, hackers stole $542.7 million in digital assets, a 42% increase from the same period in 2023. Private key leaks, not smart contract vulnerabilities, were the leading cause. The same report finds that smart contract-related losses dropped significantly to $179 million in 2023 from $2.6 billion in 2022.

Update: This article has been updated to reflect the official statement from CertiK on the incident. Crypto Briefing has reached out to Kraken for comment. This story is still developing.

Share this article