Kraken claims it is being ‘extorted’ as white hat hacker demands reward after $3M theft
Share this article
US-based crypto exchange Kraken has disclosed that it is being “extorted” by a self-proclaimed security researcher who exploited a critical bug from their platform to steal $3 million worth of digital assets. The researcher reported the bug on June 9 but used it to withdraw funds from Kraken’s treasury rather than safeguarding them.
Nick Percoco, Kraken’s Chief Security Officer, revealed that the researcher, along with two associated accounts, used the bug to withdraw over $3 million. Following the exploit, the researcher demanded a speculative reward for the stolen funds before agreeing to return them. Percoco stated in a June 19 X post that this behavior is not white-hat hacking but extortion.
One of the accounts involved had completed Know Your Customer (KYC) verification, yet the identity of the researcher remains undisclosed. The individual initially demonstrated the bug with a $4 crypto transfer, which would have sufficed to earn a substantial reward through Kraken’s bounty program. However, the researcher shared the bug with two other accounts, leading to the significant theft.
In light of these events, Kraken emphasized that the stolen cryptocurrency came from its treasury, ensuring that no user funds were endangered. Percoco reiterated the unethical nature of the actions, stressing that Kraken is being unfairly criticized for requesting the return of the stolen assets.
In response to Kraken’s allegations, CertiK disclosed on X that its security researchers were behind the hack. CertiK further said that it informed Kraken of the vulnerability upon discovery. Kraken promptly classified it as a critical level issue and tried to fix it. The security firm later alleged Kraken of threatening their employees to repay a “mismatched” amount of crypto without providing repayment addresses.
Crypto Briefing reached out to CertiK for an official statement. The crypto security firm said that they made it clear during its whitehat operation that “millions of dollars of cryptocurrency were minted from air, and no real Kraken user’s assets were directly involved” throughout its execution of the research activities.
“Despite Kraken acknowledging this as the highest level of risk, they continued to delay their response. The verbal consensus reached during our meeting was not confirmed afterward. Ultimately, they publicly accused us of theft and even directly threatened our employees, which is completely unacceptable,” CertiK said in the statement shared with Crypto Briefing.
At the time of updating this article, CertiK has added several details to their communications with Kraken.
The incident highlights the growing threat of crypto hacks and exploits, although it should be noted that not all executions are made with the same financial intent. Data from a report by Merkle Science indicates that in the first quarter of 2024, hackers stole $542.7 million in digital assets, a 42% increase from the same period in 2023. Private key leaks, not smart contract vulnerabilities, were the leading cause. The same report finds that smart contract-related losses dropped significantly to $179 million in 2023 from $2.6 billion in 2022.
Update: This article has been updated to reflect the official statement from CertiK on the incident. Crypto Briefing has reached out to Kraken for comment. This story is still developing.
Share this article
The information on or accessed through this website is obtained from independent sources we believe to be accurate and reliable, but Decentral Media, Inc. makes no representation or warranty as to the timeliness, completeness, or accuracy of any information on or accessed through this website. Decentral Media, Inc. is not an investment advisor. We do not give personalized investment advice or other financial advice. The information on this website is subject to change without notice. Some or all of the information on this website may become outdated, or it may be or become incomplete or inaccurate. We may, but are not obligated to, update any outdated, incomplete, or inaccurate information.
Crypto Briefing may augment articles with AI-generated content created by Crypto Briefing’s own proprietary AI platform. We use AI as a tool to deliver fast, valuable and actionable information without losing the insight – and oversight – of experienced crypto natives. All AI augmented content is carefully reviewed, including for factural accuracy, by our editors and writers, and always draws from multiple primary and secondary sources when available to create our stories and articles.
You should never make an investment decision on an ICO, IEO, or other investment based on the information on this website, and you should never interpret or otherwise rely on any of the information on this website as investment advice. We strongly recommend that you consult a licensed investment advisor or other qualified financial professional if you are seeking investment advice on an ICO, IEO, or other investment. We do not accept compensation in any form for analyzing or reporting on any ICO, IEO, cryptocurrency, currency, tokenized sales, securities, or commodities.
See full terms and conditions.
Comments are closed, but trackbacks and pingbacks are open.