
Kraken Crypto Exchange – Zero-Day Flaw – $3 Million Stolen


TLDR:

  • Kraken Crypto Exchange was hit by a $3 million theft due to a zero-day flaw.
  • An unnamed security researcher exploited the flaw to steal digital assets and refused to return them.

On June 19, 2024, the crypto exchange Kraken experienced a security breach in which an unnamed security researcher exploited a zero-day flaw in the platform, resulting in the theft of $3 million in digital assets. Kraken's Chief Security Officer, Nick Percoco, shared details of the incident on social media, stating that the flaw allowed an attacker to artificially inflate their balance on the platform without fully completing a deposit. Kraken quickly addressed the issue, ensuring that no client assets were at risk, but the flaw still enabled the threat actor to print assets in their accounts.

Further investigation revealed that three accounts, including one belonging to the security researcher, had exploited the flaw and siphoned $3 million from Kraken’s treasury. The security researcher disclosed the bug to two other individuals, who fraudulently generated larger sums and withdrew the funds. When approached by Kraken to return the stolen funds, they demanded payment instead, leading Kraken to treat the incident as a criminal case and involve law enforcement agencies.

Blockchain security firm CertiK later claimed responsibility for the breach at Kraken, stating that it had detected critical flaws that allowed it to fabricate crypto on any account, which could then be withdrawn. Kraken accused CertiK of exploiting the flaw for financial gain before reporting it, leading to a dispute between the two parties. The incident highlights the importance of following bug bounty program rules and ethical hacking practices in the cybersecurity community.

Overall, the Kraken security breach serves as a cautionary tale about the risks of zero-day vulnerabilities in crypto exchanges and the importance of responsible disclosure and collaboration between security researchers and companies to prevent financial losses and protect user assets.
