Crypto Firm Kraken Calls the Cops After Researchers Attempt “Extortion”
Cryptocurrency exchange Kraken has said it is “coordinating with law enforcement” after security researchers allegedly attempted to extort the firm following their discovery of a vulnerability in its platform.
A researcher from the unnamed company filed a bug bounty report with Kraken on June 9 after finding an “extremely critical” vulnerability.
“Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit,” explained Kraken CSO, Nick Percoco.
“To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”
After patching within two hours of the notification, Kraken found that three individuals had exploited the flaw to artificially inflate their balances on the exchange. The first credited their account with just $4, presumably to test that the exploit worked. The other two, however, ended up withdrawing almost $3m from Kraken’s treasuries, said Percoco.
When Kraken got in touch to request – as is usual with bug bounty programs – “a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn,” the researchers refused.
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion,” argued Percoco.
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals.”