$3 Million Siphoned From Kraken’s Treasury

Security researchers who unveiled a vulnerability on Kraken ended up siphoning $3 million from the crypto exchange’s treasury.

Nick Percoco, the Chief Security Officer at Kraken revealed via a detailed thread on X that the exchange received a bug bounty alert from a security researcher who flagged an “extremely critical” bug.

As the Kraken team looked into the issue, they found an isolated bug. This meant that any malicious attacker could end up effectively printing assets in their Kraken account for some time.

In other words, a deposit could be initiated onto Kraken and the attacker could receive the underlying amount without fully completing the deposit.

The team ultimately resolved the issue, and according to Percoco, it “could not reoccur again.”

What went wrong then?

The team ultimately found that three accounts leveraged the flaw whereby client accounts were credited before their assets were indeed cleared. One of those accounts - that had adhered to KYC norms - claimed to be a security researcher.

This person found the bug in Kraken’s funding system and conducted a $4 transaction that was successful. Percoco pointed out that this would have been sufficient to prove the flaw, file a bug bounty report with the team, and collect a sizable reward under the terms of the exchange's program.

However, the self-proclaimed researcher did not do so. Two other individuals were roped in and they together worked to fraudulently siphon a much heftier $3 million sum.

The researcher did not bring this transaction to light in the initial bug bounty report submitted. When contacted by the Kraken team to return the funds, they bluntly refused.

Percoco said,

“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”

Kraken has decided not to unveil the details of the people involved in the hack. For the sake of transparency, this was made public. That being said, the exchange is treating this as a criminal case and the Kraken team is coordinating with law enforcement agencies.

In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.
— Nick Percoco (@c7five) June 19, 2024

The CertiK tangent

Via another parallel post on X, smart contract audit platform CertiK said that its team had detected the Kraken bug. They conducted a "multi-day testing" and revealed that the bug could be exploited to create millions of dollars worth of crypto, without triggering any alerts.

However, things went downhill when they got in touch with the Kraken team. CertiK’s post highlighted,

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

In another Q&A post, CertiK clarified that it had not refused to return the siphoned funds. In fact, it explicitly indicated that “all funds” that the firm held had been returned. However, the total amount differed from what Kraken commanded. The CertiK team initiated the return based on its records, and added,

“We returned: 734.19215 ETH, 29,001 USDT, 1021.1 XMR, while Kraken requested 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, 1089.794737 XMR.”

Q&A to recent CertiK-Kraken whitehat operations:

1. Did any real user lose fund？
No. Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.

2. Have we refused to return the funds?
No. In our communication with…
— CertiK (@CertiK) June 20, 2024