Kraken, a major crypto exchange, recently received an alarming Bug Bounty report by email. However, what seemed like a regular vulnerability report quickly turned into an extortion attempt involving $3 million. The exchange reassures that none of its users' assets were ever in danger, despite the reported bug being a serious one.
The Hunter Becomes the Prey
To investigate the bug report, Kraken’s Chief Security Officer Nick Percoco led the team that uncovered the $3 million exploit. The executive discussed the entire scenario on his X handle earlier today.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
The investigation team found the bug that let mischief-makers initiate a deposit on the exchange platform and receive funds in their accounts without the deposit ever completing.
The bug originated from a new User Experience (UX) update that credited user accounts before their deposited assets were fully settled, so that users could start trading immediately. Surprisingly, three accounts had taken advantage of the flaw within days of each other.
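The flaw described above is a settlement-ordering problem: funds became spendable when a deposit was initiated rather than when it confirmed. The following is an added illustration, not Kraken's code and not based on any knowledge of its systems. It models a minimal exchange ledger in two modes: the flawed one, where the available balance is credited on initiation, and the hardened one, where an initiated deposit sits in a separate pending balance until it is confirmed. It also includes the reconciliation check a defender would run over such a ledger: any account whose withdrawals exceed its settled deposits has moved money off the platform that never actually arrived. All account names, deposit ids and amounts are constructed sample values.

```python
"""Added example: pending vs. settled deposit accounting (not Kraken's code)."""
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # transfer started, not yet final
    CONFIRMED = "confirmed"   # transfer reached the required confirmations
    FAILED = "failed"         # transfer never finalised (reorg, abandoned, etc.)


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit (satoshi, cent); never a float
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    # True reproduces the flawed UX behaviour described in the article:
    # the account becomes spendable as soon as a deposit is *initiated*.
    credit_before_settlement: bool
    available: dict = field(default_factory=dict)     # spendable balance
    pending: dict = field(default_factory=dict)       # shown to the user, not spendable
    confirmed_in: dict = field(default_factory=dict)  # sum of settled deposits
    withdrawn: dict = field(default_factory=dict)     # sum of funds that left
    deposits: dict = field(default_factory=dict)

    def _add(self, book: dict, account: str, delta: int) -> None:
        book[account] = book.get(account, 0) + delta

    def initiate_deposit(self, deposit_id: str, account: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        if self.credit_before_settlement:
            self._add(self.available, account, amount)   # the bug: spendable now
        else:
            self._add(self.pending, account, amount)     # visible, not spendable

    def confirm_deposit(self, deposit_id: str) -> None:
        d = self.deposits[deposit_id]
        if d.state is not DepositState.INITIATED:
            raise ValueError(f"deposit {deposit_id} already {d.state.value}")
        d.state = DepositState.CONFIRMED
        self._add(self.confirmed_in, d.account, d.amount)
        if not self.credit_before_settlement:
            self._add(self.pending, d.account, -d.amount)
            self._add(self.available, d.account, d.amount)

    def fail_deposit(self, deposit_id: str) -> None:
        d = self.deposits[deposit_id]
        if d.state is not DepositState.INITIATED:
            raise ValueError(f"deposit {deposit_id} already {d.state.value}")
        d.state = DepositState.FAILED
        if self.credit_before_settlement:
            # Reversing a credit that may already be spent: balance can go negative.
            self._add(self.available, d.account, -d.amount)
        else:
            self._add(self.pending, d.account, -d.amount)   # nothing was spendable

    def withdraw(self, account: str, amount: int) -> None:
        if amount <= 0 or self.available.get(account, 0) < amount:
            raise ValueError("insufficient available balance")
        self._add(self.available, account, -amount)
        self._add(self.withdrawn, account, amount)

    def reconcile(self) -> list:
        """Accounts whose withdrawals exceed settled deposits: money left the
        platform that never actually arrived. Run regardless of credit policy."""
        accounts = set(self.withdrawn) | set(self.confirmed_in)
        return sorted(a for a in accounts
                      if self.withdrawn.get(a, 0) > self.confirmed_in.get(a, 0))


def run_vulnerable() -> dict:
    """Flawed policy: withdraw against a deposit that never completes."""
    lg = Ledger(credit_before_settlement=True)
    lg.initiate_deposit("dep-1", "acct-a", 400)   # constructed sample deposit
    lg.withdraw("acct-a", 400)                    # succeeds before settlement
    lg.fail_deposit("dep-1")                      # the deposit never lands
    return {"available": lg.available["acct-a"], "flagged": lg.reconcile()}


def run_hardened() -> dict:
    """Hardened policy: funds are spendable only after confirmation."""
    lg = Ledger(credit_before_settlement=False)
    lg.initiate_deposit("dep-2", "acct-b", 400)   # constructed sample deposit
    try:
        lg.withdraw("acct-b", 400)
        early_withdrawal = True
    except ValueError:
        early_withdrawal = False                  # rejected while pending
    lg.confirm_deposit("dep-2")
    lg.withdraw("acct-b", 400)                    # allowed once settled
    return {"early_withdrawal": early_withdrawal, "available": lg.available["acct-b"],
            "pending": lg.pending["acct-b"], "flagged": lg.reconcile()}


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("hardened:  ", run_hardened())
```

The point of keeping `pending` and `available` as separate books is that the UX goal (showing the user an incoming deposit right away) is met without making unsettled funds withdrawable, and `reconcile()` gives an independent invariant that would have flagged each of the three accounts in the article the moment withdrawals outran confirmed deposits.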
One account was linked to a person who professed to be a security researcher. This person used the bug to add $4 in crypto to his account to prove the flaw.
Instead of reporting the bug for a reward, the researcher shared it with two others who made millions from it. Percoco’s team contacted the researchers to verify details before rewarding them for finding the security flaw.
Things took a wrong turn when the researchers declined to provide a detailed report of their actions or to return the withdrawn funds. Kraken has decided to label this as “extortion” and is handling it as a criminal matter.
Extortion and Scams Surge In the Crypto World
This extortion attempt, along with various other cyber crimes and scams, is part of a rising trend within the crypto industry.
Last month, Binance CEO Richard Teng revealed that an anonymous actor in Nigeria had demanded a payment of $150 million for the release of a detained Binance employee. Although the payment was refused, the charges against the employee, Tigran Gambaryan, have since been dropped.
In another unfortunate event reported in May, the X account of celebrity Caitlyn Jenner was hacked to promote a crypto scam. According to a recent report from Crystal Blockchain, $19 billion has been lost to crypto hacks and illicit activities since 2011.
Disclaimer: The information provided in this article is for informational purposes only. It does not constitute investment, financial, trading, or any other sort of advice. You should not treat any of Crypto-Vanguard’s content as such. Crypto-Vanguard does not recommend that any cryptocurrency should be bought, sold, or held by you. Do your due diligence and consult your financial advisor before making any investment decisions.