Kraken, the world’s leading crypto trading platform, has recently admitted that it fell victim to an attack in which a zero-day vulnerability was successfully leveraged to steal crypto worth millions.
The exploit unveiled
On 9 June 2024, Kraken received an email from a bug bounty researcher alerting it to a serious vulnerability in its platform. As Kraken’s Chief Security Officer, Nick Percoco, explained, the flaw allowed an attacker to inflate the balance shown on the site to a level not backed by actual funds.
This critical vulnerability allowed an attacker to initiate a deposit and withdraw the money from their account before the deposit had actually completed.
Swift response, but not swift enough
Kraken responded to the alert and fixed the security problem within 47 minutes. The problem was traced to a recently introduced user interface change that allowed customers to make deposits and use the money before the deposits had been confirmed by the clearing house, if they ever were.
While Kraken stated that no client funds were lost during the incident, the bug made it possible for malicious actors to deposit and withdraw money that never existed.
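The deposit-crediting flaw described above, as an added illustration that is not Kraken’s own code: a toy ledger (constructed here) whose vulnerable mode credits the withdrawable balance the moment a deposit is initiated, while the hardened mode holds the amount as pending until the clearing house confirms it, so a failed deposit can never leave a negative balance behind.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    available: int = 0  # settled funds that may be withdrawn
    pending: int = 0    # announced deposits awaiting clearing-house confirmation
    deposits: dict = field(default_factory=dict)  # deposit_id -> [state, amount]


class Ledger:
    """Toy exchange ledger (hypothetical). credit_unconfirmed=True reproduces the
    flawed behaviour: a deposit is spendable as soon as it is initiated. The
    default (False) is the hardened form: funds are withdrawable only once confirmed."""

    def __init__(self, credit_unconfirmed: bool = False):
        self.credit_unconfirmed = credit_unconfirmed
        self.accounts: dict = {}

    def _acct(self, acct_id: str) -> Account:
        return self.accounts.setdefault(acct_id, Account())

    def initiate_deposit(self, acct_id: str, dep_id: str, amount: int) -> None:
        acct = self._acct(acct_id)
        if amount <= 0 or dep_id in acct.deposits:  # reject replays of a deposit id
            raise ValueError("invalid or duplicate deposit")
        acct.deposits[dep_id] = ["pending", amount]
        if self.credit_unconfirmed:
            acct.available += amount  # BUG: spendable before settlement
        else:
            acct.pending += amount

    def settle_deposit(self, acct_id: str, dep_id: str, confirmed: bool) -> None:
        acct = self._acct(acct_id)  # clearing house reports the final status
        state, amount = acct.deposits[dep_id]
        if state != "pending":
            raise ValueError("deposit already settled")
        acct.deposits[dep_id][0] = "confirmed" if confirmed else "failed"
        if self.credit_unconfirmed:
            if not confirmed:
                acct.available -= amount  # may go negative: funds already withdrawn
        else:
            acct.pending -= amount
            if confirmed:
                acct.available += amount

    def withdraw(self, acct_id: str, amount: int) -> bool:
        acct = self._acct(acct_id)
        if amount <= 0 or amount > acct.available:
            return False  # only settled funds ever leave the exchange
        acct.available -= amount
        return True
```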
In this case, three accounts attempted the same manoeuvre within a single week, between them trying to transfer $3 million out of the exchange. One of these accounts belonged to the security researcher who had reported the bug.
Percoco noted that the person who first identified the vulnerability deposited just $4 worth of crypto to demonstrate the issue, which would have been enough for a bug bounty report and the corresponding reward. Instead, however, the researcher shared the bug details with two other people, who together withdrew nearly $3 million from Kraken’s treasuries.
Ethical dilemma or extortion?
When Kraken approached the individuals, asking them to return the stolen funds and provide a proof-of-concept (PoC) exploit, the researchers demanded payment in exchange for returning the assets. Percoco condemned this behaviour as extortion, emphasizing that it violated the ethical principles of white-hat hacking.
Kraken is treating the incident as a criminal case and is coordinating with law enforcement agencies.