Cryptocurrency exchange Kraken has revealed that a security researcher remains in possession of about $3 million worth of digital assets it had appropriated in a recently discovered bug.
An anonymous self-proclaimed “security researcher” found a critical security bug and alerted the cryptocurrency exchange on June 9.
However, two accounts related to the security researcher have exploited the bug to withdraw over $3 million worth of digital assets, according to Nicholas Percoco, chief security officer of Kraken.
Following the multimillion-dollar withdrawal, the security researcher is demanding a reward for the stolen funds, Percoco wrote in a June 19 X post:
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”
The cryptocurrency was stolen directly from Kraken’s treasury. The exchange claims that no user funds were endangered.
Kraken will continue its bug bounty programs to assure the exchange’s security and is working with law enforcement to recover the stolen funds, a Kraken spokesperson told Cointelegraph:
“We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers.”
This Is Not White-Hat Hacking: Kraken
One of the three Kraken accounts related to the exploit has previously completed Know Your Customer (KYC) verification to an individual claiming to be a security researcher, but his identity remains undisclosed.
The individual who discovered a bug has initially proven the flaw with a crypto transfer worth $4, which would have been sufficient to prove the bug and collect “sizable rewards” from Karken’s bounty program.
However, the individual disclosed the bug to two other accounts that fraudulently siphoned nearly $3 million from their Kraken accounts.
These actions are akin to extortion, not ethical hacker behavior, according to Kraken’s Percoco:
“In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that ‘white hat hackers’ return what they stole from us. Unbelievable.”
Crypto Hacks In 2024 Could Outperform 2023
Crypto hackers and exploiters could be poised for a more successful year in 2024, compared to 2023.
In the first quarter of 2024, hackers stole digital assets valued at $542.7 million, a 42% increase compared to the same period in 2023. In an interesting turn of events, private key leaks were the leading cause of the growing exploits, not smart contract-related exploits.
Hacked funds lost to smart contract vulnerabilities fell 92% to $179 million in 2023, down from a staggering $2.6 billion in 2022, according to Merkle Science’s “2024 Crypto HackHub Report.”
Over 55% of the hacked digital assets were lost to private key leaks during 2023.
The cryptocurrency industry suffered 785 reported hacks and exploits, resulting in nearly $19 billion lost over the past 13 years.
