Cryptocurrency Safety Company CertiK and Exchange Kraken Engaged in Controversy Over Bug Bounty following $3 Million Heist
In a surprising turn of events, Kraken, one of the world's largest cryptocurrency exchanges, has fallen victim to a theft worth more than $3 million. The theft appears to be linked to social engineering or hacking attacks by unidentified attacker groups rather than to a firm.
According to Kraken's chief security officer, Nick Percoco, the theft occurred when three accounts took advantage of a vulnerability in Kraken's deposit system. This vulnerability, Percoco stated, stemmed from a recent UX change that credited client accounts in real time, before their deposited assets had cleared.
The bug allowed anyone to initiate a deposit to the Kraken platform and receive the funds without the underlying transaction ever completing. CertiK, a cybersecurity firm, was the first to identify this vulnerability, on June 5. Despite reporting the issue to Kraken, the researchers refused to return the funds and were accused of extortion by Percoco.
CertiK made two significant transactions related to this incident. On June 5, they deposited 200 Matic and withdrew 90,000 Matic two days later. On June 9, they made a larger deposit and withdrawal, claiming to have withdrawn an amount worth more than $1 million.
Kraken's response to the report was delayed, with the exchange only locking the test accounts days after CertiK officially reported the incident. However, Percoco claims that Kraken was able to triage the bug within an hour and 47 minutes, and completely fix the issue within a few hours.
The vulnerability also allowed for the creation and withdrawal of fabricated cryptocurrency. Percoco stated that instead of filing the report, the accounts generated larger sums fraudulently and withdrew nearly $3 million from Kraken's treasuries, not client assets.
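The flaw described above and in the paragraph on the deposit system is a credit-before-settlement bug: the spendable balance is updated when a deposit is merely announced, not when the chain has confirmed it. The following is an added illustration, not Kraken's or CertiK's code, using a hypothetical in-memory ledger with a constructed confirmation threshold; it places the flawed crediting logic beside a hardened version that keeps unsettled deposits in a separate pending bucket and discards them if the transaction never settles.

```python
from dataclasses import dataclass, field

# Hypothetical policy value for this example; not Kraken's actual setting.
CONFIRMATIONS_REQUIRED = 12


@dataclass
class Account:
    available: int = 0                           # spendable balance, in base units
    pending: dict = field(default_factory=dict)  # txid -> amount awaiting settlement


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is announced (the flawed UX change)."""
    def __init__(self):
        self.accounts = {}

    def deposit_seen(self, user, txid, amount):
        self.accounts.setdefault(user, Account()).available += amount

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        if acct.available < amount:
            return False
        acct.available -= amount
        return True


class HardenedLedger(VulnerableLedger):
    """Holds deposits as pending; funds become spendable only after on-chain confirmation."""
    def deposit_seen(self, user, txid, amount):
        self.accounts.setdefault(user, Account()).pending[txid] = amount

    def deposit_confirmed(self, user, txid, confirmations):
        acct = self.accounts[user]
        if confirmations >= CONFIRMATIONS_REQUIRED and txid in acct.pending:
            acct.available += acct.pending.pop(txid)

    def deposit_failed(self, user, txid):
        # Deposit dropped or never broadcast: discard the pending credit; available is untouched.
        self.accounts[user].pending.pop(txid, None)


def abandoned_deposit_scenario(ledger):
    """Announce a deposit, try to withdraw it, then let the deposit fail to settle."""
    ledger.deposit_seen("alice", "tx-constructed-1", 1000)  # constructed sample deposit
    withdrawn = ledger.withdraw("alice", 1000)
    if isinstance(ledger, HardenedLedger):
        ledger.deposit_failed("alice", "tx-constructed-1")
    return withdrawn
```

Running the scenario against both ledgers shows the difference: the vulnerable one pays out a deposit that never settled, while the hardened one refuses until the confirmation threshold is met.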
Three people connected with an undisclosed company refused to return the funds until Kraken made public the potential size of the exploit. CertiK claimed that Kraken's security operations team threatened individual CertiK employees, demanding repayment of mismatched crypto amounts without providing a reasonable time frame or repayment addresses.
As of now, there is no publicly known company behind the individuals who stole more than $3 million from Kraken's wallets. The investigation into the incident is ongoing, and Kraken has assured its users that their funds are safe and that the exchange is taking all necessary measures to prevent such incidents in the future.