Cryptocurrency Exchange Kraken Says Hackers Used Bug Bounty Program for ‘Extortion’ After $3 Million Exploit
Cryptocurrency exchange Kraken said “security researchers” who found a vulnerability on the platform turned to “extortion” after taking around $3 million from the exchange’s coffers.
Nick Percoco, chief security officer at Kraken, said in a post on social media platform X (formerly Twitter) that the company received a “bug bounty program” notice from a security researcher on June 9 about a vulnerability that allows users to artificially inflate their balance. The bug “allowed an attacker, under the right circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing the deposit,” Percoco added.
After receiving the report, Kraken quickly resolved the issue and user funds were not affected, Percoco noted.
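The bug class Percoco describes, crediting an account as soon as a deposit is initiated rather than once it has settled, and the reconciliation check a defender would run to catch it, as an added example that is not Kraken's code; the ledger, state names and sample amounts are constructed for illustration:

```python
"""Added example (not Kraken's code): credit a deposit only once it is confirmed,
and reconcile balances against confirmed deposits to detect over-crediting."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # request received, funds not yet confirmed
    CONFIRMED = "confirmed"   # funds verified as received
    FAILED = "failed"         # deposit never completed


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int             # smallest currency unit; sample values are constructed
    state: DepositState = DepositState.INITIATED
    credited: bool = False  # guards against crediting the same deposit twice


class Ledger:
    def __init__(self) -> None:
        self.balances: dict[str, int] = {}
        self.deposits: dict[str, Deposit] = {}

    def initiate(self, deposit_id: str, account: str, amount: int) -> Deposit:
        if amount <= 0:
            raise ValueError("deposit amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        return dep

    def settle(self, deposit_id: str, state: DepositState) -> None:
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already settled")
        dep.state = state
        if state is DepositState.CONFIRMED:
            self._credit(dep)

    def _credit(self, dep: Deposit) -> None:
        # Hardened path: credit exactly once, and only for a CONFIRMED deposit.
        if dep.credited or dep.state is not DepositState.CONFIRMED:
            return
        self.balances[dep.account] = self.balances.get(dep.account, 0) + dep.amount
        dep.credited = True

    def balance(self, account: str) -> int:
        return self.balances.get(account, 0)

    def reconcile(self) -> dict[str, int]:
        """Return accounts whose balance exceeds the sum of their confirmed deposits.

        A non-empty result is the signal a defender wants: funds were credited
        without a completed deposit behind them."""
        confirmed: dict[str, int] = {}
        for dep in self.deposits.values():
            if dep.state is DepositState.CONFIRMED:
                confirmed[dep.account] = confirmed.get(dep.account, 0) + dep.amount
        return {acct: bal - confirmed.get(acct, 0)
                for acct, bal in self.balances.items()
                if bal > confirmed.get(acct, 0)}


def credit_on_initiate(ledger: Ledger, deposit_id: str, account: str, amount: int) -> None:
    """Weak pattern shown for contrast: credits the account as soon as the deposit
    is initiated, before any confirmation. This is the behaviour the article describes."""
    ledger.initiate(deposit_id, account, amount)
    ledger.balances[account] = ledger.balances.get(account, 0) + amount


def demo() -> tuple[int, int, dict[str, int]]:
    ledger = Ledger()
    # Hardened flow: a pending deposit credits nothing; a confirmed one credits once.
    ledger.initiate("d1", "alice", 1_000)
    pending_balance = ledger.balance("alice")
    ledger.settle("d1", DepositState.CONFIRMED)
    ledger.initiate("d2", "alice", 500)
    ledger.settle("d2", DepositState.FAILED)        # never credited
    confirmed_balance = ledger.balance("alice")
    # Weak flow on another account: reconciliation flags the over-credit.
    credit_on_initiate(ledger, "d3", "bob", 250)
    return pending_balance, confirmed_balance, ledger.reconcile()


if __name__ == "__main__":
    print(demo())
```

The two properties that matter here are that nothing is credited until the deposit reaches a terminal CONFIRMED state, and that a periodic reconciliation of balances against confirmed deposits turns any crediting bug into an alert rather than a silent treasury loss.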
What happened next raised red flags for the Kraken team.
The security researcher, after finding the bug, allegedly disclosed it to two other people, who then “fraudulently” withdrew nearly $3 million from their Kraken accounts. “This came from Kraken’s treasuries, not from other client assets,” Percoco said.
The initial bug report did not mention the other two individuals’ transactions, and when Kraken asked for more details about their activities, they refused.
“Instead, they requested a call to their business development team (i.e. their sales reps) and did not agree to return any funds until we provided an assumed dollar amount that this bug could have caused if they had not revealed. This isn’t white-hacking, it’s extortion!” Percoco wrote.
Bug bounty programs, used by many companies to harden their security systems, invite third-party hackers, known as “white hats,” to find vulnerabilities so the company can fix them before a malicious actor exploits them. Kraken’s competitor, Coinbase, has a similar program to help alert the exchange to vulnerabilities.
To get paid, the Kraken program requires a third party to find the problem, exploit the minimum amount needed to demonstrate the bug, return the assets and provide details of the vulnerability, Kraken said in a blog post, adding that since the security researchers did not follow these rules, they will not receive the bounty.
“We engaged these researchers in good faith and, consistent with a decade of running a bug bounty program, offered a substantial reward for their efforts. We are disappointed by this experience and are now working with law enforcement to recover the data assets of these security researchers,” a Kraken spokesperson told CoinDesk.