Security Researcher Turns Malicious, Poses Challenge for Bug Bounty Programs
On June 19, 2024, Kraken's Chief Security Officer Nick Percoco disclosed a serious security incident, giving a detailed account of how a self-described security researcher exploited a critical bug in Kraken's deposit flow to withdraw nearly $3 million from the exchange's own treasuries.
Discovery and Response
The incident began on June 9, 2024, when Kraken received an alert through its Bug Bounty program. The email, from a self-described security researcher, claimed to have found an "extremely critical" bug that allowed them to artificially inflate their balance on the platform. Although Kraken receives fake reports like this regularly, the claim was taken seriously and a cross-functional team was assembled to investigate.
Within minutes, the team isolated a bug that allowed a malicious actor to initiate a deposit onto the platform and have the funds credited to their account without the deposit ever completing. No client assets were at risk, but an attacker could effectively print assets in their Kraken account for a period of time, and then move them out before the underlying deposit failed.
Kraken triaged the vulnerability as critical, mitigated it within 47 minutes and fully fixed it within a few hours. The flaw stemmed from a recent user experience (UX) change that credited client accounts before their deposits had cleared, so that clients could trade immediately. The change had not been adequately tested against this attack vector: crediting a withdrawable balance on an unconfirmed deposit means the reversal, when the deposit fails, can arrive only after the money has already left.
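To make the failure mode concrete, below is an added toy model of a deposit gateway; it is not Kraken's code and nothing about Kraken's actual implementation is known beyond the description above. The ledger, the split between a withdrawable "available" balance and a non-withdrawable "pending" balance, the account names and the reconciliation check are all assumptions made for illustration. Running the same scenario with the flag on reproduces the bug (withdrawal succeeds, deposit fails, exchange is left holding the loss); running it with the flag off shows one hardened design, and the reconciliation function shows the kind of post-incident check that surfaces accounts that withdrew more than they ever settled.

```python
"""Toy exchange ledger (hypothetical; not Kraken's code) showing the
credit-before-settlement bug beside a hardened variant, plus a
reconciliation check for finding exposure after the fact."""
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"   # initiated / seen on chain, not yet final
    SETTLED = "settled"   # required confirmations reached, funds are real
    FAILED = "failed"     # reverted, orphaned, or never confirmed


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int           # smallest unit of the asset, e.g. satoshis
    state: DepositState = DepositState.PENDING


@dataclass
class Account:
    name: str
    available: int = 0    # withdrawable balance
    pending: int = 0      # credited for display/trading only, not withdrawable


class Ledger:
    """credit_before_settlement=True models the vulnerable UX change."""

    def __init__(self, credit_before_settlement: bool) -> None:
        self.credit_before_settlement = credit_before_settlement
        self.accounts: dict[str, Account] = {}
        self.deposits: dict[str, Deposit] = {}
        self.withdrawals: list[tuple[str, int]] = []

    def account(self, name: str) -> Account:
        return self.accounts.setdefault(name, Account(name))

    def initiate_deposit(self, dep: Deposit) -> None:
        self.deposits[dep.deposit_id] = dep
        acct = self.account(dep.account)
        if self.credit_before_settlement:
            # BUG: unconfirmed funds go straight into the withdrawable balance.
            acct.available += dep.amount
        else:
            # Hardened: track the deposit, but keep it out of 'available'.
            acct.pending += dep.amount

    def settle_deposit(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        dep.state = DepositState.SETTLED
        if not self.credit_before_settlement:
            acct = self.account(dep.account)
            acct.pending -= dep.amount
            acct.available += dep.amount   # only now does it become withdrawable

    def fail_deposit(self, deposit_id: str) -> None:
        dep = self.deposits[deposit_id]
        dep.state = DepositState.FAILED
        acct = self.account(dep.account)
        if self.credit_before_settlement:
            # Reversal arrives too late: if the funds were already withdrawn,
            # the account just goes negative and the exchange eats the loss.
            acct.available -= dep.amount
        else:
            acct.pending -= dep.amount

    def withdraw(self, name: str, amount: int) -> bool:
        acct = self.account(name)
        if amount <= 0 or amount > acct.available:
            return False
        acct.available -= amount
        self.withdrawals.append((name, amount))
        return True


def reconcile(ledger: Ledger) -> dict[str, int]:
    """Post-incident check: accounts that withdrew more than they ever settled.
    Returns {account: unbacked_amount}; an empty dict means no exposure."""
    settled: dict[str, int] = {}
    for dep in ledger.deposits.values():
        if dep.state is DepositState.SETTLED:
            settled[dep.account] = settled.get(dep.account, 0) + dep.amount
    withdrawn: dict[str, int] = {}
    for name, amount in ledger.withdrawals:
        withdrawn[name] = withdrawn.get(name, 0) + amount
    return {n: w - settled.get(n, 0) for n, w in withdrawn.items()
            if w > settled.get(n, 0)}


def run_scenario(credit_before_settlement: bool):
    """Constructed scenario: an honest deposit that settles, and an attacker's
    deposit that is withdrawn against before it fails. Returns
    (honest_withdrawal_ok, attack_withdrawal_ok, reconcile_result)."""
    ledger = Ledger(credit_before_settlement)
    ledger.initiate_deposit(Deposit("dep-honest", "alice", 500_000))
    ledger.settle_deposit("dep-honest")
    honest_ok = ledger.withdraw("alice", 500_000)       # fine in both modes

    ledger.initiate_deposit(Deposit("dep-attack", "mallory", 1_000_000))
    attack_ok = ledger.withdraw("mallory", 1_000_000)   # before settlement
    ledger.fail_deposit("dep-attack")                   # deposit never completes
    return honest_ok, attack_ok, reconcile(ledger)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(True))    # (True, True, {'mallory': 1000000})
    print("hardened:  ", run_scenario(False))   # (True, False, {})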
Investigation and Exploitation
Following the patch, Kraken's team discovered that three accounts had exploited the flaw within a few days of each other. One of them belonged to the individual who claimed to be a security researcher. Rather than stopping at a proof of concept and reporting the bug at that point, which would have earned a substantial reward, the researcher shared the exploit with two associates, who used it to withdraw almost $3 million from Kraken's treasuries before the report was filed.
When Kraken asked for the details it needed to process the reward, the researchers instead demanded a call with Kraken's business development team and refused to return the funds until Kraken named a speculative dollar figure for the damage the bug could have caused had they not disclosed it. Conditioning the return of stolen funds on a payout is extortion, not ethical hacking.
Kraken’s Bug Bounty Program and Response
Kraken has maintained a Bug Bounty program for nearly a decade, emphasizing ethical guidelines: do not exploit beyond what is necessary to prove the vulnerability, provide proof of concept, and return any extracted funds immediately. This program is managed by highly skilled professionals and has never encountered such a breach of conduct.
In response to this incident, Kraken decided to disclose the bug to the industry to maintain transparency. The firm emphasized that ethical hacking requires adherence to the rules of the Bug Bounty program, and breaking these rules amounts to criminal activity. Kraken is treating this case as criminal and is working with law enforcement agencies.
Conclusion
Despite this setback, Kraken continues to value its Bug Bounty program as a crucial part of its security framework and remains committed to collaborating with ethical security researchers to strengthen the crypto ecosystem. This incident is considered an isolated case, and Kraken remains dedicated to enhancing platform security with the help of good faith actors.