Security Breach at Kraken Exchange Leads to $3 Million Loss
In early June, Kraken, an American crypto exchange, experienced a security breach that resulted in the loss of around $3 million worth of crypto. The breach was caused by a bug in the exchange’s funding system that was exploited by rogue security researchers. Kraken’s chief security officer, Nick Percoco, disclosed the incident and emphasized the breach of ethical standards by the individuals involved.
Response to the Security Breach
Upon receiving a notification from a security researcher about a potential bug on June 9, Kraken’s team discovered a flaw in the system that allowed client accounts to be credited before their deposited assets had cleared, enabling clients to trade crypto markets in real time on funds that had not yet settled. The exchange admitted that it had not tested the system against this specific attack vector prior to the breach. After patching the vulnerability, it was revealed that three accounts had exploited the same flaw, resulting in the withdrawal of nearly $3 million from Kraken’s treasuries.
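The flaw described above belongs to a well-known class: a balance becomes spendable on notice of a deposit rather than on its settlement. The following is an added illustration, not Kraken’s code and not derived from the incident details, of a toy ledger that shows the weak pattern beside a hardened one that keeps pending and settled funds apart, plus a reconciliation check a defender can run over deposit and withdrawal records. All user names, deposit ids and amounts are constructed for the example.

```python
from dataclasses import dataclass, field


class LedgerError(Exception):
    pass


@dataclass
class Account:
    settled: int = 0                                 # cleared funds, in minor units
    pending: int = 0                                 # announced deposits not yet confirmed
    deposits: dict = field(default_factory=dict)     # deposit_id -> amount still pending


class WeakLedger:
    """Credits spendable balance as soon as a deposit is announced.
    This is the flaw class the article describes: funds usable before they clear."""

    def __init__(self):
        self.accounts = {}

    def notify_deposit(self, user, deposit_id, amount):
        acct = self.accounts.setdefault(user, Account())
        acct.settled += amount          # no settlement gate at all

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        if amount <= 0 or amount > acct.settled:
            raise LedgerError("insufficient funds")
        acct.settled -= amount
        return acct.settled


class SettledLedger:
    """Hardened form: a deposit sits in 'pending' until confirmed, and only
    settled funds can be withdrawn or traded."""

    def __init__(self):
        self.accounts = {}

    def notify_deposit(self, user, deposit_id, amount):
        acct = self.accounts.setdefault(user, Account())
        if deposit_id in acct.deposits:
            raise LedgerError("duplicate deposit notice")   # replayed notice is rejected
        acct.deposits[deposit_id] = amount
        acct.pending += amount

    def confirm_deposit(self, user, deposit_id):
        acct = self.accounts[user]
        amount = acct.deposits.pop(deposit_id, None)
        if amount is None:
            raise LedgerError("unknown or already settled deposit")
        acct.pending -= amount
        acct.settled += amount

    def cancel_deposit(self, user, deposit_id):
        """The deposit never cleared (reversed or failed): drop it without crediting."""
        acct = self.accounts[user]
        amount = acct.deposits.pop(deposit_id, None)
        if amount is None:
            raise LedgerError("unknown deposit")
        acct.pending -= amount

    def withdraw(self, user, amount):
        acct = self.accounts[user]
        if amount <= 0 or amount > acct.settled:     # pending funds never count
            raise LedgerError("insufficient settled funds")
        acct.settled -= amount
        return acct.settled


def reconcile(confirmed_deposits, withdrawals):
    """Detection check over (user, amount) records: a user whose total withdrawals
    exceed the total of deposits that actually cleared is flagged for review."""
    cleared = {}
    for user, amount in confirmed_deposits:
        cleared[user] = cleared.get(user, 0) + amount
    withdrawn = {}
    for user, amount in withdrawals:
        withdrawn[user] = withdrawn.get(user, 0) + amount
    return sorted(u for u, w in withdrawn.items() if w > cleared.get(u, 0))


def demo():
    """Constructed walk-through: the same deposit notice against both ledgers."""
    weak = WeakLedger()
    weak.notify_deposit("alice", "dep-1", 1_000)
    weak_after = weak.withdraw("alice", 1_000)       # succeeds although nothing cleared

    hard = SettledLedger()
    hard.notify_deposit("alice", "dep-1", 1_000)
    try:
        hard.withdraw("alice", 1_000)
        blocked = False
    except LedgerError:
        blocked = True                               # refused: deposit still pending
    hard.confirm_deposit("alice", "dep-1")
    hard_after = hard.withdraw("alice", 1_000)       # allowed once settled
    return weak_after, blocked, hard_after


if __name__ == "__main__":
    print(demo())
```

The reconciliation function is the post-hoc counterpart of the settlement gate: even where a crediting bug slips through, comparing withdrawals against confirmed inflow per account surfaces the accounts that spent money that never cleared.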
Consequences of the Breach
Although the security researcher did not fully disclose the bug, Kraken attempted to reward them for identifying the security flaw. However, the individuals responsible for the breach refused to comply with Kraken’s requests for a full account of their activities, a proof of concept, and the return of the withdrawn funds. This led Percoco to characterize their actions as “extortion” rather than white-hat hacking. The exchange’s efforts to identify all the attackers and recover the funds remain ongoing, and their outcome is uncertain.