Kraken hit by white hat ransomware attack, loses 3 million euros, CertiK: Threatened by Kraken
The well-known U.S. cryptocurrency exchange Kraken recently disclosed a major security vulnerability that resulted in the theft of at least $3 million worth of digital assets. Kraken emphasized, however, that user funds were not at risk. Update: CertiK has returned the funds in full.
In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.
— Nick Percoco (@c7five) June 19, 2024
Kraken revealed that a research team discovered a significant security vulnerability in the exchange, resulting in $3 million worth of digital assets being withdrawn from it. The vulnerability was first discovered on June 9 by an anonymous self-proclaimed "security researcher," who then informed Kraken.
Exploited Vulnerability Leads to $3 Million Theft
However, Kraken's Chief Security Officer Nick Percoco stated that two accounts associated with the researcher exploited this vulnerability to withdraw over $3 million worth of digital assets. Percoco said:
"They requested a call with our business team and refused to return any funds until we provided an estimate of the potential loss from the vulnerability. This is not white-hat hacker behavior; it's extortion!"
User Funds Not Threatened
Kraken emphasized that the stolen cryptocurrencies were taken from Kraken's own treasury and that user funds were not at risk.
Kraken's Response: Not White-Hat Hacker Behavior
In this incident, one of the three Kraken accounts linked to the vulnerability had passed KYC verification, with the account owner claiming to be a security researcher, although their identity remains undisclosed. The researcher initially demonstrated the vulnerability through a $4 cryptocurrency transfer, which was enough to qualify for a "substantial reward" from Kraken's bug bounty program.
However, the researcher disclosed the vulnerability to two other accounts, which inappropriately withdrew nearly $3 million. Kraken's CSO Nick Percoco stated:
"For transparency, we are disclosing this vulnerability to the industry today. We asked these 'white-hat hackers' to return what they stole from us and were accused of being unreasonable and unprofessional. Unbelievable."
CertiK Security Team Counters: Threatened by Kraken
The security team CertiK appears to be central to this dispute and counters that it was threatened by Kraken.
Kraken's Major Security Vulnerability
CertiK stated that the investigation began with a critical discovery in Kraken's deposit system. CertiK's team found that the system might not differentiate between various internal transfer states, leading to a comprehensive examination around three key questions:
- Can malicious actors forge a deposit transaction to a Kraken account?
- Can malicious actors withdraw the forged funds?
- What risk controls and asset protection measures might be triggered by large withdrawal requests?
The investigation results were alarming. Kraken failed all three tests, indicating that its defense-in-depth was breached in multiple ways.
Forged Transactions and Unauthorized Withdrawals
The investigation revealed that millions of dollars could be deposited into any Kraken account fraudulently. More concerning, over $1 million worth of forged cryptocurrencies could be withdrawn from the account and converted into legitimate crypto assets without triggering any alerts over several days of testing. Kraken only took action and locked the test accounts days after CertiK formally reported the incident.
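As an added illustration (not Kraken's or CertiK's code), a toy deposit ledger shows the state distinction CertiK's three questions turn on: the weak `naive_available` credits any deposit that has not failed, while `Ledger.available` counts only confirmed settlements and `Ledger.withdraw` routes large requests to a review queue. The `DepositState` names, the account names and amounts, and the `review_threshold` value are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # seen in a queue or on-chain, not yet final
    CONFIRMED = "confirmed"  # finality reached and verified by settlement
    FAILED = "failed"        # reverted, rejected or never materialised


@dataclass
class Deposit:
    account: str
    amount: Decimal
    state: DepositState


@dataclass
class Ledger:
    deposits: list = field(default_factory=list)
    withdrawn: dict = field(default_factory=dict)
    # Constructed threshold for the manual-review hold; a real exchange tunes this.
    review_threshold: Decimal = Decimal("100000")

    def available(self, account: str) -> Decimal:
        """Withdrawable balance counts CONFIRMED deposits only, so an unsettled
        (possibly forged) credit never becomes spendable."""
        credited = sum((d.amount for d in self.deposits
                        if d.account == account and d.state is DepositState.CONFIRMED),
                       Decimal(0))
        return credited - self.withdrawn.get(account, Decimal(0))

    def withdraw(self, account: str, amount: Decimal) -> str:
        """Returns 'ok', 'insufficient' or 'held_for_review'."""
        if amount <= 0 or amount > self.available(account):
            return "insufficient"
        if amount >= self.review_threshold:
            return "held_for_review"  # large withdrawals go to risk control, not out the door
        self.withdrawn[account] = self.withdrawn.get(account, Decimal(0)) + amount
        return "ok"


def naive_available(ledger: Ledger, account: str) -> Decimal:
    """The weak pattern CertiK's description points at: every deposit that is not
    FAILED is credited, so a PENDING deposit is treated as withdrawable."""
    credited = sum((d.amount for d in ledger.deposits
                    if d.account == account and d.state is not DepositState.FAILED),
                   Decimal(0))
    return credited - ledger.withdrawn.get(account, Decimal(0))
```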
Kraken's Response and Subsequent Actions
Upon receiving CertiK's report, Kraken's security team classified the issue as "critical," the highest severity level. While initial discussions on identifying and fixing the vulnerability seemed successful, the situation quickly deteriorated. Kraken's security operations team threatened individual CertiK employees, demanding the return of an incorrect amount of cryptocurrency within an unreasonable timeframe and failing to provide any repayment address.
CertiK urged Kraken to cease the intimidation of white-hat hackers, emphasizing the importance of collaboration in addressing security risks and safeguarding the future of decentralized finance.