Crypto exchange Kraken accuses blockchain security outfit CertiK of extortion

5 months ago 32
BOOK THIS SPACE FOR AD
ARTICLE AD

Kraken, one of the largest cryptocurrency exchanges in the world, has accused a trio of security researchers of discovering a critical bug, expoliting it to steal millions in digital cash, then using stolen funds to extort the exchange for more.

The exchange wrote about the issue yesterday, saying the exploit allowed some users "to artificially increase the value of their Kraken account balance without fully completing a deposit." Kraken chief security officer Nicholas Percoco said on X that the researchers didn't provide any details in their bug bounty report, but that his team discovered the bug within an hour.

According to Percoco, the issue derived from a recent UX change that would credit client accounts before assets actually cleared to create an artificial sense of real-time cryptocurrency trades. "This UX change was not thoroughly tested against this specific attack vector," Percoco admitted on X.

Simply reporting the bug would have been enough for a sizable bounty, Percoco added. The researcher who disclosed the vulnerability, who Kraken didn't name "because they didn't comply with any [bug bounty] industry expectations," didn't stop there, however. 

According to Percoco, the analyst behind the find shared it with a couple of coworkers, who then exploited the vulnerability to withdraw nearly $3 million from the platform. Kraken noted that the funds stolen in this way were from the Kraken treasury and weren't client assets.

Given this is the world of cryptocurrency, the wild ride didn't stop at the theft of millions.

Percoco said the researchers refused to provide a full account of their activity related to the exploit, demonstrate a proof of concept, or to return funds withdrawn via the vulnerability.

"Instead, they demanded a call with their business development team … and have not agreed to return any funds until we provide a speculated [dollar] amount that this bug could have caused if they had not disclosed it," Percoco said. "This is not white-hat hacking, it is extortion!"

Kraken didn't respond to questions from The Reg for this story. 

"We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly," Percoco added. "We're thankful this issue was reported, but that's where that thought ends."

Researchers strike back

Kraken may not have wanted to name the researchers behind the alleged extortion attempt, but the researchers themselves aren't being quiet – they're accusing Kraken of misconduct. 

US-based blockchain security firm CertiK said on X that it was the other party in this dispute, and said the conversation began well enough until Kraken's security team fixed the issue.

Oklahoma saddles up bill of rights for crypto wranglers and miners How two brothers allegedly swiped $25M in a 12-second Ethereum heist Crypto wallet providers urged to rethink security as criminals drain them of millions Cryptocurrency laundryman gets hung out to dry

"After initial successful conversions on identifying and fixing the vulnerability, Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," CertiK said on X.

CertiK also claimed that it had offered to return the funds and never tried to withhold them, however, the crypto community on X isn't going easy on the company. A number of respondents have claimed that wallets associated with CertiK have been caught using US-sactioned cryptocurrency mixers like TornadoCash and crypto-swapping platform ChangeNOW, while others highlighted what they claim were inconsistencies with CertiK's public disclosures and records on the blockchain.

Additionally, while Percoco said all funds have been returned, minus a portion that was lost to blockchain fees, several commentators allege that the amount CertiK said it owed Kraken was tens of thousands of dollars less than what Kraken said was stolen.

The Register asked a number of folks at CertiK for an explanation of the supposed inconsistencies in its report and to learn more about the incident, but haven't heard back. ®

Read Entire Article