Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw

Crypto exchange Kraken revealed that an unnamed security researcher exploited an “extremely critical” zero-day flaw in its platform to steal $3 million in digital assets and refused to return them.

Details of the incident were shared by Kraken’s Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert from the researcher about a bug that “allowed them to artificially inflate their balance on our platform” without sharing any other details

Within minutes of receiving the alert, the company said it identified a security issue that essentially permitted an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

While Kraken emphasized that no client assets were at risk due to the issue, it could have enabled a threat actor to print assets in their accounts. The problem was addressed within 47 minutes, it said.

Crypto exchange Kraken revealed that an unnamed security researcher exploited an “extremely critical” zero-day flaw in its platform to steal $3 million in digital assets and refused to return them.

Details of the incident were shared by Kraken’s Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert from the researcher about a bug that “allowed them to artificially inflate their balance on our platform” without sharing any other details

Within minutes of receiving the alert, the company said it identified a security issue that essentially permitted an attacker to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”

While Kraken emphasized that no client assets were at risk due to the issue, it could have enabled a threat actor to print assets in their accounts. The problem was addressed within 47 minutes, it said.

CertiK further asserted that “Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

That said, evidence has also emerged that a CertiK researcher may have been conducting probing and testing as early as May 27, 2024, contradicting the company’s timeline of events.

The development comes as Kraken, in a blog post, accused the “third-party security research company” of exploiting the flaw for financial gain prior to reporting it. The now-resolved security vulnerability “allowed certain users, for a short period of time, to artificially increase the value of their Kraken account balance without fully completing a deposit.”