Zero-Day Exploit in Kraken Crypto Exchange Leads to $3 Million Theft


Kraken Chief Security Officer Nick Percoco disclosed that someone claiming to be a security researcher exploited a zero-day vulnerability to steal $3 million worth of cryptocurrency. The individual involved is refusing to return the stolen assets.

“On June 9, 2024, we received a Bug Bounty program alert from a security researcher,” reads Percoco’s post on X. “No specifics were initially disclosed, but their email claimed to find an ‘extremely critical’ bug that allowed them to artificially inflate their balance on our platform.”

Critical Bug on Kraken Lets Attackers Inflate Wallet Balances

Kraken received the report of an “extremely critical” bug from the researcher on June 9. The researcher provided no technical details about the alleged finding, but did state that it could allow anyone to artificially increase their wallet balance.

According to Percoco, the exchange began investigating immediately after the bug bounty report came in, assembling a cross-functional team to analyze it. The investigation revealed an “isolated bug” that an attacker could have used, under certain circumstances, to initiate a deposit and receive the funds without the deposit ever completing.

The Flaw Was Caused by a Recent User Interface Update

The vulnerability reportedly stemmed from a recent user interface update. The change credited client accounts before the deposited assets had cleared, so that clients could start trading on crypto markets in real time. That ordering is the security-relevant point: a balance that is spendable (and in this case withdrawable) before the underlying deposit has settled is, in effect, an unsecured loan from the exchange to the depositor.

Although the vulnerability did not put client assets at risk, it let an attacker artificially inflate their own Kraken account balance and withdraw against it. The company fixed the issue quickly, but the bug had already been exploited within a few days, resulting in the withdrawal of $3 million worth of crypto from the exchange’s treasury.
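The pattern described above, a deposit that is credited as spendable before it has cleared, is worth seeing as code. The following is an added, constructed example and is not Kraken’s code; it models a generic exchange ledger with a switch that reproduces the credit-before-clear behaviour beside the hardened credit-after-clear behaviour, using made-up account names and amounts. The design choice it illustrates is that “show the user the incoming deposit” and “let the user withdraw it” must be two separate balances, and withdrawals are only ever checked against the one that has settled.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Exchange-side balances for a constructed example (not a real exchange's code).

    treasury: the pool that withdrawals are paid out of.
    available: per-account balance that withdrawals may draw on (settled funds).
    pending: per-account deposits that were initiated but have not cleared yet.
    credit_before_clear: True reproduces the vulnerable ordering described in the article.
    """
    treasury: int
    credit_before_clear: bool
    available: dict[str, int] = field(default_factory=dict)
    pending: dict[str, int] = field(default_factory=dict)

    def deposit_initiated(self, account: str, amount: int) -> None:
        # Vulnerable path: credit spendable balance as soon as the deposit is *initiated*.
        # Hardened path: record it as pending so it can be displayed but not withdrawn.
        if self.credit_before_clear:
            self.available[account] = self.available.get(account, 0) + amount
        else:
            self.pending[account] = self.pending.get(account, 0) + amount

    def deposit_cleared(self, account: str, amount: int) -> None:
        # The funds actually arrived: they enter the treasury and become spendable.
        self.treasury += amount
        if not self.credit_before_clear:
            self.pending[account] -= amount
            self.available[account] = self.available.get(account, 0) + amount

    def deposit_failed(self, account: str, amount: int) -> None:
        # The deposit never completed. The hardened ledger just drops the pending entry.
        # The vulnerable ledger already handed out a spendable balance and, if it was
        # withdrawn in the meantime, has nothing left to claw back.
        if not self.credit_before_clear:
            self.pending[account] -= amount

    def withdraw(self, account: str, amount: int) -> bool:
        # Withdrawals are checked against `available` only, never against `pending`.
        if self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        self.treasury -= amount
        return True


def abuse_flow(credit_before_clear: bool) -> tuple[int, bool]:
    """Initiate a deposit, withdraw immediately, never complete the deposit.

    Returns (treasury_loss, withdrawal_succeeded). Amounts are constructed.
    """
    ledger = Ledger(treasury=1_000_000, credit_before_clear=credit_before_clear)
    start = ledger.treasury
    ledger.deposit_initiated("attacker", 50_000)
    ok = ledger.withdraw("attacker", 50_000)
    ledger.deposit_failed("attacker", 50_000)
    return start - ledger.treasury, ok


def honest_flow(credit_before_clear: bool) -> tuple[int, bool]:
    """Deposit, wait for it to clear, then withdraw. The hardened ordering must not
    break this path: the treasury nets to zero and the withdrawal succeeds."""
    ledger = Ledger(treasury=1_000_000, credit_before_clear=credit_before_clear)
    start = ledger.treasury
    ledger.deposit_initiated("client", 50_000)
    ledger.deposit_cleared("client", 50_000)
    ok = ledger.withdraw("client", 50_000)
    return start - ledger.treasury, ok


if __name__ == "__main__":
    print("abuse, credit-before-clear :", abuse_flow(True))   # treasury loses the uncleared amount
    print("abuse, credit-after-clear  :", abuse_flow(False))  # withdrawal refused, no loss
    print("honest, credit-after-clear :", honest_flow(False))  # legitimate path still works
```

The check a practitioner would add on top of this is an invariant that the sum of all `available` balances never exceeds the treasury’s settled holdings; a credit-before-clear change violates it the moment a deposit is initiated, which is exactly the kind of assertion that would have caught this change in review or in a pre-production test.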

Alleged Researchers Refuse to Return Withdrawn Funds Totaling $3 Million

The security researcher who discovered the flaw is suspected of sharing the details with two others. Together, they exploited the flaw to extract $3 million from Kraken’s treasury. The company demanded a detailed account of their actions, a proof-of-concept for the on-chain activity, and the return of…
