The crypto exchange Kraken has revealed that a self-described security research team is still holding roughly $3 million in digital assets that it withdrew from the exchange by exploiting a recently discovered bug.
Discovery of the Bug and White Hat Hack
An anonymous, self-described security researcher discovered a critical flaw and alerted Kraken on June 9th. However, according to Nick Percoco, Kraken's Chief Security Officer, two accounts associated with this researcher went on to exploit the flaw and withdraw over $3 million in digital assets.
Following this massive withdrawal, the researcher demanded a reward in exchange for returning the funds. Percoco wrote in a post on X on June 19th: "Instead, they demanded a call with our business development team and refused to return the funds until we provided an estimated amount of the potential damage this bug could have caused if they hadn't disclosed it. This is not ethical hacking; it's extortion!"
When Kraken requested a proof of concept so it could review the hacker's on-chain activity, the researcher refused, and instead demanded a sum equivalent to the funds that could potentially have been stolen had the flaw not been discovered in time.
Unethical Practices?
According to Percoco, the stolen cryptocurrency was taken directly from Kraken's treasury, so no user funds were put at risk. One of the three Kraken accounts linked to the hack had previously completed KYC verification for a person claiming to be a security researcher, although that person's identity remains unknown.
The researcher initially demonstrated the flaw with a cryptocurrency transfer worth $4, which on its own would have sufficed to prove the bug and earn "substantial rewards" from Kraken's bug bounty program. However, the individual then shared the bug with two other people, whose Kraken accounts were used to fraudulently siphon nearly $3 million from the exchange.
According to Kraken's Percoco, these actions resemble extortion rather than ethical hacking:
With transparency in mind, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for asking ‘ethical hackers’ to return what they stole from us. Unbelievable.
We are treating this as a criminal matter and coordinating our efforts with law enforcement accordingly.