Kraken Says Hackers Turned to 'Extortion' After Exploiting Bug for $3M

The bug found by a "security researcher" led to nearly $3 million stolen from Kraken's treasuries.

Updated Jun 19, 2024, 6:32 p.m. Published Jun 19, 2024, 3:22 p.m.
(Alpha Rad/Unsplash)
  • Kraken said third-party security researchers found a vulnerability, which was fixed by the crypto exchange.
  • The researchers secretly withdrew nearly $3 million and refused to give it back without seeing the bounty amount first, Kraken said.
  • Blockchain code editor Certik said it found a vulnerability in Kraken's platform and claims to have been "threatened" by the exchange.

Crypto exchange Kraken said "security researchers" who found a vulnerability on the platform turned to "extortion" after withdrawing about $3 million from the exchange's treasury.

Nick Percoco, Kraken's chief security officer, said in a post on social media platform X (formerly Twitter) that the firm received a "bug bounty program" alert from a security researcher on June 9 about a vulnerability that allows users to artificially inflate their balance. The bug "allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit," Percoco added.

Upon receiving the report, Kraken fixed the issue swiftly and no user funds were affected, Percoco noted.

What came after raised red flags for Kraken's team.

The security researcher, upon finding the bug, allegedly disclosed it to two other individuals, who then "fraudulently" withdrew nearly $3 million from their Kraken accounts. "This was from Kraken’s treasuries, not other client assets," Percoco said.

The initial bug report didn't mention the two other individuals' transactions, and when Kraken asked for more details of their activities, they refused.

"Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!" Percoco wrote.

Kraken didn't disclose who the researchers were, but blockchain code editor Certik subsequently said in a social media post that it found several vulnerabilities in the crypto exchange.

Certik said it conducted "multi-day testing" and noted that the bug could be exploited to create millions of dollars worth of crypto. "Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period," the post said.

However, Certik said things went sour after the initial conversation with Kraken. "Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," the X post added.

Bug bounty programs – used by many firms to strengthen their security systems – invite third-party hackers, known as "white hats," to find vulnerabilities so the company can fix them before a malicious actor exploits them. Kraken's competitor, Coinbase, has a similar program to help alert the exchange of vulnerabilities.

To be paid the bounty, Kraken's program requires a third party to find the problem, exploit the minimum amount needed to prove the bug, return the assets and provide details of the vulnerability, Kraken said in a blog post, adding that since the security researchers didn't follow these rules, they won't get the bounty.

"We engaged these researchers in good faith and, in-line with a decade of running a bug bounty program, had offered a sizable bounty for their efforts. We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers," a Kraken spokesperson told CoinDesk.

UPDATE (June 19, 18:30 UTC): Updates story throughout to add Certik's comments.