As a researcher with experience in the crypto exchange industry, I find the recent incident at Kraken deeply concerning. The loss of around $3 million due to a bug exploited by rogue “security researchers” is a stark reminder of the importance of ethical standards and thorough testing in this field.
In early June, approximately $3 million worth of cryptocurrency was taken from the American exchange Kraken through an attack on a defect in its funding system, carried out by an unidentified “security researcher.” Kraken’s Chief Security Officer, Nick Percoco, disclosed the incident in a public forum, expressing his disappointment at the ethical lapse of those responsible.
In our daily operations, we encounter deceitful bug reports labeled as “submissions from security researchers.” This isn’t a novel occurrence for those managing a bug bounty program. Nevertheless, we took these allegations seriously and promptly formed a collaborative team to delve into the matter. Here’s what our investigation uncovered.
— Nick Percoco (@c7five) June 19, 2024
According to Percoco’s account, a “security researcher” alerted the team to a possible issue on June 9. The team traced it to a “flaw resulting from a recent user experience modification” that allowed client accounts to be credited with deposits before the assets had actually cleared, so the funds could be used immediately for live trading on the crypto markets. Kraken’s CSO acknowledged that the UX change had not been assessed against this specific kind of attack before it shipped.
“This UX change was not thoroughly tested against this specific attack vector,” Percoco wrote.
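To make the class of defect concrete, the following is an added example written for this article, not Kraken’s code and not based on any detail of its internal ledger. It models a toy exchange ledger (all names, amounts and the two modes are constructed) that keeps a separate pending balance for deposits that have been seen but not settled. In the weak mode the deposit becomes spendable as soon as it is observed, which is the behaviour the article describes; in the hardened mode it is held until settlement. A reconciliation function reports spendable credit that is not backed by settled assets, which is the figure a defender would want to alert on.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    # Funds that may be traded or withdrawn.
    available: Decimal = Decimal("0")
    # Funds observed on the way in but not yet settled; never spendable.
    pending: Decimal = Decimal("0")


class Ledger:
    """Toy exchange ledger, constructed for illustration (hypothetical, not Kraken's)."""

    def __init__(self, credit_before_settlement: bool) -> None:
        # True reproduces the weak behaviour described in the article:
        # a deposit becomes spendable as soon as it is seen, before it clears.
        self.credit_before_settlement = credit_before_settlement
        self.accounts: dict[str, Account] = {}
        self.settled_total = Decimal("0")   # assets that have actually cleared
        self.credited_total = Decimal("0")  # amounts ever moved into 'available'

    def _acct(self, user: str) -> Account:
        return self.accounts.setdefault(user, Account())

    def deposit_seen(self, user: str, amount: Decimal) -> None:
        """An incoming deposit has been noticed but has not cleared."""
        acct = self._acct(user)
        if self.credit_before_settlement:
            acct.available += amount          # the flaw: spendable immediately
            self.credited_total += amount
        else:
            acct.pending += amount            # hardened: hold until settled

    def deposit_settled(self, user: str, amount: Decimal) -> None:
        """The deposit has cleared; only now may it back a spendable balance."""
        acct = self._acct(user)
        self.settled_total += amount
        if not self.credit_before_settlement:
            acct.pending -= amount
            acct.available += amount
            self.credited_total += amount

    def withdraw(self, user: str, amount: Decimal) -> bool:
        """Withdrawals and trades must be funded from 'available' only."""
        acct = self._acct(user)
        if amount <= 0 or acct.available < amount:
            return False
        acct.available -= amount
        return True

    def unbacked_credit(self) -> Decimal:
        """Reconciliation check: spendable credit not backed by settled assets.
        Anything above zero is exposure the exchange is carrying."""
        return self.credited_total - self.settled_total


def simulate(credit_before_settlement: bool) -> dict:
    """Run one deposit-then-withdraw scenario (constructed sample) and report it."""
    ledger = Ledger(credit_before_settlement)
    amount = Decimal("100")
    ledger.deposit_seen("user-a", amount)
    withdrew_early = ledger.withdraw("user-a", amount)    # before clearing
    exposure_early = ledger.unbacked_credit()
    ledger.deposit_settled("user-a", amount)
    withdrew_after = ledger.withdraw("user-a", amount)    # after clearing
    return {
        "withdrew_before_settlement": withdrew_early,
        "exposure_before_settlement": exposure_early,
        "withdrew_after_settlement": withdrew_after,
        "exposure_after_settlement": ledger.unbacked_credit(),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("credit_before_settlement =", mode, simulate(mode))
```

Running the scenario in the weak mode shows a withdrawal succeeding before settlement with 100 units of unbacked credit on the books; in the hardened mode the early withdrawal is refused, the exposure stays at zero, and the same withdrawal succeeds once the deposit has settled. The reconciliation figure is the kind of metric that, if monitored, would have flagged the problem independently of any bug report.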
After the vulnerability was fixed, Kraken found that three accounts had exploited it within a short time of one another. Rather than reporting the issue to Kraken directly, the researcher is alleged to have passed the details to two associates, according to Percoco’s statement. Their identities have not been disclosed, but together they were able to withdraw approximately $3 million from Kraken’s funds.
Percoco also noted that the original report from the self-described “security researcher” was not fully transparent about the vulnerability, so the team had to verify certain details before it could approve a bounty for the finding.
Kraken demanded a full account of the actions taken, a demonstration of their capabilities, and the return of the withdrawn funds. The individuals involved refused, which Percoco characterized as “extortion” rather than ethical hacking. Whether Kraken identified all of the perpetrators or recovered the stolen funds remains unclear.
2024-06-19 17:16