See More

Kraken Reports Nearly $3 Million Bug-Related Exploit

2 mins
Updated by Daria Krasnova
Join our Trading Community on Telegram

In Brief

  • Kraken suffered a bug attack a bug that saw it lose almost $3 million less than two weeks ago.
  • Anyone could initiate a deposit to the platform and receive the funds without completing it.
  • Kraken treats the incident as a criminal case, commits to coordinate with law enforcement.
  • promo

Cryptocurrency trading platform Kraken has reported an exploit less than a fortnight ago that saw it lose almost $3 million in a bug-related attack.

The incident highlights the insecurities and vulnerabilities that continue to infest the industry.

Kraken Lost $3 Million in a Bug Attack

Kraken revealed a bug attack on June 9, which saw the bad actor make away with nearly $3 million. Based on the report shared by Kraken Chief Security Officer Nick Percoco, the exchange received a bug bounty program alert.

“On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform,” noted Percoco in a post on Wednesday.

The CSO noted that a further probe revealed an isolated bug that gave the bad actor unmerited privileges. Specifically, they could initiate a deposit on Kraken Exchange and receive funds in their account even though they had not fully completed the deposit.

Read more: Kraken Review 2024: Security and Features

A forensic analysis revealed a vulnerability in a recent UX change on Kraken’s platform. This flaw allowed a malicious attacker to “print assets” in their account for a period of time. Importantly, no client assets were compromised, and the issue has been fixed. However, a subsequent probe discovered that three accounts had already exploited the bug within a few days of each other.

“After patching the risk, we thoroughly investigated the situation and quickly discovered that 3 accounts had leveraged this flaw within a few days of each other. As we dug deeper, we noticed that one account was KYC’d to an individual who claimed to be a security researcher,” Percoco said.

A security researcher discovered a bug in Kraken’s funding system and credited their account with $4 in cryptocurrency. This amount was enough to demonstrate the flaw and file a bug bounty report, which would have earned a significant reward under Kraken’s program.

Instead, the researcher shared the bug with two colleagues, who exploited it to generate much larger sums fraudulently. This collusion led to a loss of nearly $3 million, taken from Kraken’s treasuries rather than client assets.

Read more: Top 5 Flaws in Crypto Security and How To Avoid Them

The incident culminated in a case of extortion after the crypto trading platform tried to recover the funds from the researchers. Kraken requested a full account of the researchers’ activities, including the proof of concept used to create the on-chain activity and arrangements to return the withdrawn funds. 

“These security researchers refused. Instead, they demanded a call with their business development team and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!” Percoco resented.

Kraken has therefore resorted to treating the incident as a criminal case, committing to coordinating with law enforcement. The research company remains undisclosed.

Top crypto projects in the US | July 2024
Harambe AI Harambe AI Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | July 2024
Harambe AI Harambe AI Explore
Uphold Uphold Explore
Coinbase Coinbase Explore
Chain GPT Chain GPT Explore
Top crypto projects in the US | July 2024



In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and ConditionsPrivacy Policy, and Disclaimers have been updated.

Lockridge Okoth
Lockridge Okoth is a journalist at BeInCrypto, focusing on prominent industry companies such as Coinbase, Binance, and Tether. He covers a wide range of topics, including regulatory developments in decentralized finance (DeFi), decentralized physical infrastructure networks (DePIN), real-world assets (RWA), GameFi, and cryptocurrencies. Previously, Lockridge conducted market analysis and technical assessments of digital assets, including Bitcoin and altcoins such as Arbitrum, Polkadot, and...