
Crypto Exchange Kraken Hacked For 3 Million Dollars

Crypto exchange Kraken recently disclosed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Crypto exchange Kraken recently disclosed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform to withdraw about $3 million in digital assets and then demanded payment rather than returning them. Kraken's Chief Security Officer, Nick Percoco, shared details of the incident, revealing that the company received an alert through its Bug Bounty program about a vulnerability that allowed the exploiter to artificially inflate their account balance without completing a deposit.

Details of the Exploit

Kraken identified the security issue within minutes of receiving the alert. The flaw allowed an attacker to initiate a deposit and have the amount credited to their account before the transaction had actually settled, so the credited balance could be withdrawn even though no funds had been received. No client assets were at risk, but the bug let attacker-controlled accounts create balances that were not backed by any real deposit. The problem was fixed within 47 minutes.

The flaw originated from a recent user interface change that credited customers for a deposit and let them use the funds before the deposit had cleared. Further investigation revealed that three accounts, including one belonging to the supposed security researcher, exploited the flaw and withdrew roughly $3 million.
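The pattern described above, credit-before-settlement, reduces to a small ledger model. The following is an added illustration written for this article and is not Kraken's code or a reconstruction of its systems; the class names, the two-state deposit lifecycle and the reconciliation check are all assumptions for the example. It places a ledger that credits spendable balance when a deposit is merely initiated beside one that credits only on settlement, and runs a reconciliation that flags any account whose credited value exceeds what was actually settled.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed example; not any exchange's real code.


class DepositState(Enum):
    INITIATED = "initiated"   # customer announced a deposit; nothing received yet
    SETTLED = "settled"       # funds confirmed received (on-chain or at the bank)
    CANCELLED = "cancelled"   # deposit abandoned before settlement


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit (e.g. satoshi); ints avoid float drift
    state: DepositState = DepositState.INITIATED


class Ledger:
    """Common bookkeeping: spendable balances, payouts, deposit records."""

    def __init__(self):
        self.balances = {}    # account -> spendable balance
        self.withdrawn = {}   # account -> total already paid out
        self.deposits = {}    # deposit_id -> Deposit

    def _credit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount

    def withdraw(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[account] -= amount
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
        return amount


class VulnerableLedger(Ledger):
    """Credits the customer at initiation, before the deposit has cleared."""

    def initiate_deposit(self, deposit_id, account, amount):
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        self._credit(account, amount)   # BUG: spendable before anything was received
        return deposit_id

    def cancel_deposit(self, deposit_id):
        self.deposits[deposit_id].state = DepositState.CANCELLED
        # BUG: the pre-clearing credit is never reversed


class HardenedLedger(Ledger):
    """Credits only on settlement, and only the amount actually received."""

    def initiate_deposit(self, deposit_id, account, amount):
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        return deposit_id     # UI may show "pending"; nothing is spendable yet

    def settle_deposit(self, deposit_id, received_amount):
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit is not pending")
        dep.amount = received_amount   # trust the settlement source, not the claim
        dep.state = DepositState.SETTLED
        self._credit(dep.account, received_amount)

    def cancel_deposit(self, deposit_id):
        dep = self.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("only pending deposits can be cancelled")
        dep.state = DepositState.CANCELLED


def unbacked_credit(ledger):
    """Reconciliation: per account, value credited (held + withdrawn) minus
    value actually settled. A positive result means money was created."""
    accounts = (set(ledger.balances) | set(ledger.withdrawn)
                | {d.account for d in ledger.deposits.values()})
    report = {}
    for acct in accounts:
        credited = ledger.balances.get(acct, 0) + ledger.withdrawn.get(acct, 0)
        settled = sum(d.amount for d in ledger.deposits.values()
                      if d.account == acct and d.state is DepositState.SETTLED)
        report[acct] = credited - settled
    return report


def run_vulnerable():
    """Attacker claims a deposit, withdraws against it, then never completes it."""
    lg = VulnerableLedger()
    lg.initiate_deposit("dep-1", "attacker", 400)
    lg.withdraw("attacker", 400)       # paid out of the exchange's own funds
    lg.cancel_deposit("dep-1")
    return unbacked_credit(lg)["attacker"]   # 400 units created from nothing


def run_hardened():
    """Same sequence against the hardened ledger."""
    lg = HardenedLedger()
    lg.initiate_deposit("dep-1", "attacker", 400)
    try:
        lg.withdraw("attacker", 400)   # refused: nothing has settled yet
        early = True
    except ValueError:
        early = False
    lg.settle_deposit("dep-1", 400)
    lg.withdraw("attacker", 400)
    return early, unbacked_credit(lg)["attacker"]   # (False, 0)
```

The reconciliation function is the part worth keeping even when the ledger is believed correct: run periodically against settlement records, it catches any future UI or API change that starts crediting ahead of settlement, which is exactly the kind of regression the article describes.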

Who is at Risk?

It's important to note that no Kraken users were at risk due to this vulnerability. The withdrawn funds came from Kraken's own treasury, not from client accounts, so the financial loss fell on Kraken itself.

Bug Bounties vs. Criminal Hacking

Bug Bounties

Bug bounties are programs set up by companies to incentivize security researchers to find and report vulnerabilities in their systems. These programs offer financial rewards to researchers who follow the rules and responsibly disclose security flaws. The goal is to improve the security of the company's systems by allowing ethical hackers to test them and report issues before malicious actors can exploit them.

Criminal Hacking

Criminal hacking, on the other hand, involves exploiting vulnerabilities for personal gain without the intent of helping the company improve its security. In this case, the supposed security researcher discovered a flaw that could have been reported to Kraken for a legitimate bug bounty reward. Instead, they chose to exploit the vulnerability to steal funds and then demanded payment for returning the stolen assets. This behavior crosses the line from ethical hacking into criminal activity.

The Incident

"This individual discovered the bug in our funding system and leveraged it to credit their account with $4 in crypto," Percoco said. "This would have been sufficient to prove the flaw, file a bug bounty report with our team, and collect a very sizable reward under the terms of our program."

However, instead of reporting the bug and claiming the reward, the individual disclosed it to two associates, who fraudulently generated much larger balances and ultimately withdrew nearly $3 million from Kraken's treasury. When Kraken asked them to share their proof-of-concept (PoC) exploit and return the funds, they demanded payment for releasing the assets, which Kraken identified as extortion.

Conclusion

The distinction between ethical hacking and criminal hacking lies in the intent and actions of the hacker. Ethical hackers, or white-hat hackers, work within the guidelines of bug bounty programs to improve security and are rewarded for their efforts. Criminal hackers exploit vulnerabilities for personal gain, often causing financial and reputational damage to companies.

In this incident, the actions of the supposed security researcher were clearly outside the bounds of ethical hacking. By exploiting the flaw for financial gain and demanding payment for the return of stolen assets, they committed a criminal act. Kraken's response, involving coordination with law enforcement, underscores the seriousness of such breaches and the importance of adhering to ethical standards in cybersecurity research.

As Nick Percoco noted, "As a security researcher, your license to 'hack' a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your 'license to hack.' It makes you, and your company, criminals."

This incident serves as a reminder of the critical role that ethical hacking plays in maintaining the security of digital platforms and the severe consequences of deviating from accepted practices.