Crypto exchange Kraken is being extorted by a research team who reportedly withdrew $3 million of the company’s funds as part of a hack after discovering a bug in its funding system, Kraken’s Chief Security Officer Nick Percoco revealed Wednesday morning.
According to Percoco, after the security researcher discovered the funding system’s flaw on June 9, the anonymous party disclosed the bug to “two other individuals who they work with” in order to withdraw millions of dollars from Kraken’s treasury.
The security researcher in question did not include this in their original bug bounty report, however, prompting skepticism from within the company.
Kraken Security Update:
On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.
— Nick Percoco (@c7five) June 19, 2024
“We requested a full account of their activities, a proof of concept used to create the on-chain activity, and to arrange the return of the funds that they had withdrawn,” Percoco said. “This is common practice for any Bug Bounty program. These security researchers refused.”
The Kraken CSO then claimed that the alleged crypto hackers have agreed not to return any funds until the crypto exchange provides the “speculated $ amount that this bug could have caused if they had not disclosed it.”
“This is not white-hat hacking,” Percoco continued. “This is extortion!”
According to blockchain analytics firm Chainalysis’ 2024 Crypto Crime Report, hackers stole an estimated $1.7 billion worth of digital assets in 2023 alone, with hacking incidents totaling 231