Kraken crypto exchange suffered a significant security breach when alleged researchers exploited a zero-day vulnerability to steal $3 million worth of cryptocurrency. Kraken’s Chief Security Officer Nick Percoco explained that the attackers utilized a critical bug allowing them to arbitrarily increase wallet balances and withdraw the inflated funds. Despite treating the bug report seriously and assembling a cross-functional team, the security team discovered an isolated bug that enabled attackers to initiate deposits and receive funds without fully completing the transactions.
The vulnerability originated from a recent change in the user interface, which credited client accounts promptly before their assets cleared, allowing real-time crypto trading. This UX change was not thoroughly tested against specific attack vectors, resulting in the flaw being exploited by three accounts over a few days. One of the accounts was linked to an individual claiming to be a security researcher, who further disclosed the bug to two other people, leading to the $3 million theft.
Kraken’s security team quickly addressed the vulnerability within an hour of discovery, ensuring that client assets were not at risk despite the attackers’ ability to print assets in their accounts temporarily. Following the breach, Kraken requested the return of the stolen funds, but the researchers refused, prompting Percoco to label the incident as extortion rather than white-hat hacking.
In response to the theft, Kraken notified law enforcement authorities. The exchange’s swift actions and transparency highlight the critical need for thorough testing of UX changes and robust security measures to prevent such breaches. As the investigation continues, Kraken remains vigilant in safeguarding its platform and clients against similar threats.
