Kraken Extorted for $3 Million by Fake Security Researcher

Kraken, a major cryptocurrency exchange, has announced that it is being extorted after a self-proclaimed “security researcher” exploited a bug they had discovered to siphon off $3 million in digital assets. The exchange disclosed the ongoing situation on June 19, ten days after the initial bug report on June 9.

According to Nicholas Percoco, Kraken’s Chief Security Officer, the anonymous researcher found a critical security flaw and then used it to withdraw funds from Kraken’s treasury. Although the researcher did contact Kraken with a bug report, they, together with the holders of two related accounts, refused to return the funds unless Kraken paid a substantial reward.

“This is not white-hat hacking; it is extortion,” Percoco stated in a post on social media platform X. Kraken maintains that user funds were never at risk and that the stolen cryptocurrency came directly from its treasury.

Kraken is actively working with law enforcement to recover the stolen assets and continues to support its bug bounty programs aimed at enhancing the exchange’s security. A spokesperson expressed disappointment over the incident, emphasizing Kraken’s commitment to security and transparency.

Notably, one of the accounts involved had previously completed Know Your Customer (KYC) verification, linking it to an individual claiming to be a security researcher. That individual first demonstrated the bug with a $4 transfer, which on its own could have earned a substantial reward through Kraken’s bounty program. Instead, the individual shared the bug with others, leading to fraudulent withdrawals totalling nearly $3 million.

The incident highlights the fine line between ethical hacking and criminal activity. Percoco condemned the actions, emphasizing Kraken’s efforts to handle the situation professionally and transparently.