Crypto exchange Kraken has disclosed that $3 million worth of digital assets, withdrawn by exploiting a newly found flaw, are still in the control of a research team.
On June 9, the cryptocurrency exchange was notified by an unidentified self-described “security researcher” who had discovered a serious vulnerability. According to Nick Percoco, the chief security officer of Kraken, two accounts connected to the security researcher took advantage of the defect and withdrew more than $3 million in digital assets. Following the multi-million dollar withdrawal, the security researcher is requesting a reward for the funds that were stolen, according to Percoco, who posted on X on June 19.
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”
The cryptocurrency was stolen directly from Kraken’s treasury. The exchange claims that no user funds were endangered.
One of the three Kraken accounts associated with the exploit had already completed the Know Your Customer (KYC) process for a person posing as a security researcher; nevertheless, his identity is still unknown.
The bug’s initial proof was a $4 cryptocurrency transfer from the person who found it, which would have been enough to validate the issue and qualify for “sizable rewards” from Kraken’s bounty program. The person did, however, reveal the flaw to two additional accounts, which were used to steal almost $3 million from their Kraken balances. According to Kraken’s Percoco, these acts are more like extortion than ethical hacking.
“In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.”
Compared to 2023, cryptocurrency hackers and exploiters may be in for a better year in 2024. Hackers stole $542.7 million worth of digital assets in the first quarter of 2024, a 42% rise over the same period in 2023. In an intriguing turn of events, attacks unrelated to smart contracts were not the main source of the increased number of exploits; rather, it was private key leaks. The amount of money stolen due to smart contract vulnerabilities decreased dramatically from a whopping $2.6 billion in 2022 to just $179 million in 2023, according to Merkle Science’s “2024 Crypto HackHub Report.”
In 2023, private key leaks accounted for almost 55% of the digital assets lost to hacking. Over the previous 13 years, there have been 785 documented hacks and attacks in the bitcoin space, costing the sector up to $19 billion.