Kraken disclosed nearly $3 million was taken from its wallets following a bug-related exploit that's since been fixed.

The crypto exchange received a bug bounty program alert on June 9, according to Kraken’s Chief Security Officer Nick Percoco. The alert warned it to an “extremely critical” bug, allowing an attacker to artificially inflate their balance on its platform.

Percoco said that while the submission was lacking in specifics, it looked into the issue and discovered an isolated bug allowing a malicious attacker to initiate a deposit onto its platform and receive funds in their account, without fully completing the deposit. He noted this was only in a specific set of circumstances.

Although no client assets were at risk, he claimed, the bug derived from a flaw in a recent UX change that credited clients’ accounts before asset deposits fully cleared, allowing a malicious attacker to effectively “print assets” in their Kraken account for "a period of time," Percoco said.

Exploited ahead of the bounty submission

The bug was completely fixed within a few hours, according to Percoco. However, a subsequent investigation revealed it had already been exploited by three accounts within a few days of each other, he said.

Percoco claimed that one of the accounts was KYC’d to the individual who discovered the bug and had claimed to be a “security researcher.” The individual purportedly leveraged the bug to credit their account with $4 — sufficient to prove the flaw, file a bug bounty report and claim a sizable reward, Percoco said.

However, Kraken’s CSO alleged that the researcher had instead disclosed the bug to two other individuals they work with, who subsequently withdrew much larger sums from their Kraken accounts totaling nearly $3 million. “This was from Kraken’s treasuries, not other client assets,” Percoco clarified.

Percoco said Kraken requested a full account of their activities and for the funds to be returned. However, the researchers allegedly refused to return any funds until Kraken disclosed the potential size of the exploit if they had not disclosed the bug. “This is not white-hat hacking, it is extortion!” Percoco said.

Start your day with the most influential events and analysis happening across the digital asset ecosystem.

By signing-up you agree to our Terms of Service and Privacy Policy

Also receive The Scoop, The Funding, and our weekly Data & Insights newsletters

By signing-up you agree to our Terms of Service and Privacy Policy

Percoco said the crypto exchange was accused by the researchers of being “unreasonable” and “unprofessional” in its requests, adding that while Kraken would not disclose the research firm involved, it would treat it as a criminal case given the breach of its bug bounty terms.

“We’ll not disclose this research company because they don’t deserve recognition for their actions. We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly,” Percoco said.

CertiK comes forward

Blockchain security firm CertiK later came forward as the company involved, alleging Kraken’s security team had “threatened” individual employees to repay a “mismatched” amount of crypto in an “unreasonable” time frame of six hours without providing a repayment address.

CertiK said it was transferring the funds to an account that Kraken could access based on its records. In an update on June 20, Percoco confirmed the funds had been returned, minus a small amount lost to fees.

Meanwhile, the crypto community alleged that CertiK’s timeline of events did not match up with onchain activity and that addresses connected to the withdrawals had also interacted with the U.S.-sanctioned mixer Tornado Cash and swapped assets using ChangeNOW — a pattern of activity not typical of white hat hackers.

CertiK did not respond to a request for comment from The Block regarding the allegations.

Updated with additional details.