Trading bots commonly found online are pure incompetence. This stuff is designed by script kiddies with no experience and no competitive edge on the market, who run their scripts from cheap unprotected VPSs.
You haven't confirmed whether the theft occurred via API, but as a general advice sharing your API secret keys with these guys is naive. It's akin to giving a perfect stranger your account password and 2fa token.
The bulk of anomalous trades you saw are a known technique to steal funds without having to authorize a withdrawal: the trades are paired against low capitalization coins on which your counterpart places trades against you.
Hello DavideBaldini,
I'm very surprised that big exchanges still allow this kind of techniques. ( Kraken is operating for years now ... )
Kraken is :
- Still providing the possibility to put any sell / buy order at any price. Seriously, is it a normal situation to sell an asset at 0.01% value of the current market value ?
Some other exchanges (newers) have put limit depending of the order book volume and depth.
- Still providing to hackers a easy way to withdraw money with some illiquid market (no volume and thin order book)
So it become easy to wipe the order book and simulate a withdrawal from 1 to 1.
Is kraken not supposed to protects users by providing markets with high liquidity ?
- No putting circuit breaker ( or at least throwing alert to their system to freeze fund waiting for more investigation ).
- Moreover, i'm curious about KYC / AML. As it's not a withdrawal to an external wallet, we can suppose that Kraken knows the (good or bad) identity of the hacker.
In case of bad identity, Kraken is not supposed to make some lawsuits ?
If not, so what's the purpose of KYC if anyone with a leaked api key ( with trades only ) can withdraw $$$ without any restriction to external wallet.
From victim pov, i really wonder what are the legal recourses to this kind of situation as the exchange (Kraken here) has a part of responsibility :
- Illiquid market ( open door to bypass all withdrawal restriction )
- Market / Sell order with abnormal price ( 0.01 % ). We are in free market ok but it's not derivates ( so no squeeze here ) but we can easily detect a fast transfer of wealth.
- Accepting traders with false KYC ( i guess ) with all possibilities to withdraw fund to terrorist entities / cybercrimes responsible / etc.
- In that case Kraken is not supposed to accept a part a responsibility and reimburse some stolen fund to the user ?
It's like to easy to say "Okay victim, someone with just "trades rights" has stolen billion of dollars, we don't know where it's going and it's not our affairs".
