Bitcoin Forum
Author Topic: Kraken - $3 million stolen  (Read 119 times)
Tipstar (OP)
Sr. Member
Activity: 1932
Merit: 300
June 19, 2024, 05:04:55 PM
#1

A recent UX change at Kraken seems to have opened a flaw that was misused to steal $3 million worth of crypto from the Kraken exchange. Apparently a security tester first withdrew $3 million, let Kraken know about the bug and asked for the withdrawn money as a reward. Kraken seems to have consulted the authorities and a criminal investigation is underway. I highly doubt they'll be able to get anything.
$3 million is not a huge amount, but at the current time of uncertainty it could be another reason for the market to decrease. What are your thoughts on it?

https://cointelegraph.com/news/kraken-claims-extortion-bug-bounty-report

MAAManda
Hero Member
Activity: 1666
Merit: 777
June 19, 2024, 05:39:51 PM
#2

Quote from: Tipstar on June 19, 2024, 05:04:55 PM

The tester withdrew $3M and then asked for all of it as his prize. How funny; he should have created a win-win solution for both parties, for example only asking for 10-30% of that amount. BTW, talking about the market: that's not a big amount considering Kraken is one of the big exchanges in the industry. After all, $3M won't be able to move the crypto market; it could if it went to degens, LOL.

Belarge
Full Member
Activity: 560
Merit: 100
June 19, 2024, 08:48:38 PM
Merited by hugeblack (2), Princess Leah (1)
#3

Quote from: Tipstar on June 19, 2024, 05:04:55 PM

Wait a second, did I read that correctly? You clearly state that $3 million is not a substantial figure; it amazes me. However, everyone has their own opinion to throw in regarding the $3 million stolen, and we know the cybersecurity teams are doing their utmost to track these thefts. This is cryptocurrency; we have encountered numerous fraudulent activities and we should be ready to face our fears in this space.

hugeblack
Legendary
Activity: 2688
Merit: 3969
June 20, 2024, 07:51:45 AM
#4

It is an extortion attempt, but instead of trying to blackmail them, obtaining this money legally from the rewards program would have been better, especially since they now have to return the money. Otherwise, the cybercrime unit may intervene and make their lives more difficult.
They may reach an agreement, but this attempt, done in this way, proves that the hacker may repeat it in the future.

dkbit98
Legendary
Activity: 2408
Merit: 7561
June 20, 2024, 02:33:23 PM
#5

I saw this news yesterday, but it's more complicated than it first appeared to be.
Now it looks like the security firm CertiK was responsible for finding and exploiting this bug, so now there is a war between Kraken and CertiK.
CertiK is claiming that Kraken threatened their employees and didn't give them enough time to reply to the accusations.

Quote from: CertiK
CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.

Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal transfer statuses, we conducted a thorough investigation with three key questions:

1/ Can a malicious actor fabricate a deposit transaction to a Kraken account?
2/ Can a malicious actor withdraw fabricated funds?
3/ What risk controls and asset protection might be triggered by a large withdrawal request?

According to our testing result: The Kraken exchange failed all these tests, indicating that Kraken's defense-in-depth system is compromised on multiple fronts. Millions of dollars can be deposited to ANY Kraken account. A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.

Upon discovery, we informed Kraken, whose security team classified it as Critical: the most serious classification level at Kraken.

After initial successful conversations on identifying and fixing the vulnerability, Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.

In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users' security. We urge @krakenfx to cease any threats against whitehat hackers.
https://x.com/CertiK/status/1803450205389402215

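The failure CertiK describes in the quoted post above (a deposit system that does not differentiate between internal transfer statuses, so a fabricated or never-completed deposit becomes withdrawable and no alert fires) can be illustrated with a small ledger model. The following is an added example, not Kraken's or CertiK's code; the status names, the event shape, and the idea of a "settled" balance are assumptions made here to show the class of bug, not a description of Kraken's actual system.

```python
"""Deposit-ledger state machine: a status-blind ledger beside a hardened one.

Added illustrative example (not Kraken's or CertiK's code). Status names,
event shape and the settled/unsettled split are assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed internal transfer statuses. Only CONFIRMED is terminal success.
PENDING, CONFIRMED, FAILED, CANCELED = "pending", "confirmed", "failed", "canceled"
TERMINAL_SUCCESS = {CONFIRMED}
TERMINAL_FAILURE = {FAILED, CANCELED}


@dataclass
class TransferEvent:
    transfer_id: str
    account: str
    amount: Decimal
    status: str


@dataclass
class VulnerableLedger:
    """The bug: every transfer event credits the balance, whatever its status."""
    balances: dict = field(default_factory=dict)

    def apply(self, ev: TransferEvent) -> None:
        self.balances[ev.account] = self.balances.get(ev.account, Decimal(0)) + ev.amount

    def withdraw(self, account: str, amount: Decimal) -> bool:
        bal = self.balances.get(account, Decimal(0))
        if amount > bal:
            return False
        self.balances[account] = bal - amount
        return True


@dataclass
class HardenedLedger:
    """Credits only on terminal success, is idempotent per transfer_id,
    reverses a credited transfer that later fails, and alerts on withdrawals
    that exceed the settled balance."""
    settled: dict = field(default_factory=dict)   # account -> spendable balance
    credited: set = field(default_factory=set)    # transfer_ids already credited
    alerts: list = field(default_factory=list)

    def apply(self, ev: TransferEvent) -> None:
        if ev.status in TERMINAL_SUCCESS:
            if ev.transfer_id in self.credited:
                return  # replayed confirmation: never double-credit
            self.credited.add(ev.transfer_id)
            self.settled[ev.account] = self.settled.get(ev.account, Decimal(0)) + ev.amount
        elif ev.status in TERMINAL_FAILURE:
            if ev.transfer_id in self.credited:
                # A transfer we already credited has been reversed: debit and flag it.
                self.credited.discard(ev.transfer_id)
                self.settled[ev.account] -= ev.amount
                self.alerts.append(f"reversal after credit: {ev.transfer_id}")
        elif ev.status == PENDING:
            pass  # shown to the user as pending, never spendable
        else:
            raise ValueError(f"unknown transfer status {ev.status!r}")

    def withdraw(self, account: str, amount: Decimal) -> bool:
        bal = self.settled.get(account, Decimal(0))
        if amount > bal:
            self.alerts.append(f"withdrawal {amount} exceeds settled {bal} for {account}")
            return False
        self.settled[account] = bal - amount
        return True


# Constructed event streams (sample data, not real transactions).
def fabricated_deposit_events() -> list:
    """A deposit announced as pending that then fails: no real funds arrive."""
    return [TransferEvent("t1", "acct-A", Decimal("1000"), PENDING),
            TransferEvent("t1", "acct-A", Decimal("1000"), FAILED)]


def genuine_deposit_events() -> list:
    """A deposit that reaches terminal success, with the confirmation replayed once."""
    return [TransferEvent("t2", "acct-A", Decimal("1000"), PENDING),
            TransferEvent("t2", "acct-A", Decimal("1000"), CONFIRMED),
            TransferEvent("t2", "acct-A", Decimal("1000"), CONFIRMED)]


def run(ledger_cls, events, withdraw_amount=Decimal("1000")):
    """Feed events to a fresh ledger, attempt a withdrawal, return (ok, alerts)."""
    ledger = ledger_cls()
    for ev in events:
        ledger.apply(ev)
    ok = ledger.withdraw("acct-A", withdraw_amount)
    return ok, list(getattr(ledger, "alerts", []))


if __name__ == "__main__":
    print("vulnerable, fabricated deposit:", run(VulnerableLedger, fabricated_deposit_events()))
    print("hardened,   fabricated deposit:", run(HardenedLedger, fabricated_deposit_events()))
    print("hardened,   genuine deposit:   ", run(HardenedLedger, genuine_deposit_events()))
```

The status-blind ledger credits the pending event and the failed event, so a deposit that never settled funds a $1000 withdrawal with no signal to anyone. The hardened ledger keeps pending funds out of the spendable balance, refuses the withdrawal, and emits an alert that a withdrawal exceeded settled deposits, which is the kind of risk control the quoted post says was absent during the multi-day test.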
Text
Hero Member
Activity: 2548
Merit: 607
June 20, 2024, 02:45:40 PM
#6

This is wild! Stealing $3 million and then trying to claim a bug bounty is a crazy move. I understand they found a vulnerability, but extorting a company out of millions isn't exactly ethical hacking. It sounds like Kraken is taking the right steps by involving law enforcement. While $3 million might not seem like a ton in the grand scheme of the crypto market, it's definitely not a drop in the bucket either.

Do these security researchers have a leg to stand on, or is this a clear-cut case of theft?

Pmalek
Legendary
Activity: 2940
Merit: 7549
June 20, 2024, 03:19:07 PM
#7

It has happened in the past that a company or project that got successfully attacked and had its money stolen promised a reward to the thief/hacker if the money was returned. But the reward is usually just a part of the spoils. In this situation, CertiK, or whoever is behind the theft, requests everything, and I don't think they will get it. Both parties need to feel satisfied with the deal, and that's currently not the case.

albon
Legendary
Activity: 1876
Merit: 1536
June 20, 2024, 08:17:36 PM
#8

I agree with the article above; it is clearly an act of extortion against Kraken by the security researcher. If he had been an ethical white-hat hacker, he would have merely informed them of the bug after transferring one of the cryptocurrencies worth $4. He would have been eligible for the bug bounty program that Kraken offers to security researchers, allowing him to receive a large reward for his efforts and enabling the Kraken security team to fix critical bugs in their system.

However, it is evident that he exploited the bug through two other accounts belonging to him and withdrew 3 million dollars, which now puts him under the law's scrutiny. If he passed KYC on their exchange, it is a matter of time until they discover his identity and recover the stolen funds through the appropriate authorities. In fact, what happened to Kraken can happen to any exchange platform, as they are not free of bugs, so we always warn against using them as wallets.

tabas
Hero Member
Activity: 3178
Merit: 770
June 20, 2024, 08:42:26 PM
#9

The guy should have asked for consent first if he's into bug bounties. Kraken would have rewarded him without him having to face consequences. But instead, he withdrew first and then asked for it. What a guy; he has to ask first if he has good intentions as a white-hat hacker. However, he did it the other way around: he hacked them without permission first, did the act, and then asked afterwards. That doesn't sound professional; it sounds like a criminal.

Saint-loup
Legendary
Activity: 2786
Merit: 2428
June 20, 2024, 09:26:06 PM
Last edit: June 23, 2024, 06:49:37 PM by Saint-loup
#10

AFAIK it's the first reported hack of Kraken. They have a solid reputation as an ultra-safe exchange against hacking, so I wonder how they were able to find this vulnerability. Besides that, it's sad to notice that 100% unhackable, and therefore 100% safe, exchanges unfortunately don't exist. Storing our funds in non-custodial wallets is the only solution, exclusively or almost exclusively depending on our OPSEC measures and our own responsibility, and on nothing or no one else in the end (except bugs in the wallet, eventually, of course).
