US-based crypto exchange Kraken has disclosed that it is being “extorted” by a self-proclaimed security researcher who exploited a critical bug in its platform to steal $3 million worth of digital assets. The researcher reported the bug on June 9 but used it to withdraw funds from Kraken’s treasury rather than safeguarding them.

Nick Percoco, Kraken’s Chief Security Officer, revealed that the researcher, along with two associated accounts, used the bug to withdraw over $3 million. Following the exploit, the researcher demanded a speculative reward for the stolen funds before agreeing to return them. Percoco stated in a June 19 X post that this behavior is not white-hat hacking but extortion.

One of the accounts involved had completed Know Your Customer (KYC) verification, yet the identity of the researcher remains undisclosed. The individual initially demonstrated the bug with a $4 crypto transfer, which would have sufficed to earn a substantial reward through Kraken’s bounty program. However, the researcher shared the bug with two other accounts, leading to the significant theft.

In light of these events, Kraken emphasized that the stolen cryptocurrency came from its treasury, so no user funds were endangered. Percoco reiterated the unethical nature of the actions, stressing that Kraken is being unfairly criticized for requesting the return of the stolen assets.

The incident highlights the growing threat of crypto hacks and exploits. Data from a report by Merkle Science indicates that in the first quarter of 2024, hackers stole $542.7 million in digital assets, a 42% increase from the same period in 2023. Private key leaks, not smart contract vulnerabilities, were the leading cause. The same report finds that smart contract-related losses dropped significantly to $179 million in 2023 from $2.6 billion in 2022.