Key Takeaways
- Kraken has accused security researchers of extortion after a $3M bug exploit.
- The researchers demanded a bounty negotiation before returning any funds.
- Certik found several vulnerabilities in Kraken’s platform during multi-day testing.
Kraken revealed that security researchers exploited a vulnerability in its platform, stealing nearly $3 million from the exchange’s treasuries. According to Kraken’s Chief Security Officer Nick Percoco, the issue was reported on June 9 and swiftly fixed, ensuring no user funds were affected.
However, the researchers disclosed the bug to two other individuals, who then fraudulently withdrew the funds.
The researchers demanded a negotiation over the bounty amount before returning any funds, which Kraken labeled as extortion.
Percoco stated on social media platform X (formerly Twitter):
This is not white-hat hacking, it is extortion!
Blockchain security firm Certik, which claimed to have found several vulnerabilities during a multi-day test, also reported threats from Kraken. Certik alleged that Kraken demanded repayment of a mismatched amount within an unreasonable timeframe.
Kraken’s bug bounty program requires researchers to exploit the minimum amount necessary to prove the bug, return the assets, and provide details of the vulnerability to receive payment. Kraken stated the researchers did not follow these rules, so they will not be paid the bounty. A Kraken spokesperson mentioned they are now working with law enforcement to retrieve the stolen assets.
Bug bounty programs, like those run by Kraken and Coinbase, aim to strengthen security by inviting third-party hackers to find vulnerabilities before malicious actors exploit them.