Cryptocurrency exchange Kraken has disclosed that a research team has taken control of $3 million worth of digital assets after discovering and exploiting a critical security bug.
An anonymous individual, who identified themselves as a ‘security researcher,’ reported the bug to Kraken on June 9. However, Kraken’s Chief Security Officer, Nick Percoco, stated that two accounts linked to this researcher used the bug to withdraw over $3 million worth of digital assets.
Following the unauthorized withdrawals, the researcher is demanding a reward for the stolen funds. Percoco described this demand in a June 19 post on X, calling it extortion: “Instead, they demanded a call with their business development team (i.e., their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”
Kraken clarified that the stolen cryptocurrency was taken directly from the exchange’s treasury and that no user funds were compromised.
One of the three accounts involved in the exploit had previously completed Know Your Customer (KYC) verification, identifying themselves as a security researcher, although their actual identity remains undisclosed.
Initially, the individual demonstrated the bug with a $4 crypto transfer, which would have sufficed to prove the bug and claim a reward from Kraken’s bounty program. However, the individual then shared the bug with two other accounts, which proceeded to siphon nearly $3 million from Kraken.
Percoco criticized these actions as extortion, not ethical hacking: “In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that ‘white-hat hackers’ return what they stole from us. Unbelievable.”
The news comes hot on the heels of recent reports suggesting that Kraken is exploring a funding round to raise over $100 million in preparation for an initial public offering (IPO). According to sources cited by Bloomberg on June 6, the funding round is expected to take place by 2025.
The exchange also faces a civil lawsuit filed by the U.S. Securities and Exchange Commission (SEC) in November 2023, which accuses the exchange of operating without proper registrations as a broker, clearinghouse, or exchange. The legal action follows a settlement earlier in the year about Kraken’s staking services, where similar registration issues were raised.
In a recent court filing, Kraken refuted the SEC’s claims by arguing that the cryptocurrencies listed in the SEC’s complaint should be classified as commodities rather than securities. This classification would exempt them from certain regulatory requirements under the SEC’s jurisdiction. Kraken’s defense hinges on the application of the Howey test, which is used to determine whether certain transactions qualify as investment contracts and therefore constitute securities under U.S. law.


