{"id":14513,"date":"2024-06-19T17:46:30","date_gmt":"2024-06-19T14:46:30","guid":{"rendered":"https:\/\/forklog.com\/en\/kraken-bug-hunters-extract-3-million-via-extremely-critical-vulnerability\/"},"modified":"2024-06-19T17:46:30","modified_gmt":"2024-06-19T14:46:30","slug":"kraken-bug-hunters-extract-3-million-via-extremely-critical-vulnerability","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/kraken-bug-hunters-extract-3-million-via-extremely-critical-vulnerability\/","title":{"rendered":"Kraken Bug Hunters Extract $3 Million via &#8216;Extremely Critical&#8217; Vulnerability"},"content":{"rendered":"<p>The cryptocurrency exchange Kraken has resolved a dangerous exploit that allowed users to artificially inflate and then deplete their account balances.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Kraken Security Update:<\/p>\n<p>On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an \u201cextremely critical\u201d bug that allowed them to artificially inflate their balance on our platform.<\/p>\n<p>\u2014 Nick Percoco (@c7five) <a href=\"https:\/\/twitter.com\/c7five\/status\/1803403565865771370?ref_src=twsrc%5Etfw\">June 19, 2024<\/a><\/p><\/blockquote>\n<p>According to Nick Percoco, the Chief Security Officer of the trading platform, the company received a vulnerability report on June 9 as part of its Bug Bounty program.<\/p>\n<p>The researcher identified an \u201cextremely critical\u201d bug but did not provide any details, the executive noted.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cWithin minutes, we identified an isolated bug. 
It allowed attackers, under certain circumstances, to initiate a deposit on our platform and receive funds into their account without fully completing the transaction,\u201d Percoco explained.<\/p>\n<\/blockquote>\n<p>The Kraken team resolved the vulnerability in about an hour, conducting an impact analysis. The head of security assured that user funds were not affected.<\/p>\n<p>However, the exchange discovered three accounts that had exploited the vulnerability. One account with <span data-descr=\"know your customer\" class=\"old_tooltip\">KYC<\/span> belonged to the user who reported the bug through the Bug Bounty program.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThis individual found a flaw in our deposit system and used it to credit their account with $4 in cryptocurrency. This would have been sufficient to demonstrate the flaw, submit a report to our team, and receive a substantial reward under our program&#8217;s terms,\u201d Percoco noted.<\/p>\n<\/blockquote>\n<p>However, the user disclosed the exploit to two other accomplices, a Kraken representative stated. Ultimately, they used the vulnerability to withdraw approximately $3 million belonging to the exchange&#8217;s treasury.<\/p>\n<p>Subsequently, the trading platform requested a full report on the bug from the researchers, who turned out to be an unnamed security analytics firm. However, they refused to share the data and demanded more money as a reward.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThey demanded a call with their business development team (i.e., their sales representatives) and refused to return any funds until we sent them a specific dollar amount that would reflect the potential damage from disclosing the exploit. 
This is not hacking; this is extortion,\u201d wrote Kraken&#8217;s head of cybersecurity.<\/p>\n<\/blockquote>\n<p>Earlier, the exchange OKX revealed details of a series of account hacks. According to the platform, a hacker forged documents and bypassed additional security mechanisms such as two-factor authentication (2FA).<\/p>\n<p>Back in June, it was reported that an attacker gained control over a Chinese trader&#8217;s account on Binance without having the password or access to 2FA. After a series of trades, they withdrew assets worth $1 million.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The cryptocurrency exchange Kraken has resolved a dangerous exploit that allowed users to artificially inflate and then deplete their account balances. Kraken Security Update: On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an \u201cextremely critical\u201d bug that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14512,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1166,44,193],"class_list":["post-14513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-centralized-exchanges-cex","tag-cybercrime","tag-kraken"],"aioseo_notices":[],"amp_enabled":true,"views":"22","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/14513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/e
n\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=14513"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/14513\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/14512"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=14513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=14513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=14513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}