There was a recent attack on the crypto exchange Kraken, which disclosed the turn of events over social media, stating that security researchers exploited a zero-day vulnerability to steal as much as $3 million. This "extremely critical" bug was first reported to the company by the security researchers, who then used it to their own advantage.
The platform stated that it has since fixed the issue, but that the bug had already been exploited by the bad actors before the report came in.
Kraken: $3M in Crypto Stolen by Security Researchers via Zero-Day
The attack against Kraken was made public by the company's Chief Security Officer, Nick Percoco, via X, where he stated that on June 9 the platform received an alert through its Bug Bounty program. The security researcher reported a bug that allowed users to 'artificially inflate' their balance without actually depositing money.
The Kraken team isolated the bug in under two hours, said Percoco, and fixed it several hours later. It centered on a UX change that could credit a client's account balance before the deposit had completed, making the funds available for trading in real time.
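The class of flaw described above, a ledger that credits a spendable balance when a deposit is merely initiated rather than when it settles, is easy to see in a small model. The following is an added example written for this article, not Kraken's code, and it assumes nothing about Kraken's actual implementation: the account, deposit and ledger classes are hypothetical, and the amounts are constructed. It places the vulnerable credit-on-initiate logic beside a hardened version that keeps unsettled funds in a separate pending balance, only moves them to the spendable balance on confirmation, and guards against a deposit being confirmed twice.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # user started a deposit; funds not yet received
    CONFIRMED = "confirmed"   # funds actually arrived (on-chain or from bank)
    FAILED = "failed"         # deposit abandoned or rejected upstream


@dataclass
class Deposit:
    deposit_id: str
    amount: int               # minor units (constructed values below)
    state: DepositState = DepositState.INITIATED


@dataclass
class Account:
    settled: int = 0          # funds really received; the only spendable balance
    pending: int = 0          # funds promised but not received; display only
    deposits: dict = field(default_factory=dict)


class VulnerableLedger:
    """Hypothetical flawed ledger: credits spendable balance on deposit *initiation*."""

    def __init__(self):
        self.accounts = {}

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user, deposit_id, amount):
        acct = self.account(user)
        acct.deposits[deposit_id] = Deposit(deposit_id, amount)
        acct.settled += amount    # BUG: credited before any money has arrived

    def withdraw(self, user, amount):
        acct = self.account(user)
        if amount > acct.settled:
            raise ValueError("insufficient funds")
        acct.settled -= amount    # money that never existed leaves the treasury
        return amount


class HardenedLedger:
    """Hypothetical corrected ledger: pending and settled balances are separate."""

    def __init__(self):
        self.accounts = {}

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user, deposit_id, amount):
        acct = self.account(user)
        if deposit_id in acct.deposits:
            raise ValueError("duplicate deposit id")
        acct.deposits[deposit_id] = Deposit(deposit_id, amount)
        acct.pending += amount    # shown to the user, but not spendable

    def confirm_deposit(self, user, deposit_id):
        """Called only once the funds are verifiably received."""
        acct = self.account(user)
        dep = acct.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalised")   # no double credit
        dep.state = DepositState.CONFIRMED
        acct.pending -= dep.amount
        acct.settled += dep.amount

    def fail_deposit(self, user, deposit_id):
        acct = self.account(user)
        dep = acct.deposits[deposit_id]
        if dep.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalised")
        dep.state = DepositState.FAILED
        acct.pending -= dep.amount

    def withdraw(self, user, amount):
        acct = self.account(user)
        if amount > acct.settled:  # pending funds are never withdrawable
            raise ValueError("insufficient funds")
        acct.settled -= amount
        return amount


def can_withdraw_unsettled(ledger_cls):
    """Return True if a deposit that never settled can be withdrawn from ledger_cls."""
    ledger = ledger_cls()
    ledger.initiate_deposit("user", "dep-1", 1_000)   # constructed amount
    try:
        ledger.withdraw("user", 1_000)
        return True
    except ValueError:
        return False
```

The detection angle for a treasury team is the same invariant the hardened ledger enforces: the sum of all settled balances must never exceed the sum of confirmed deposits minus withdrawals, and a withdrawal against an account whose deposits are all still in the initiated state should page someone.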
Zero-Day Bug: 'Printing' Assets on Kraken's Platform
However, after patching the bug, the team found that three accounts had already exploited the flaw and collectively withdrawn $3 million from the platform. The funds were taken directly from Kraken's treasuries, not from clients.
The self-described 'white-hat hackers' then refused to return the stolen assets and instead demanded a payment based on a speculative estimate of how much the bug could have cost the company had they not reported it. Percoco called this move 'extortion,' and the company is already coordinating with law enforcement officials over the attack.
Cryptocurrency and Security
Attacks and exploitation in the world of cryptocurrency are nothing new, as it is seen as one of the fastest ways to earn money, and to do so securely, so many come looking to make a fortune and may make mistakes along the way.
Attacks and scams take different forms. In one 'address-poisoning' phishing scam, a threat actor stole as much as $70.5 million in WBTC but later had a change of heart and returned half after being offered a bounty.
There have also been straight-up attacks on the market: two brothers in the United States were charged over an alleged hack against Ethereum. They are believed to have stolen as much as $25 million in ETH, and were arrested by the FBI and charged by the US DOJ with wire fraud, conspiracy, and money laundering.
Crypto is still in a grey area where these kinds of attacks keep happening, with many outsmarting companies and platforms for their own benefit. The latest attack on Kraken used a zero-day vulnerability to get away with as much as $3 million from the platform's wallets, carried out by security researchers who knew the platform's ins and outs.