
Kraken crypto exchange faces extortion attempt from security researchers

Crypto News Curator

I am the curator of the Crypto News at CryptoWorldAlerts. If the document or its content infringes any copyright, please point it out in the comments and it will be removed promptly. For every article we include the link to the resource, listed as the Source Link. If this article, video or photo infringes any copyright, please report it to the author's email or in the comment box.

On June 9, 2024, Kraken, a prominent cryptocurrency exchange, received an alarming Bug Bounty report. The report, submitted by a security researcher, claimed to have discovered an “extremely critical” bug that allowed balance inflation. However, what initially seemed like a routine vulnerability report quickly turned into an extortion attempt.

While investigating the bug report, a team led by Nick Percoco, Kraken’s Chief Security Officer, identified a $3 million exploit. Specifically, the executive addressed the whole situation in a thread on X (formerly Twitter), posted on June 19.

Notably, the investigation revealed that three accounts had exploited the reported flaw within days of each other. One account belonged to an individual who claimed to be a security researcher. Essentially, this person discovered and leveraged the bug to credit their account with $4 in crypto.

Percoco described that as sufficient to prove the flaw and collect a substantial reward through Kraken’s Bug Bounty program. However, things escalated quickly once the team noticed the other two accounts, which allegedly benefited from the first person’s disclosure.

“Instead, the ‘security researcher’ disclosed this bug to two other individuals who they work with who fraudulently generated much larger sums. They ultimately withdrew nearly $3 million from their Kraken accounts. This was from Kraken’s treasuries, not other client assets.”

– Nick Percoco

From a bug report to an extortion attempt

When Kraken requested a full account of their activities and the return of the withdrawn funds, the security researchers refused and demanded a call with their business development team, engaging in what Percoco described as extortion.

Moreover, the Chief Security Officer explained that Kraken’s Bug Bounty program, in place for nearly a decade, has clear rules. In particular:

“Do not exploit more than necessary to prove the vulnerability, provide a proof of concept, and immediately return any extracted funds.”

According to the exchange’s executive, legitimate researchers have never faced issues with Kraken, which has always been responsive.

In the interest of transparency, the company disclosed the bug to the industry and is treating the incident as a criminal case, coordinating with law enforcement agencies. The exchange emphasized that ignoring bug bounty program rules and attempting to extort the company revokes a researcher’s “license to hack” and makes them criminals.

Kraken’s bug investigation

Furthermore, Nick Percoco revealed that the exchange regularly receives fake bug bounty reports. Nevertheless, Kraken treated this report seriously and promptly assembled a team to investigate. Within minutes, they discovered an isolated bug that, under specific circumstances, allowed a malicious attacker to initiate a deposit and receive funds without fully completing the transaction.

“To be clear, no client’s assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time.”

– Nick Percoco

Kraken’s team mitigated the issue within an hour and 47 minutes, as reported by Percoco. The vulnerability was completely fixed within a few hours, ensuring it could not reoccur. The flaw stemmed from a recent user experience (UX) change that credited client accounts before their assets cleared, enabling real-time trading.

“This change was not thoroughly tested against the specific attack vector”

– Nick Percoco
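To make that failure mode concrete, the following is an added, hypothetical ledger model written for this page; it is not Kraken’s code and makes no claim about how Kraken’s systems are built. The `credit_on_initiate` flag reproduces the pattern described above (a deposit is credited to the spendable balance as soon as it is initiated, before the funds clear), next to the hardened variant that holds unsettled deposits in a separate pending balance that cannot be withdrawn. The `Ledger` and `Account` classes, the `run_attack` helper, the treasury figure and the deposit ids are all constructed for the example.

```python
"""Toy deposit ledger showing why crediting a spendable balance at deposit
initiation, rather than at settlement, lets an attacker withdraw funds the
exchange never received.

Hypothetical model written for this article. It is NOT Kraken's code and
does not describe Kraken's internals; names and amounts are constructed.
"""
from dataclasses import dataclass, field


class InsufficientFunds(Exception):
    """Withdrawal exceeds the settled (available) balance."""


@dataclass
class Account:
    available: int = 0   # settled, withdrawable balance (integer minor units)
    pending: int = 0     # initiated but not yet settled deposits


@dataclass
class Ledger:
    credit_on_initiate: bool           # True reproduces the flawed behaviour
    treasury: int = 10_000_000         # exchange-owned funds withdrawals draw from
    accounts: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)  # id -> [user, amount, settled]

    def _acct(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, deposit_id, user, amount):
        """Deposit first observed (e.g. transaction seen, not yet confirmed)."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")  # a replay must not credit twice
        self.deposits[deposit_id] = [user, amount, False]
        acct = self._acct(user)
        if self.credit_on_initiate:
            acct.available += amount   # flawed: spendable before the funds exist
        else:
            acct.pending += amount     # hardened: visible, but not withdrawable

    def settle_deposit(self, deposit_id):
        """Deposit has actually cleared; only now does the exchange hold the funds."""
        user, amount, settled = self.deposits[deposit_id]
        if settled:
            return
        self.deposits[deposit_id][2] = True
        acct = self._acct(user)
        if not self.credit_on_initiate:
            acct.pending -= amount
            acct.available += amount
        self.treasury += amount

    def cancel_deposit(self, deposit_id):
        """Deposit never completed (reversal, reorg, or never broadcast at all)."""
        user, amount, settled = self.deposits.pop(deposit_id)
        if settled:
            raise ValueError("cannot cancel a settled deposit")
        acct = self._acct(user)
        if self.credit_on_initiate:
            acct.available -= amount   # may go negative: the money already left
        else:
            acct.pending -= amount

    def withdraw(self, user, amount):
        """Withdrawals are only ever paid out of the settled balance."""
        acct = self._acct(user)
        if amount <= 0 or amount > acct.available:
            raise InsufficientFunds(f"{user}: {amount} > available {acct.available}")
        acct.available -= amount
        self.treasury -= amount
        return amount


def run_attack(credit_on_initiate):
    """Initiate a deposit, withdraw at once, then let the deposit fail.

    Returns (treasury_loss, attacker_available_balance_afterwards).
    """
    ledger = Ledger(credit_on_initiate=credit_on_initiate)
    start = ledger.treasury
    ledger.initiate_deposit("dep-1", "attacker", 3_000_000)  # constructed amount
    try:
        ledger.withdraw("attacker", 3_000_000)
    except InsufficientFunds:
        pass                      # hardened ledger refuses the withdrawal
    ledger.cancel_deposit("dep-1")
    return start - ledger.treasury, ledger.accounts["attacker"].available


if __name__ == "__main__":
    print("flawed  :", run_attack(True))    # treasury drained, account negative
    print("hardened:", run_attack(False))   # nothing leaves the treasury
```

In the flawed mode the exchange-owned treasury loses the full withdrawn amount and the attacker’s account is left with a negative balance that nobody will ever fund, which matches the “print assets” description above. The hardened mode still lets the client see the incoming deposit (and could let them trade against `pending` under separate risk limits) but never lets unsettled value leave the platform; the `settle_deposit` path is the only one that moves value from `pending` to `available`.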

Despite this isolated experience, Kraken remains committed to its Bug Bounty program, recognizing its importance in enhancing the overall security of the crypto ecosystem. The exchange looks forward to working with good-faith actors in the future while taking a stand against unethical behavior.
