Cryptocurrency exchange Kraken has disclosed that a research team still holds $3 million worth of digital assets taken through a recently discovered bug.
On June 9, an anonymous “security researcher” found a critical bug and informed the crypto exchange about it. However, instead of just reporting it, two accounts linked to this researcher used the bug to withdraw over $3 million worth of digital assets, according to Nicholas Percoco, Kraken’s chief security officer.
Demands for a Reward
After withdrawing the funds, the researcher demanded a reward. Percoco detailed the situation in a June 19 post on X (formerly Twitter), stating:
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”
The stolen cryptocurrency came directly from Kraken’s treasury. The exchange emphasized that no user funds were at risk.
Kraken’s Response and Law Enforcement Involvement
Kraken said it will continue running its bug bounty program and is now working with law enforcement to recover the stolen assets. A spokesperson for Kraken told Cointelegraph:
“We’re disappointed by this experience and are now working with law enforcement agencies to retrieve the assets from these security researchers.”
Identity of the Researcher
One of the three Kraken accounts involved in the exploit had completed Know Your Customer (KYC) verification, but the identity of the individual claiming to be a security researcher has not been made public.
Initially, the bug finder demonstrated the flaw with a $4 crypto transfer, which would have been enough to earn a significant reward from the exchange’s bounty program. However, the bug was shared with two other accounts that then fraudulently withdrew nearly $3 million from Kraken.
Kraken’s Stance
Percoco criticized the actions as extortion, not ethical hacking:
“In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that ‘white hat hackers’ return what they stole from us. Unbelievable.”