TechFlow reports that Kraken exchange's Chief Security Officer, Nick Percoco, disclosed on X that on June 9, 2024, Kraken received a bug bounty alert from a security researcher reporting an "extremely severe" vulnerability. The vulnerability allowed attackers to increase their account balance without completing a deposit under specific circumstances.
The Kraken team quickly patched the vulnerability and discovered three accounts had exploited it, one of which belonged to a self-proclaimed security researcher. The researcher, along with two others, withdrew nearly $3 million. After Kraken requested the return of the funds without success, the exchange labeled their actions as extortion and escalated the matter as a criminal case. Kraken reaffirmed the importance and transparency of its bug bounty program.




