"Researchers" exploit Kraken exchange bug, steal $3 million in crypto
The Kraken crypto exchange disclosed today that alleged security researchers exploited a zero-day website bug to steal $3 million in cryptocurrency and then refused to return the funds.
The hack was disclosed on X by Kraken Chief Security Officer Nick Percoco, who explained that the exchange's security team received a vague bug report on June 9th about an "Extremely critical" bug that allowed anyone to artificially increase the balances in a Kraken wallet.
Kraken says they investigated the report and discovered a bug allowing attackers to initiate deposits and receive the funds, even if the deposit failed.
After fixing the bug, they discovered that three users exploited it as a zero-day to steal $3 million from the exchange's treasury.
Percoco says that the bug was disclosed to two other people associated with the researcher, who used it to withdraw an additional $3 million in stolen funds from their Kraken accounts.
Percoco says that after the exchange contacted the researcher about this withdrawal, the researchers refused to return the crypto or share any information regarding the vulnerability, as is expected in a bug disclosure.