Kraken Chief Security Officer: Fraudsters withdraw nearly $3 million from Kraken accounts, client assets safe
On June 19, Nick Percoco, chief security officer of Kraken Exchange, disclosed in a post on the X platform that he had received a Bug Bounty program alert from a security researcher on June 9. The researcher initially did not disclose any specific details, claiming only in an email to have found an "extremely serious" vulnerability that allowed them to artificially increase the balance on Kraken's platform.
To be clear, client assets were never compromised. However, a malicious attacker could effectively steal the assets in their Kraken account for a period of time. Kraken classified this vulnerability as "critical", and within an hour (47 minutes to be exact) the expert team had mitigated the issue. Within a few hours, the issue was fully fixed and will not happen again. A thorough investigation soon found that three accounts had exploited this vulnerability within a few days and ended up withdrawing nearly $3 million from Kraken accounts; the money came from Kraken funds, not other client assets.