
Alleged researchers stole $3 million from Kraken exchange


Alleged security researchers exploited a zero-day in the Kraken crypto exchange to steal $3 million worth of cryptocurrency.

Kraken Chief Security Officer Nick Percoco revealed that individuals claiming to be security researchers exploited a zero-day flaw to steal $3 million worth of cryptocurrency. The researchers are refusing to return the stolen funds.

Percoco revealed that a security researcher reported an “extremely critical” bug to the exchange on June 9. The researcher did not disclose technical details about the issue; they only explained that the flaw allowed anyone to arbitrarily increase the balance of a wallet.

“Every day we receive fake bug bounty reports from people claiming to be ‘security researchers’. This is not new to anyone who runs a bug bounty program. However, we treated this seriously and quickly assembled a cross-functional team to dig into this issue,” Percoco explained.

The Kraken security team discovered “an isolated bug” that allowed an attacker, under specific circumstances, to initiate a deposit onto the platform and receive the funds in their account without ever completing the deposit.

The company pointed out that clients’ assets were never at risk; the impact was that an attacker could, for a period of time, effectively print assets in their own Kraken account that had never actually arrived.

The security team addressed the vulnerability within an hour. The flaw stemmed from a recent change to the user interface that credited client accounts as soon as a deposit was initiated, before the assets had cleared, so that clients could trade the crypto markets in real time. Because the spendable balance was increased before settlement, a deposit that was started but never completed still left spendable funds in the account.

“This UX change was not thoroughly tested against this specific attack vector.” continues the
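The pattern described above, as an added illustration that is not Kraken’s code and makes no claim about how its systems are built: a toy exchange ledger that credits the spendable balance the moment a deposit is initiated, next to the conventional fix of parking unconfirmed deposits in a separate pending balance that only a confirmation event can release. Class and method names, the constructed account data and the amounts are all hypothetical.

```python
"""Toy ledger contrasting 'credit on initiate' with 'credit on confirm'.

Added example, not code from Kraken or from the article. All names and
figures are constructed for illustration.
"""
from dataclasses import dataclass, field
import uuid


@dataclass
class Account:
    available: int = 0    # spendable balance, smallest currency unit
    pending: int = 0      # announced but not yet settled
    # deposit_id -> (state, amount); state is "initiated" or "confirmed"
    deposits: dict = field(default_factory=dict)


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is *initiated*."""

    def __init__(self):
        self.accounts = {}

    def account(self, user):
        return self.accounts.setdefault(user, Account())

    def initiate_deposit(self, user, amount):
        acct = self.account(user)
        dep_id = str(uuid.uuid4())
        acct.deposits[dep_id] = ("initiated", amount)
        acct.available += amount   # BUG: spendable before settlement
        return dep_id

    def confirm_deposit(self, user, dep_id):
        # Settlement only flips a flag; the money was already spendable.
        acct = self.account(user)
        state, amount = acct.deposits.get(dep_id, (None, 0))
        if state != "initiated":
            return False
        acct.deposits[dep_id] = ("confirmed", amount)
        return True

    def withdraw(self, user, amount):
        acct = self.account(user)
        if acct.available < amount:
            raise ValueError("insufficient funds")
        acct.available -= amount
        return True


class HardenedLedger(VulnerableLedger):
    """Holds unconfirmed deposits in `pending`; only confirmation releases them."""

    def initiate_deposit(self, user, amount):
        acct = self.account(user)
        dep_id = str(uuid.uuid4())
        acct.deposits[dep_id] = ("initiated", amount)
        acct.pending += amount     # shown to the user, never spendable
        return dep_id

    def confirm_deposit(self, user, dep_id):
        acct = self.account(user)
        state, amount = acct.deposits.get(dep_id, (None, 0))
        if state != "initiated":
            return False           # unknown or replayed confirmation: no-op
        acct.deposits[dep_id] = ("confirmed", amount)
        acct.pending -= amount
        acct.available += amount   # credit happens exactly once, on settlement
        return True


def run_attack(ledger_cls):
    """Start a deposit, never complete it, and try to withdraw the credit.

    Returns True if the ledger hands out money that never arrived.
    """
    ledger = ledger_cls()
    ledger.initiate_deposit("attacker", 1_000)
    try:
        return ledger.withdraw("attacker", 1_000)
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable ledger pays out unsettled deposit:", run_attack(VulnerableLedger))
    print("hardened ledger pays out unsettled deposit:  ", run_attack(HardenedLedger))
```

The hardened `confirm_deposit` is deliberately idempotent: a second confirmation for the same deposit ID returns False and changes no balance, which closes the related failure mode where a replayed or duplicated settlement event credits an account twice.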

After patching the vulnerability, the team discovered that three accounts had exploited it within a span of a few days. One of these accounts had been verified by an individual claiming to be a security researcher.

Percoco added that the researcher disclosed the bug to two other individuals who used it to withdraw $3 million in stolen funds from their Kraken accounts.

The company asked the researchers to return the stolen funds, but they refused.

“This is not white-hat hacking, it is extortion!” said Percoco, who added that his company notified law enforcement.


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)