Kraken, a prominent cryptocurrency exchange, recently faced a significant security breach involving its Bug Bounty program. Nick Percoco, Kraken's Chief Security Officer, detailed the incident on X, revealing that fraudulent actions by so-called "security researchers" led to nearly $3 million being withdrawn from the exchange's treasuries.
On June 9, 2024, Kraken received an alert from a security researcher claiming to have discovered an "extremely critical" bug. This bug purportedly allowed for the artificial inflation of account balances on the Kraken platform. The initial report, however, did not disclose detailed transaction information.
Percoco noted that the researcher shared the bug with two colleagues, who then exploited it to generate large sums of money. These individuals managed to withdraw nearly $3 million from Kraken's treasuries. Crucially, no client assets were affected by this breach.
In response to the partial disclosure, Kraken's security team contacted the researchers to confirm details and arrange for the reward. This is standard procedure within Kraken's Bug Bounty program, which has been in place for nearly ten years and is staffed by top experts in the field.
Kraken requested a full account of the activities, proof of concept, and the return of the withdrawn funds. The researchers, however, refused these requests and demanded a speculative amount in return for the bug's potential impact had it not been disclosed. Percoco described this demand as extortion rather than legitimate white-hat hacking.
Kraken has clarified that their Bug Bounty program is designed to enhance security and relies on ethical behavior from researchers. According to Percoco, the actions of these researchers violated the rules of the program and constituted criminal behavior. Kraken is now treating this incident as a criminal case and coordinating with law enforcement agencies.
Percoco emphasized that this breach is an isolated incident and that Kraken remains committed to its Bug Bounty program. The exchange will continue to work with ethical researchers to improve the security of the cryptocurrency ecosystem.
Kraken's transparency and swift action in this case underscore their commitment to protecting their platform and users, especially given that the stolen funds were from their treasury and not client funds. This incident also highlights the challenges of maintaining security in the rapidly evolving world of cryptocurrency.