The Kraken crypto exchange disclosed today that alleged security researchers exploited a zero-day website bug to steal $3 million in cryptocurrency and then refused to return the funds.
The hack was disclosed by Kraken Chief Security Officer Nick Percoco on X, explaining that the exchange's security team received a vague bug report on June 9th about an "extremely critical" vulnerability that allowed anyone to increase the balances in a Kraken wallet artificially.
Kraken says they investigated the report and discovered a bug allowing attackers to initiate deposits and receive the funds, even if the deposit failed.
"Within minutes we discovered an isolated bug. This allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit," explained Percoco.
"To be clear, no client's assets were ever at risk. However, a malicious attacker could effectively print assets in their Kraken account for a period of time."
Percoco says that the Kraken security team fixed the flaw within an hour and discovered that it stemmed from a recent user interface change that allows customers to deposit funds and use them before they were cleared.
This is where things take a strange turn.
After fixing the bug, they discovered that three users exploited it as a zero-day to steal $3 million from the exchange's treasury.
One member was linked to a person who claimed to be a researcher, who used it to deposit $4 in crypto to their account to prove the bug.
However, Percoco says that the bug was disclosed to two other people associated with the researcher, who used it to withdraw an additional $3 million in stolen funds from their Kraken accounts.
After contacting the researcher about this withdrawal, Percoco says the researchers refused to return the crypto or share any information regarding the vulnerability as expected in a bug disclosure.
"Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it," claimed Percoco.
"This is not white-hat hacking, it is extortion!"
Percoco says that Kraken is not disclosing the identity of the researchers as "they don't deserve recognition for their actions."
Kraken now says that they treat this as a criminal case and have notified law enforcement.
BleepingComputer contacted Kraken for more information and will update the story if we receive a response.