Kraken, a leading international crypto-exchange, has been the subject of intense dispute recently over a critical vulnerability exposed by a security group which provides a lesson in how not to conduct "white hat hacking".
"White hat hacking" involves using hacking tools for ethical purposes, and is a valuable part of information technology and crypto-assets and blockchain. Many projects offer bug bounties to encourage white hats to try and hack their systems and then report vulnerabilities so that they may be patched. Over time this should result in stronger and more resilient systems. White hats are contrasted against "black hat" hackers who hack for personal gain and profit or otherwise act maliciously. Kevin Mitnick is probably the most famous black hat hacker who broke into over 40 US government systems and ultimately went to jail and became a cybersecurity consultant.
"Grey hat" hackers sit between the white and black, often hacking without the invitation of a project owner, looking for vulnerabilities in systems and then approaching the owner, asking for a fee to assist in fixing the problem.
The Hack
Kraken's Chief Security Officer took to X (formerly Twitter) yesterday to announce that:
On 9 June, a bug bounty submission was received claiming to have found an 'extremely critical' bug allowing artificial account balance inflation (i.e. creating free money);
A flag in a recent interface change was found and fixed within a matter of hours.
3 accounts were identified which had leveraged the bug, one of those accounts took USD$4 in value and the other 2 accounts took USD$3M from Kraken.
One of the three accounts had know-your-customer information from a person who claimed to be a security researcher.
The security researcher declined to co-operate to provide information on the bug and demanded a call with their "business development team" and refused to return any of the USD$3M until a fee was agreed.
Mr Percoco said
This is not white-hat hacking, it is extortion!
Kraken did not identify the "security researcher" but indicated it was now a police matter:
Within a matter of hours, Certik posted on X to out themselves as having identified a critical vulnerability in Kraken and claimed they were threatened by Kraken and demanded to pay a "mismatched amount of crypto in an unreasonable time even without providing repayment addresses".
They asserted the tokens created were "minted out of thin air" prompting a smart reply from user CryptoFinally:
Certik also asserted:
The real question should be why Kraken's in-depth defense systems failed to detect so many test transactions. Continuous large withdrawals from different testing accounts was a part of our testing.
This position was roundly ridiculed by many users on X including the following gems:
The final nail in the coffin was uncovered courtesy of block explorers showing that the funds taken from Kraken were put through tornado cash.
The Take-away
Leading security researchers such as the Security Alliance are developing governance frameworks such as the SEAL 911 emergency helpline to facilitate safe disclosure of critical vulnerabilities and the SEAL Whitehat Safe Harbor to give white hat hackers clear guardrails to operate in circumstances where it may be necessary to take and return substantial sums of crypto-assets to protect them from an attacker.
The Kraken situation provides a lesson in the pretty clear line between white/grey and black hat hacking. It seems implausible that a true white hat hacker would engage in more than the minimum number of transactions necessary to demonstrate a flaw prior to informing the owner and giving all necessary information to fix the problem, and withholding funds for reasons such as "mismatched" amounts or "unreasonable timeframes" given the simplicity of requesting and verifying blockchain addresses will lead to the swift involvement of law enforcement.
By Michael Bacina