Zero-day website bug allows anyone to increase the balances in a Kraken wallet leading to steal $3 million in cryptocurrency

Continue reading
Kraken, a leading cryptocurrency exchange, recently revealed a critical security breach. Alleged security researchers exploited a zero-day website vulnerability, stealing $3 million in cryptocurrency.
On June 9th, Kraken's security team received a vulnerability disclosure report about an "extremely critical" vulnerability.
This flaw allowed users to artificially increase their wallet balances. The report, although vague, prompted immediate investigation by Kraken's Chief Security Officer, Nick Percoco.
The bug, introduced in January, allowed users to initiate deposits and have funds credited before the deposits were completed. This "deposit-before-completion" flaw effectively enabled attackers to create assets out of thin air within their Kraken accounts.
# Example of pseudo-code illustrating the flawed logic
def deposit_funds(user, amount):
if transaction_approved():
user.balance += amount
else:
user.balance += amount # Flawed logic, credits balance regardlessWithin minutes of the report, Kraken identified and isolated the bug. The flaw was patched within hours. This rapid response was crucial in limiting potential damage.
Three individuals exploited the bug. The first, a supposed security researcher, used it to deposit $4 to their account.
However, two others, informed by the initial researcher, withdrew nearly $3 million. This act bypassed Kraken's bug bounty protocols, transforming a security alert into a significant heist.
The exploit involved initiating a deposit, having the system credit the amount, and then canceling the deposit before completion.
This allowed the attackers to withdraw unearned funds. The critical flaw lay in the asynchronous processing of deposits.
# Simplified representation of the flawed deposit process
def process_deposit(transaction):
user = transaction.user
user.balance += transaction.amount # Immediate balance update
if not complete_transaction(transaction):
rollback_transaction(transaction)
# Missing logic to rollback user balanceSimilar vulnerabilities have surfaced in the past. In 2020, a glitch at Coinberry allowed users to exploit instant e-transfers, stealing $3 million in Bitcoin.
These incidents highlight the systemic risks in crypto exchanges' deposit handling processes.
The researchers' refusal to return the stolen funds and their demands for negotiations resemble extortion rather than ethical hacking. Ethical hackers are expected to disclose vulnerabilities responsibly, without exploiting them for personal gain.
Kraken is treating this breach as a criminal case. They have involved law enforcement to recover the stolen funds and hold the perpetrators accountable. This incident also raises questions about the effectiveness and integrity of bug bounty programs.
While no clients' assets were directly at risk, Kraken's treasury bore the losses. The incident tarnishes Kraken's reputation, especially as it faces a lawsuit from the SEC for alleged securities law violations. It also comes at a critical time as the company considers an IPO next year.
This breach serves as a stark reminder of the vulnerabilities within the crypto industry. It underscores the need for continuous security improvements and rigorous testing of financial systems to prevent similar exploits.
# Improved deposit handling with validation checks
def process_deposit(transaction):
user = transaction.user
if complete_transaction(transaction):
user.balance += transaction.amount
else:
raise DepositError("Transaction not completed")
Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.