
How a cryptocurrency hacker managed to steal $3 million in just 47 minutes

3:22 pm, June 21, 2024

The popular crypto exchange Kraken has reported the theft of $3 million through a critical zero-day vulnerability that was discovered, and then exploited, by an unnamed security researcher. Nick Percoco, Kraken's chief security officer, said that the vulnerability allowed an unscrupulous researcher to artificially increase the balance on the platform.

The company quickly detected the fraudulent activity. The flaw allowed a user to initiate a deposit and receive the funds without the deposit being fully completed. Although customers' assets were not affected, the problem could have allowed the attacker to create new assets in their accounts.

The problem reportedly arose from a recent interface change that allowed customers to use deposited funds before they were fully cleared. An investigation revealed that three users, including the unfortunate researcher, had exploited the vulnerability. It was fixed in a record 47 minutes.

Percoco clarified that the above-mentioned researcher was the first to discover the bug and used it to credit $4 to his account. He could have reported it to the bounty program and received a substantial payout, but instead decided to share the discovery with two other people, who generated much larger amounts and withdrew almost $3 million from the exchange.

When Kraken asked for the stolen funds to be returned, the attackers demanded that the company contact their team to pay a ransom. The company considered this to be extortion, so it is treating the incident as a criminal case and cooperating with law enforcement agencies.
