![](https://images.cointelegraph.com/cdn-cgi/image/format=auto,onerror=redirect,quality=90,width=1200/https://s3.cointelegraph.com/uploads/2024-06/c59d42ea-3361-4733-bd45-cf4bcade9dbd.jpg)
Cryptocurrency exchange Kraken has revealed that a research team remains in possession of $3 million worth of digital assets it had s recently discovered bug.
An anonymous self-proclaimed ‘security researcher’ found a critical security bug and alerted the cryptocurrency exchange on June 9.
However, two accounts related to the security researcher have exploited the bug to withdraw over $3 million worth of digital assets, according to Nick Percoco, the chief security officer of Kraken.
Following the multi-million withdrawal, the security researcher is demanding a reward for the stolen funds, Percoco wrote in a June 19 X post:
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”
The cryptocurrency was stolen directly from Kraken’s treasury. The exchange claims that no user funds were endangered.
Cointelegraph has approached Kraken for comment.
Related: Nomura crypto arm Laser Digital bags Abu Dhabi license
This is not white-hat hacking: Kraken
One of the three Kraken accounts related to the exploit has previously completed Know Your Customer (KYC) verification to an individual claiming to be a security researcher, but his identity remains undisclosed.
The individual who discovered a bug has initially proven the flaw with a crypto transfer worth $4, which would have been sufficient to prove the bug and collect “sizable rewards” from Karken’s bounty program.
However, the individual disclosed the bug to two other accounts that fraudulently siphoned nearly $3 million from their Kraken accounts.
These actions are akin to extortion, not ethical hacker behavior, according to Kraken’s Percoco:
“In the essence of transparency, we are disclosing this bug to the industry today. We are being accused of being unreasonable and unprofessional for requesting that “white-hat hackers” return what they stole from us. Unbelievable.”
Related: Stablecoin transfer volume increased 16x during past 4 years