How a cryptocurrency hacker managed to steal $3 million in just 47 minutes
Popular crypto exchange Kraken has reported that $3 million was stolen due to a critical zero-day vulnerability. Unexpectedly, this vulnerability was discovered by a security researcher who decided to exploit it himself and then shared the information with other attackers.
Kraken Chief Security Officer Nick Percoco said that the vulnerability allowed a user to artificially inflate their balance on the platform by initiating a deposit and withdrawing the funds before the deposit had fully completed. Although customer assets were not affected, the issue could have allowed an attacker to create new assets in their own accounts.
The vulnerability was caused by a recent interface change that allowed customers to use deposited funds before they were fully cleared. The company quickly detected the fraudulent activity and fixed the problem in a record 47 minutes.
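The bug class the article describes, spendable balance counted from a deposit that has not yet settled, is easiest to see as a ledger rule. The following is an added illustration, not Kraken's code: the exchange's real deposit flow and fix are not public, and the deposit states, account model and invariant below are assumptions chosen to show the mistake beside its correction and the reconciliation check that catches it.

```python
"""Toy exchange ledger: 'credit on initiation' beside 'credit on settlement'.

Added illustration, not Kraken code. The real system, its deposit flow and its
fix are not public; the names and states here are assumptions chosen to show
the class of bug the article describes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"   # initiated, not yet confirmed by the source chain or bank
    SETTLED = "settled"   # irrevocably received by the exchange
    FAILED = "failed"     # cancelled, reversed or never confirmed


@dataclass
class Deposit:
    amount: int           # smallest unit (e.g. cents) to avoid float rounding
    state: DepositState = DepositState.PENDING


@dataclass
class Account:
    deposits: list[Deposit] = field(default_factory=list)
    withdrawn: int = 0

    def settled_total(self) -> int:
        return sum(d.amount for d in self.deposits if d.state is DepositState.SETTLED)


def available_balance_vulnerable(acct: Account) -> int:
    """Bug: pending deposits are treated as spendable."""
    return sum(d.amount for d in acct.deposits
               if d.state is not DepositState.FAILED) - acct.withdrawn


def available_balance_hardened(acct: Account) -> int:
    """Fix: only settled deposits back the spendable balance."""
    return acct.settled_total() - acct.withdrawn


def withdraw(acct: Account, amount: int, balance_fn) -> bool:
    """Approve a withdrawal if the chosen balance rule covers it."""
    if amount <= 0 or balance_fn(acct) < amount:
        return False
    acct.withdrawn += amount
    return True


def ledger_invariant_ok(acct: Account) -> bool:
    """Reconciliation check a defender would run continuously: nothing may leave
    the exchange that was not irrevocably received. A violation means the
    exchange, not the customer, is short."""
    return acct.withdrawn <= acct.settled_total()


def simulate(balance_fn, settles: bool = False) -> tuple[bool, bool]:
    """Initiate a deposit, try to withdraw the same amount, then resolve the
    deposit as settled or failed. Returns (withdrawal_approved, invariant_holds)."""
    acct = Account()
    dep = Deposit(amount=100_000)              # constructed sample: 1000.00 units
    acct.deposits.append(dep)
    if settles:
        dep.state = DepositState.SETTLED       # confirmation arrives before spending
    approved = withdraw(acct, 100_000, balance_fn)
    if not settles:
        dep.state = DepositState.FAILED        # the deposit never completes
    return approved, ledger_invariant_ok(acct)


if __name__ == "__main__":
    print("vulnerable rule, deposit fails:", simulate(available_balance_vulnerable))
    print("hardened rule, deposit fails:  ", simulate(available_balance_hardened))
    print("hardened rule, deposit settles:", simulate(available_balance_hardened, settles=True))
```

With the vulnerable rule the withdrawal is approved and the invariant is violated once the deposit fails, which is exactly the "create new assets" outcome described above; with the hardened rule the withdrawal is refused until settlement and approved afterwards. Running `ledger_invariant_ok` as a periodic reconciliation job, independent of the balance logic, is what turns a silent accounting error into an alert, and a detection of that shape is consistent with the fast response the article reports.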
The investigation revealed that three users took advantage of the vulnerability, including the researcher who first discovered the bug and used it to credit $4 to his account. Instead of reporting the vulnerability as part of the bounty program, he shared the information with two other individuals who withdrew nearly $3 million from the exchange.
Kraken asked the attackers to return the stolen funds, but they demanded a ransom. The company has treated this as extortion and is cooperating with law enforcement agencies to investigate the incident.