Kraken recently patched a bug that allowed platform users to conjure up free money in their accounts for months on end, the company revealed on Wednesday.

In a post to Twitter, Chief Security Officer Nick Peroco said his team discovered an “isolated bug” earlier this month that let customers “artificially inflate their balance.” The team only discovered it after receiving a bug bounty program alert from a security researcher on June 9, claiming they had found an “extremely critical bug” in their system.

“The feature in question became present on the platform in January,” said Alexander Cassells, Communications lead at Kraken, in an email to Decrypt.

According to Percoco, users were able to initiate deposits to Kraken and have funds credited to their accounts before the deposit itself had actually been completed.


“A malicious attacker could effectively print assets in their Kraken account for a period of time,” he wrote.

Other crypto exchanges have seen similar exploits. Back in 2020, a software glitch at Canadian crypto exchange Coinberry led to more than 500 users stealing $3 million in Bitcoin from the exchange by initiating instant e-transfers to the platform, letting their accounts be credited, and then cancelling the deposit before it was finalized.

Theoretically, users could then withdraw the exchange’s rightful Bitcoin back to wallets that they controlled. Since on-chain Bitcoin withdrawals are irreversible, such glitches can lead to potentially irreparable losses for affected companies.


“This was not a simple every day bug that anyone could exploit,” Cassells said of Kraken’s bug, which was patched within hours of discovery. “It took a good amount of on-chain edge case expertise to discover, evidenced by the fact that no one discovered this issue until recently.”

Thankfully, nobody had actually exploited the bug during that time aside from the researcher who notified Kraken of the issue and two other researcbers who were notified by the first one about the bug.

However, while the individual who filed the bug bounty report used it to credit their wallet with $4, Perroco said the other two researchers fraudulently withdrew nearly $3 million from their Kraken accounts—with the losses borne by Kraken’s treasury.

The initial bug bounty report did not disclose the larger transactions, Perroco said. The researchers also refused to follow other standard steps of Kraken’s bug bounty procedure, and have since refused to return any funds until they know how much money Kraken could have lost without their help.

“We are treating this as a criminal case and are coordinating with law enforcement agencies accordingly,” wrote Perroco. “We’re thankful this issue was reported, but that’s where that thought ends.”

Kraken currently faces a lawsuit with the SEC alleging sweeping securities law violations. Some reports also suggest that the company is eyeing an IPO next year.

Edited by Stacy Elliott.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.