Kraken said it refused to pay a group of security researchers after they allegedly demanded compensation in exchange for not disclosing client data obtained during exploitation of a funding-system bug, according to the exchange’s June 19, 2024 security post. The company said the flaw was patched in less than an hour and that no client assets were at risk, but the dispute matters because it turns a bug bounty case into an extortion and disclosure fight with direct implications for exchange security standards.
Last Updated: April 19, 2026, 00:00 UTC
Incident Disclosure Date: June 19, 2024 (Kraken Blog)
Bug Mitigation Window: Less than 1 hour after discovery
Program Context: Kraken said its bug bounty program has operated for nearly a decade
Kraken’s refusal to pay turned a bug bounty dispute into an extortion case
Here is the core fact pattern. On June 19, 2024, Kraken disclosed that it had patched what it called an “isolated bug” in its deposit and funding systems, and said the flaw allowed certain users, for a short period, to artificially increase the value of a Kraken account balance without fully completing a deposit. Kraken said a cross-functional team mitigated the issue in less than one hour after discovery, and added that no client assets were impacted or vulnerable before disclosure. Those are the most important verified facts because they define both the technical scope and the customer-risk boundary.
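The class of flaw Kraken describes, a balance that rises before the deposit behind it is final, is easier to reason about with a small ledger model. The following is an added example written for this article, not Kraken's code and not a description of the real bug's mechanics: it contrasts a deposit pipeline that credits on initiation with one that credits only once the deposit reaches a final state, and adds a reconciliation check of the kind an exchange runs to detect balances that are not backed by settled funds. The account names, amounts, deposit identifiers and state names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"   # user announced a deposit; nothing settled yet
    CONFIRMED = "confirmed"   # funds observed, but below required confirmation depth
    FINAL = "final"           # confirmation depth reached; funds are irrevocably held
    FAILED = "failed"         # never arrived, or was reversed before finality


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int               # smallest unit (e.g. satoshi); integers avoid float drift
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    # True reproduces the weak pattern (credit when the deposit is announced);
    # False is the hardened policy (credit only on finality).
    credit_on_initiation: bool
    balances: dict = field(default_factory=dict)
    deposits: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)   # deposit_ids already applied (idempotency)

    def _credit(self, dep: Deposit) -> None:
        # A deposit is applied to a balance at most once, however many times
        # the finality event is delivered.
        if dep.deposit_id in self.credited:
            return
        self.credited.add(dep.deposit_id)
        self.balances[dep.account] = self.balances.get(dep.account, 0) + dep.amount

    def initiate(self, deposit_id: str, account: str, amount: int) -> Deposit:
        dep = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = dep
        if self.credit_on_initiation:
            self._credit(dep)   # weak: balance rises before any funds are final
        return dep

    def advance(self, deposit_id: str, new_state: DepositState) -> Deposit:
        dep = self.deposits[deposit_id]
        dep.state = new_state
        if new_state is DepositState.FINAL and not self.credit_on_initiation:
            self._credit(dep)   # hardened: only finality moves the balance
        return dep

    def available(self, account: str) -> int:
        return self.balances.get(account, 0)


def reconcile(ledger: Ledger) -> dict:
    """Detection control: a credited balance must never exceed the sum of FINAL
    deposits for that account. Returns {account: unbacked_excess} for violations.
    (Withdrawals and trades are omitted here; a real reconciliation nets them too.)"""
    backed = {}
    for dep in ledger.deposits.values():
        if dep.state is DepositState.FINAL:
            backed[dep.account] = backed.get(dep.account, 0) + dep.amount
    findings = {}
    for account, bal in ledger.balances.items():
        excess = bal - backed.get(account, 0)
        if excess > 0:
            findings[account] = excess
    return findings


def demo(credit_on_initiation: bool) -> tuple:
    """Constructed scenario: one deposit completes, a second is announced but never
    completes. Returns (available balance, reconciliation findings)."""
    led = Ledger(credit_on_initiation)
    led.initiate("dep-1", "alice", 100_000)
    led.advance("dep-1", DepositState.FINAL)      # legitimate deposit settles
    led.initiate("dep-2", "alice", 5_000_000)
    led.advance("dep-2", DepositState.FAILED)     # announced, never completed
    return led.available("alice"), reconcile(led)


if __name__ == "__main__":
    print("credit on initiation:", demo(True))    # balance inflated, reconcile flags it
    print("credit on finality:  ", demo(False))   # balance matches settled funds
```

Two design points carry the weight here: the balance is only ever moved by the finality event, and that event is idempotent, so a replayed or duplicated callback cannot credit twice. The reconciliation function is the independent check that would have surfaced an inflated balance even if the crediting logic were wrong, which is the kind of control that lets an incident be bounded quickly regardless of how the flaw was found.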
The sharper angle is what happened next. Kraken said the third-party security research company that found the bug had exploited it for financial gain before reporting it through the bug bounty channel. The exchange also said the researchers later refused to return assets until Kraken estimated what a hypothetical maximum bug bounty payout would have been if the matter had been handled under normal rules. That is not standard coordinated disclosure. Kraken’s own bug bounty policy says submissions must never contain threats or extortion attempts, and it explicitly warns that such conduct may be referred to law enforcement.
Verified Incident Metrics
| Metric | Value | Source | Why It Matters |
|---|---|---|---|
| Public disclosure date | June 19, 2024 | Kraken Blog | Establishes the official timeline |
| Mitigation time | < 1 hour | Kraken Blog | Shows response speed |
| Client assets impacted | 0 | Kraken Blog | Limits direct custody risk |
| Bug bounty program age | Nearly 10 years | Kraken Blog | Adds policy context |
| Minimum bug bounty payout | $500 equivalent in BTC | Kraken Bug Bounty page | Confirms formal reward structure |
| Security acknowledgment SLA | 1 business day | Kraken Bug Bounty page | Shows expected intake speed |
| Triage SLA | 10 business days | Kraken Bug Bounty page | Shows review framework |
Methodology: This article uses only publicly available primary-source material from Kraken’s June 19, 2024 security disclosure and Kraken’s published bug bounty policy. Where possible, policy language is cross-checked against the incident description to separate confirmed facts from allegations. Updated: April 19, 2026, 00:00 UTC.
That distinction matters. A normal bug bounty case is simple: identify the flaw, report it quickly, avoid unnecessary data access, and wait for triage. Kraken’s published rules say researchers must minimize data collection, must not store or transmit other clients’ personally identifiable information, and must report any captured client PII immediately before destroying copies. The same policy says asking for payment in exchange for vulnerability details makes a submission ineligible for bounty rewards. So when Kraken says “no pay,” it is not merely haggling over a fee. It is asserting that the researchers stepped outside the bug bounty framework entirely.
Why the client-data allegation matters more than the bug itself
The bug was serious, but the data-handling allegation is the bigger reputational threat. Kraken said the researchers provided proof that they had accessed client data during their testing. The company did not frame the event as a broad platform hack, and it did not say customer funds were drained. Still, once internal client data enters the story, the incident stops being a narrow engineering patch and becomes a trust test.
Kraken Security Update
We are currently being extorted by a criminal group threatening to release videos of our internal systems with client data shown if we do not comply with their demands. It’s important to start with the most important points: our systems were never…
— Nick Percoco (@c7five) April 13, 2026
That is the part many quick takes missed at the time. The headline risk was not only “deposit bug patched.” It was the collision between three separate issues: unauthorized balance inflation, alleged retention of client data, and a payment demand tied to non-disclosure. Those are different categories of risk. One is technical. One is privacy-related. One is potentially legal.
Event Sequence: June 2024
June 19, 2024: Kraken publicly disclosed an isolated bug in deposit and funding systems and said the flaw had been fixed. (Kraken Blog)
June 19, 2024: Kraken said the issue was mitigated in less than one hour after discovery by a cross-functional team. (Kraken Blog)
June 19, 2024: Kraken said the researchers acted outside bug bounty rules, accessed client data, and sought payment before returning assets. (Kraken Blog)
There is also a compliance angle. Kraken’s bug bounty page says all reports must go to a dedicated mailbox, and that external portals are unofficial. It also says researchers should not do more than necessary to prove a vulnerability. That language is not cosmetic. It is designed to limit legal ambiguity when a researcher crosses from validation into exploitation. In practical terms, Kraken appears to be drawing a bright line: proving a flaw is one thing; using it to extract value or leverage is another.
Kraken says no client assets were hit while policy language shows zero tolerance
Kraken’s strongest defense is consistency between its incident post and its standing policy. The June 19, 2024 disclosure says no client assets were impacted or vulnerable. Its bug bounty rules separately say threats, ransom demands, and attempts at extortion are prohibited, and may be referred to law enforcement. The policy also says any captured client PII must be reported immediately and destroyed. Put together, that gives Kraken a coherent public position: the company patched the bug fast, customer funds were not exposed, and the researchers lost any claim to payment once they allegedly moved into coercive behavior.
Kraken, one of the world’s oldest crypto exchanges, said it’s being extorted by a criminal group that claims to have access to some client account information https://t.co/pCVoWd1K9D
— Bloomberg (@business) April 13, 2026
Trust Risk Alert: Client data allegations can outlast the technical fix
Kraken said on June 19, 2024 that the bug itself was fixed in less than one hour, but privacy and disclosure disputes usually persist far longer than code remediation. Its bug bounty rules require immediate reporting and deletion of any client PII and state that extortion attempts may be referred to law enforcement. That means the long-tail risk here is reputational and procedural, not only technical.
To anyone who has covered exchange security incidents for years, that pattern is familiar. Fast patches calm traders. Data-access allegations do not. Markets can forgive a bug if funds are safe and the response is quick. They are less forgiving when the story raises questions about who touched customer information, how much was seen, and whether disclosure was handled in good faith. That is why this case still stands out: the operational fix was fast, but the governance questions were harder.
Can Kraken contain the fallout despite the leak threat?
Based on the public record, Kraken has two advantages. First, it disclosed the issue itself on a named corporate channel on June 19, 2024 rather than waiting for rumor to define the narrative. Second, its published bug bounty terms already covered the exact behaviors now in dispute: unnecessary data access, extortion, and off-process disclosure. That gives the company a documented framework for refusing payment.
Data Verification: The incident date, mitigation window, and “no client assets” statement are confirmed by Kraken’s June 19, 2024 blog post. The prohibition on extortion, the requirement to destroy captured client PII, the minimum payout of $500 in BTC equivalent, the one-business-day acknowledgment target, and the 10-business-day triage target are confirmed by Kraken’s public bug bounty policy.
What remains unknown from the public material is the exact volume of internal client data allegedly accessed, whether any of it was ultimately published, and whether any law-enforcement referral produced a public outcome. Those gaps matter, and they should not be filled with guesswork. What can be said, factually, is narrower: Kraken says it would not pay, says the bug was fixed quickly, says no client assets were at risk, and says the researchers’ conduct fell outside the rules that govern legitimate bug bounty work.
Frequently Asked Questions
What happened in the Kraken “no pay” incident?
Kraken said on June 19, 2024 that it patched an isolated bug in its deposit and funding systems that allowed certain users to artificially increase account balances without fully completing a deposit. The exchange said it refused to pay the researchers because they allegedly exploited the flaw, accessed client data, and demanded compensation outside normal bug bounty rules.
Did Kraken say customer funds were stolen?
No. Kraken’s June 19, 2024 security post said no client assets were impacted or vulnerable leading up to the disclosure. That is an important distinction: the company described a bug affecting balance inflation mechanics, not a direct loss of customer-held assets from custody.
Why did Kraken refuse payment?
Kraken’s public bug bounty policy says submissions must never include threats or extortion attempts, and that asking for payment in exchange for vulnerability details makes a report ineligible for bounty rewards. Kraken said the researchers’ conduct fell outside those rules, which is why it took a “no pay” position.
Was client data involved?
Kraken said the researchers showed proof that they had accessed client data. Its bug bounty rules require anyone who captures client PII to report it immediately and destroy all copies that are not their own. Publicly available Kraken materials do not specify the exact amount or type of data allegedly accessed.
How fast did Kraken respond to the bug?
Kraken said a cross-functional team mitigated the issue in less than one hour after discovery. Separately, its bug bounty page lists a one-business-day acknowledgment target and a 10-business-day triage target for standard submissions, which provides context for how the company says its disclosure process normally works.
Disclaimer: This article is for informational purposes only and does not constitute legal, cybersecurity, or investment advice. Readers should rely on official company disclosures and qualified professional counsel for decisions involving security incidents, privacy obligations, or financial risk.