Kraken says security researchers tried to blackmail it because of a bug


Kraken, one of the largest cryptocurrency exchanges in the world, has accused a trio of security researchers of discovering a critical bug, exploiting it to steal millions in digital cash, and then using the stolen funds to pressure the exchange for more.

The exchange wrote about the issue yesterday, saying the exploit allowed some users "to artificially increase the value of their Kraken account balance without fully completing a deposit." Kraken security chief Nicholas Percoco said on X that the researchers didn't provide any details in their bug report, but that his team discovered the flaw within an hour.

According to Percoco, the issue stemmed from a recent UX change that credited customer accounts before the assets had actually cleared, in order to create an artificial sense of real-time cryptocurrency trading. "This UX change was not thoroughly tested against this specific attack vector," Percoco admitted on X.

Just reporting the bug would have been enough for a sizable reward, Percoco added. The researcher who disclosed the vulnerability, whom Kraken did not name "because they did not conform to industry expectations for [bug bounty]," did not stop there, however.
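The flaw class Percoco describes, crediting a balance before the deposit has cleared, can be modelled in a few lines. The Python below is an added illustration and not Kraken's code; the `Ledger` class, its method names and the 100-unit deposit are assumptions made for the example.

```python
from decimal import Decimal


class Ledger:
    """Toy account ledger. All names and states are hypothetical."""

    def __init__(self, gate_on_settlement: bool):
        self.gate_on_settlement = gate_on_settlement
        self.settled = Decimal("0")  # funds whose deposit has cleared
        self.pending = {}            # deposit_id -> amount credited early

    def start_deposit(self, deposit_id: str, amount: Decimal) -> None:
        # The UX choice from the article: show the credit before it clears.
        self.pending[deposit_id] = amount

    def settle(self, deposit_id: str) -> None:
        self.settled += self.pending.pop(deposit_id)

    def fail(self, deposit_id: str) -> None:
        # A deposit that never completes takes its early credit with it.
        self.pending.pop(deposit_id, None)

    def displayed_balance(self) -> Decimal:
        return self.settled + sum(self.pending.values(), Decimal("0"))

    def withdrawable(self) -> Decimal:
        if self.gate_on_settlement:
            return self.settled          # hardened: cleared funds only
        return self.displayed_balance()  # flawed: early credit counts too

    def withdraw(self, amount: Decimal) -> bool:
        if amount <= 0 or amount > self.withdrawable():
            return False
        self.settled -= amount
        return True


def run_scenario(gate_on_settlement: bool):
    """Deposit starts, a withdrawal is requested, then the deposit fails."""
    ledger = Ledger(gate_on_settlement)
    ledger.start_deposit("d1", Decimal("100"))  # constructed sample amount
    paid_out = ledger.withdraw(Decimal("100"))
    ledger.fail("d1")
    return paid_out, ledger.settled


if __name__ == "__main__":
    print("flawed  :", run_scenario(False))  # paid out, ledger left negative
    print("hardened:", run_scenario(True))   # refused, ledger unchanged
```

The displayed balance can still include pending credit for the real-time feel; the invariant worth testing is that nothing leaves the platform against funds that have not settled.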
