Cryptocurrency exchange Kraken confirmed on June 20 the recovery of nearly $3M in digital assets from blockchain security firm CertiK following extortion allegations that had overshadowed their white-hat hack.
Kraken’s Chief Security Officer Nick Percoco took to X to announce the return of the funds, minus the amount spent on transaction fees.
Update: We can now confirm the funds have been returned (minus a small amount lost to fees). https://t.co/cHkjPt3m2A
— Nick Percoco (@c7five) June 20, 2024
Kraken’s CSO first reported the $3 million in missing funds on June 19, stating that a “security researcher” had maliciously withdrawn them from the treasury after discovering and disclosing an existing bug.
Kraken alleged that the security researcher had extorted them, refusing to return the funds and demanding a reward along with a call with the exchange’s business development team.
CertiK Clears Up the Allegations
Shortly after Kraken’s post about the missing funds, blockchain security firm CertiK publicly identified itself as the “security researcher” that Kraken claimed stole $3 million of digital assets.
This came in an effort to challenge the allegations and dispel any notions of malicious intent.
In a June 19 X post, CertiK said it had informed Kraken of an exploit that allowed it to remove millions of dollars from the exchange’s accounts. CertiK also claimed to have been threatened by the exchange’s team.
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” CertiK stated.
To clarify their side of the story, CertiK also released a timeline of events, covering the entire discourse, starting with identifying the exploit on June 5.
Why Did They Withdraw $3M?
Kraken’s CSO initially stated that the first malicious transfer, worth just $4, would have been sufficient to prove the bug and earn “sizable rewards” from Kraken’s bounty program.
The security researcher, later revealed to be CertiK, had instead minted nearly $3 million into their Kraken accounts.
In an X post following the return of the $3 million, CertiK answered many prominent questions surrounding the situation. Most importantly, they explained their justification for the big sum.
“We want to test the limit of Kraken’s protection and risk controls,” CertiK stated. “After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”
Q&A to recent CertiK-Kraken whitehat operations:
1. Did any real user lose fund?
No. Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.2. Have we refused to return the funds?
No. In our communication with…— CertiK (@CertiK) June 20, 2024
Additionally, CertiK claims that they had no intentions of bringing a bounty into the picture; it was something mentioned in the exchange.
“We never mentioned any bounty request,” CertiK said. “It was Kraken who first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed.”
CertiK highlighted that their efforts were not at the expense of any Kraken users. The funds were “minted out of air.”
Despite their claimed innocence, the situation has sparked debate about the nature of ethical hacking, proper communication protocols, and the appropriate handling of discovered vulnerabilities.
