
    Kraken-CertiK saga turns murky as part of exploited funds go ‘missing’

    2024.06.20 | exchangesranking

    The Kraken-CertiK saga, in which the security firm CertiK claimed to have carried out a white hat operation against certain Kraken-owned accounts (not customer accounts) and, according to Kraken, drained nearly $3 million, has taken another turn. The exchange says the full exploited amount has not been returned to it, while CertiK says it has returned all of the funds according to its own records.

    On June 20, CertiK took to X to offer an update on the situation and said it had returned 734.19215 Ether (ETH), 29,001 USDT and 1,021.1 Monero (XMR), while Kraken had requested 155,818.4468 Polygon (MATIC), 907,400.1803 USDT, 475.5557871 ETH and 1,089.794737 XMR. The two sets of figures do not reconcile asset by asset: CertiK's list includes no MATIC at all, its USDT figure is far below the amount Kraken says it requested, and the ETH and XMR amounts differ from Kraken's as well.

    Kraken claims exploit, CertiK says white hat operation

    The Kraken-CertiK saga began on June 9, when Kraken said it had received a bug bounty program alert from a self-described security researcher. The alert flagged a bug in Kraken's system that allowed users to inflate their account balances. The exchange rushed to patch the bug and, in doing so, discovered three accounts that had already exploited the flaw and withdrawn nearly $3 million from Kraken's own accounts.

    Kraken's investigation found that one of the three accounts was Know Your Customer (KYC) verified and had used the bug to credit itself just $4.

    Kraken chief security officer Nick Percoco said that this $4 credit alone would have been enough to prove the bug and claim the bounty, but the account allegedly then shared the flaw with two other accounts within days, and in total the three accounts pocketed nearly $3 million from the exchange.

    When Kraken asked the self-described “security researcher” to return the funds and collect the bounty after providing the required onchain proof, the white hat hacker in question allegedly refused and demanded the bounty first. Although Kraken did not name the security firm behind the “white hat” exploit, CertiK later identified itself as that firm.

    CertiK claimed that the employee who discovered the vulnerability was threatened and told to return the funds without being given any wallet address to return them to. Ronghui Gu, co-founder of CertiK, told Cointelegraph:

    “The verbal consensus reached during our meeting was not confirmed afterward. Ultimately, they publicly accused us of theft and even directly threatened our employees, which is completely unacceptable.”

    CertiK reportedly sent the funds to the crypto mixer Tornado Cash to avoid having them frozen by centralized exchanges. The move drew heavy criticism from the crypto community, which questioned CertiK's motives behind the “white hat” operation.

    Related: Crypto phishing attacks reached ‘alarming levels’ — CertiK co-founder

    Crypto community calls out CertiK

    The crypto community questioned why CertiK researchers moved millions of dollars' worth of funds when a single transaction could have proven the vulnerability; bug bounty programs generally require researchers to limit exploitation to the minimum needed to demonstrate impact and to return anything obtained in the process. Others pointed out that Tornado Cash is sanctioned by the Office of Foreign Assets Control (OFAC), that using it could expose the security firm to legal trouble, and asked whether CertiK had ever intended to return the funds given that it routed them through a sanctioned mixer.

    Crypto community calls out CertiK. Source: X

    Most of the crypto community sided with Kraken and criticized CertiK's conduct, with many accusing the firm of “stealing” the funds and then blackmailing Kraken for the bounty.

    Crypto community reaction to Kraken Certik saga. Source: X

    Kraken told Cointelegraph that it is in contact with law enforcement agencies regarding the situation.

    Update: This article will be updated with comments from Kraken and CertiK.

    Magazine: Crypto audits and bug bounties are broken: Here’s how to fix them
