CertiK Resolves Extortion Claims as Kraken Recovers $3M
By Harvey Hunter
Updated: June 20, 2024, 15:57 EDT | 2 min read
Kraken, the cryptocurrency exchange, announced on June 20 that it had successfully retrieved nearly $3 million in digital assets from CertiK, a blockchain security firm, after allegations of extortion marred what was initially considered a white-hat hacking incident.
Nick Percoco, Kraken’s Chief Security Officer, used X to communicate the return of the funds, minus transaction fees.
The saga began on June 19 when Kraken reported the disappearance of $3 million in funds, allegedly withdrawn by a “security researcher” who exploited a bug in their system. Kraken accused the researcher of extortion, claiming they refused to return the funds and demanded a reward and a meeting with Kraken’s business development team.
CertiK Steps In
Shortly after Kraken’s disclosure, CertiK publicly identified themselves as the security researcher in question, aiming to refute the accusations and clarify their actions.
In a statement on June 19 via X, CertiK acknowledged informing Kraken about an exploit that enabled the removal of millions from their accounts. They also alleged being threatened by Kraken’s security team.
“To clarify our position,” CertiK released a detailed timeline, beginning with their discovery of the exploit on June 5.
The $3 Million Withdrawal
Initially, Kraken stated that a minimal transfer of $4 would have sufficed to demonstrate the bug and potentially earn a reward from their bounty program. Instead, CertiK transferred nearly $3 million into their Kraken accounts.
In a subsequent X post after returning the funds, CertiK addressed key questions surrounding the incident. They justified the large sum, stating, “We sought to stress-test Kraken’s defenses and risk controls. Despite extensive testing over multiple days and nearly $3 million in crypto, no alerts were triggered, and we have yet to identify the limit.”
CertiK emphasized they had no intention of claiming a bounty, which Kraken had initially mentioned. “We never solicited a bounty,” CertiK clarified. “Kraken first mentioned it to us; our focus was solely on ensuring the vulnerability was fixed.”
CertiK asserted that their actions did not harm any Kraken users, as the funds were essentially “created out of thin air.”
Despite CertiK’s explanations, the incident has sparked discussions on the ethics of hacking, communication protocols, and the appropriate response to vulnerability disclosures.