Kraken and CertiK Clash Over $3M White Hat Operation Funds
A dispute between CertiK and Kraken has highlighted significant issues surrounding a security bug exploit that led to the unauthorized withdrawal of approximately $3 million from Kraken’s treasury by a CertiK research team.
Both parties have presented conflicting accounts, raising important questions about the ethics of hacking, communication protocols, and the proper handling of vulnerabilities.
The Dispute’s Origin
Kraken recently suffered a $3 million loss when a bug was exploited by the same security research team that had initially reported it. Nicholas Percoco, Kraken’s Chief Security Officer, accused the team of extortion, alleging that they demanded a reward for the stolen funds and refused to return them unless Kraken agreed to pay a speculative amount for potential damages.
According to Percoco, the bug, first reported on June 9, allowed the research team to withdraw over $3 million from Kraken’s treasury. Despite alerting Kraken to the critical security flaw, the team still exploited the bug.
Kraken confirmed that the stolen assets came from their treasury and assured users that their funds were secure. The exchange is also working with law enforcement to recover the stolen funds.
Percoco further revealed that one of the accounts involved in the exploit completed Know Your Customer (KYC) verification. The suspected research team initially demonstrated the bug with a $4 crypto transfer, sufficient to claim a bounty from Kraken. However, the subsequent withdrawal of nearly $3 million raised ethical concerns.
CertiK later identified themselves as the team involved and claimed that Kraken had threatened their employees. Percoco expressed disappointment, noting that Kraken’s request to return the funds was met with accusations of unprofessionalism.
Dispute Over CertiK-Kraken White Hat Operations
The recent controversy between CertiK and Kraken has raised several critical questions regarding the actions taken by both parties. CertiK has come forward to provide clarification.
CertiK maintains that their research activities did not involve any real assets belonging to Kraken users, since the cryptos were created out of thin air. Despite the allegations, CertiK says it consistently assured Kraken that it would return the funds, which it has done.
However, the total amount returned does not align with Kraken’s request. CertiK returned 734.19215 ETH, 29,001 USDT, and 1021.1 XMR, while Kraken had requested 155818.4468 MATIC, 907400.1803 USDT, 475.5557871 ETH, and 1089.794737 XMR.
CertiK explained that they conducted multiple large-scale tests to assess the limits of Kraken’s protection and risk controls. They noted that despite testing nearly $3 million worth of crypto over several days, no alerts were triggered.
The security team claims to have promptly disclosed all vulnerability details to Kraken, which fixed the issue within 47 minutes of receiving the report. They also stated that they did not participate in Kraken’s bounty program and had no intention of seeking a reward; their priority was ensuring the issue was resolved.
Although they did not provide a complete transaction list to Kraken, they shared large deposit addresses from Day 1, enabling Kraken to identify all transactions and lock related accounts. CertiK has also made all deposit transactions public.
Community Reaction
The CertiK controversy has sparked strong reactions within the crypto community. Prominent figures such as Adam Cochran and Erik Voorhees have shared their opinions. Cochran pointed out that CertiK’s security auditors used sanctioned tools like Tornado Cash and ChangeNOW, a pattern associated with hacking groups like Lazarus. He further alleged that “Lazarus has hacked more CertiK audited protocols than any others.”
Amidst the discussions, some reminded CertiK that Tornado Cash is a tool sanctioned by the Office of Foreign Assets Control (OFAC) and warned of potential legal trouble. Since CertiK is an American firm, using a US-sanctioned tool could have serious legal implications for the company.
Erik Voorhees questioned the relevance of sanctions if CertiK is not based in the U.S. Cochran responded by highlighting that CertiK’s cofounders are U.S. professors and the company’s headquarters are in the U.S.
Community members expressed concerns about the severity of the situation. Twitter user @ToroTheDog emphasized the seriousness of violating OFAC regulations and suggested that CertiK needs immediate legal counsel. Questions also arose about the firm’s intentions to return the funds and the reasoning behind sending them to Tornado Cash.
Meanwhile, Kraken reassured its users that their funds were never at risk and is determined to recover the stolen assets. The exchange remains steadfast in its stance against CertiK, accusing the firm of unethical practices and urging the return of all exploited funds.