- Crypto exchange Kraken is locked in a tussle with cybersecurity firm CertiK.
- CertiK has come under scrutiny for allegedly extorting the exchange.
- The security firm is facing backlash from the crypto community.
Security has become a watchword for the crypto industry, as the financial characteristics of the asset class often make it attractive to malicious actors seeking to exploit it for selfish gain. This has led to the rise of blockchain security-focused firms that implement bolstered safety practices to protect the industry from threat players.
But what happens when a security firm itself is investigated for allegedly engaging in the very acts it should protect the industry from? Such is the case with CertiK, which has been scrutinized for allegedly extorting crypto exchange Kraken.
What Happened to Kraken and CertiK?
The past couple of hours have been nothing short of eventful for the crypto industry, marked by an ongoing tussle between Kraken and CertiK, over the alleged extortion of the exchange’s treasury in the excuse of a “White-hat hack.” On Wednesday, June 19, 2024, Kraken Chief Security Officer Nicholas Percoco revealed that “a research team” exploited a vulnerability on its platform, unauthorizedly withdrawing approximately $3 million.
Sponsored
Percoco emphasized that the security researcher initially contacted Kraken on June 9, claiming to have discovered an “extremely critical” bug that allowed them to artificially inflate their balance on the exchange. In response, the exchange deployed a security team to address the risk, only to discover that the anonymous researcher had already leveraged the system flaw.
The alleged exploit began with a fabricated $4 deposit, which then escalated to larger sums, totaling $3 million in assets. The CSO added that the detailed transaction report was omitted from the bounty report, prompting the exchange to contact the team for additional information and the refund of the withdrawn funds.
However, the situation became more complicated when the research team expressed reluctance and reportedly demanded a ransom for its discovery. While Kraken withheld the name of the researcher, CertiK, in response, took to social media platform X to reveal its identity and defense.
CertiK Merely “Testing” Kraken?
Defending its actions, the security firm argued that the vulnerability identified in Kraken’s deposit system could potentially lead to severe losses due to its failure to differentiate between different internal transfer statuses, necessitating a thorough investigation.
Sponsored
The firm added that the audit and subsequent withdrawals were aimed at “testing” the proficiency of Kraken’s security levels, including its protection limits and risk controls, most of which the exchange allegedly failed.
“The Kraken exchange failed all these tests, indicating that Kraken’s defense-in-depth system is compromised on multiple fronts,” stated CertiK, adding that, “Worse yet, no alerts were triggered during the multi-day testing period.”
Addressing the issue of the funds and the refusal to refund, CertiK emphasized that Kraken “threatened” its employees to refund a “mismatched amount of crypto in an unreasonable time.” The firm stated that while it repaid the funds, the amount returned to Kraken was significantly lower than demanded but matched its records.
CertiK further clarified that it never requested a bounty from the exchange. Despite its response and defense, the firm’s actions have raised questions across the community.
Who’s at Fault?
While the security firm asserted that the funds in question were “minted out of thin air” and did not impact Kraken’s users, critics argued that these actions targeted the exchange’s treasury, jeopardizing user safety by risking the exchange’s solvency.
Several community members also asserted that the firm could have maintained a minimal test transaction to verify its findings, without pulling the hefty amount. However, Certik doubled down on its claims of Kraken’s weak security measures, faulting the exchange for having the bug in the first place.
CertiK also reportedly moved the withdrawn Kraken funds through the sanctioned crypto mixer Tornado Cash, an anonymity tool used to obscure asset trail, to changeNOW, further raising questions about the genuineness of its intentions to refund.
Weighing in on the incident, Cinneamhain Ventures partner Adam Cochran questioned CertiK’s integrity as a security firm, asserting that its pattern parallels the notorious hacker group Lazarus.
Cochran added that several CertiK-audited protocols have also been hacked by Lazarus, raising concerns about whether the security research team has long been compromised.
On the Flipside
- Several community members have described CertiK’s actions as ‘outright theft.’
- In April 2024, CertiK raised an alarm over a vulnerability on Telegram. However, Telegram swiftly debunked the security firm’s claims.
- Certik also reportedly tested the vulnerability on other exchanges, including Coinbase.
Why This Matters
Hacks and scams have created a sore spot in the crypto industry, making actions echoing their patterns highly sensitive within the community. Despite CertiK’s assertions that it was merely testing Kraken’s security levels, the inconsistencies in its actions raise serious questions about its true intentions.
Read more about CertiK’s concerns about the Telegram security vulnerability earlier this year:
CertiK Doubles Down on Finding Telegram Exploit
The US arm of Binance is still facing regulatory heat in the country, read this article to find out more:
Binance.US Loses Another License as North Dakota Joins Trend
