Kraken, CertiK Sling Mud in Wild Tale of Exploits and Extortion

The exchange and security firm are pointing fingers over a multi-million-dollar exploit on the platform.

Angry purple octopus floating around in space.
Created by Gabor Kovacs from DailyCoin
  • Crypto exchange Kraken is locked in a tussle with cybersecurity firm CertiK.
  • CertiK has come under scrutiny for allegedly extorting the exchange.
  • The security firm is facing backlash from the crypto community.

Security has become a watchword for the crypto industry, as the financial characteristics of the asset class often make it attractive to malicious actors seeking to exploit it for selfish gain. This has led to the rise of blockchain security-focused firms that implement bolstered safety practices to protect the industry from threat players.

But what happens when a security firm itself is investigated for allegedly engaging in the very acts it should protect the industry from? Such is the case with CertiK, which has been scrutinized for allegedly extorting crypto exchange Kraken.

What Happened to Kraken and CertiK?

The past couple of hours have been nothing short of eventful for the crypto industry, marked by an ongoing tussle between Kraken and CertiK over the alleged extortion of the exchange’s treasury under the guise of a “white-hat hack.” On Wednesday, June 19, 2024, Kraken Chief Security Officer Nicholas Percoco revealed that “a research team” had exploited a vulnerability on its platform, withdrawing approximately $3 million without authorization.


Percoco emphasized that the security researcher initially contacted Kraken on June 9, claiming to have discovered an “extremely critical” bug that allowed them to artificially inflate their balance on the exchange. In response, the exchange deployed a security team to address the risk, only to discover that the anonymous researcher had already exploited the flaw.

The alleged exploit began with a fabricated $4 deposit, which then escalated to larger sums, totaling $3 million in assets. The CSO added that the detailed transaction report was omitted from the bounty report, prompting the exchange to contact the team for additional information and the refund of the withdrawn funds.

However, the situation became more complicated when the research team expressed reluctance and reportedly demanded a ransom for its discovery. While Kraken withheld the name of the researcher, CertiK, in response, took to social media platform X to reveal its identity and defense.

CertiK Merely “Testing” Kraken?

Defending its actions, the security firm argued that the vulnerability it identified in Kraken’s deposit system could potentially lead to severe losses because the system failed to distinguish between internal transfer statuses, which in its view necessitated a thorough investigation.

The firm added that the audit and subsequent withdrawals were aimed at “testing” the proficiency of Kraken’s security controls, including its protection limits and risk controls, most of which the exchange allegedly failed.

“The Kraken exchange failed all these tests, indicating that Kraken’s defense-in-depth system is compromised on multiple fronts,” stated CertiK, adding that, “Worse yet, no alerts were triggered during the multi-day testing period.”

Addressing the issue of the funds and the refusal to refund, CertiK emphasized that Kraken “threatened” its employees to refund a “mismatched amount of crypto in an unreasonable time.” The firm stated that while it repaid the funds, the amount returned to Kraken was significantly lower than demanded but matched its own records.

CertiK further clarified that it never requested a bounty from the exchange. Despite its response and defense, the firm’s actions have raised questions across the community.

Who’s at Fault?

While the security firm asserted that the funds in question were “minted out of thin air” and did not impact Kraken’s users, critics argued that these actions targeted the exchange’s treasury, jeopardizing user safety by risking the exchange’s solvency.

Several community members also asserted that the firm could have used a minimal test transaction to verify its findings without withdrawing such a large amount. However, CertiK doubled down on its claims of Kraken’s weak security measures, faulting the exchange for having the bug in the first place.

CertiK also reportedly moved the withdrawn Kraken funds through the sanctioned crypto mixer Tornado Cash, an anonymity tool used to obscure asset trails, and on to ChangeNOW, further raising questions about the genuineness of its intentions to refund.

Weighing in on the incident, Cinneamhain Ventures partner Adam Cochran questioned CertiK’s integrity as a security firm, asserting that its pattern of behavior parallels that of the notorious hacker group Lazarus.

Cochran added that several CertiK-audited protocols have also been hacked by Lazarus, raising concerns about whether the security research team has long been compromised.

On the Flipside

  • Several community members have described CertiK’s actions as “outright theft.”
  • In April 2024, CertiK raised an alarm over a vulnerability on Telegram. However, Telegram swiftly debunked the security firm’s claims.
  • CertiK also reportedly tested the vulnerability on other exchanges, including Coinbase.

Why This Matters

Hacks and scams have created a sore spot in the crypto industry, making actions echoing their patterns highly sensitive within the community. Despite CertiK’s assertions that it was merely testing Kraken’s security levels, the inconsistencies in its actions raise serious questions about its true intentions.


This article is for information purposes only and should not be considered trading or investment advice. Nothing herein shall be construed as financial, legal, or tax advice. Trading forex, cryptocurrencies, and CFDs pose a considerable risk of loss.

Author
Grace Abidemi

Grace is a crypto reporter for DailyCoin, covering a diverse range of market updates. Grace has minor holdings in Bitcoin & Solana, and moderate holdings in Rune & XRP.
