- CertiK cracked Kraken’s vault for over $3 million in a dubious white-hat hack.
- The security firm and popular American exchange point fingers at each other.
- CertiK returns $3M and complains about Kraken’s deceptive & aggressive communication.
The popular American cryptocurrency exchange Kraken and blockchain security audit company CertiK were entangled in an extortion scandal over millions of missing digital funds. On June 9, 2024, Kraken’s crypto exchange received a bug bounty program alert from a security researcher.
Just a Regular Bounty Hunt Gone Rogue?
According to Kraken’s Chief Security Officer Nick Percoco, the email didn’t disclose many details about the security breach. Still, it was worded as “extremely critical” because the bug allowed the white-hat hackers to artificially inflate their balances on Kraken.
Percoco explained that the isolated bug was found minutes after the communication from CertiK. According to Percoco, the bug allowed hackers to “initiate a deposit onto our platform and receive funds in their account without fully completing the deposit.”
$3 Million in Question: Two Sides of the Story
Moments after Kraken’s elaborate thread on X about malicious hackers who found a loophole in the platform’s code, CertiK confessed to having performed the white-hat hack. However, the well-known blockchain security company denied any malicious intentions.
CertiK claims to have received threats from Kraken’s staff members, including a demand to return unreasonably large amounts of digital assets. In response to Kraken’s allegations that $3 million was stolen intentionally, CertiK released a timeline of events, starting with June 5, 2024.
CertiK’s executive team also constructed a Q&A summary of the events to clarify what happened, asserting: “Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.”
CertiK ultimately returned the $3 million in digital assets to Kraken.
However, it remains an open question who is in the right in this ambiguous situation. While Kraken’s CSO claimed that the $3 million withdrawal by CertiK was over the top, CertiK begs to differ. According to their statement, CertiK was bound to test the limits of such an exploit before it touched investors’ money.
“After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered, and we still haven’t figured out the limit,” states the blockchain security audit company on X.
On the Flipside
- According to Kraken’s Chief Security Officer, CertiK intentionally left some information out of the initial bug report and refused to return funds unless Kraken provided an estimate of the damage the bug could have caused.
- The security audit company in question disclosed the bug to “two other individuals who they work with,” who successfully assisted CertiK in draining $3 million from Kraken’s reserves.
Why This Matters
Due to rising hacks and scams in the digital realm, identifying and solving security issues on popular crypto platforms is a top priority.