Kraken and CertiK are currently embroiled in a dispute over $3 million that was withdrawn from Kraken’s treasury by a research team from CertiK. The conflict has raised important questions about ethical hacking, communication protocols, and the appropriate handling of vulnerabilities.
The dispute began when Kraken experienced a loss of approximately $3 million due to a bug exploit that was initially reported by the CertiK research team. Kraken’s Chief Security Officer, Nicholas Percoco, accused the team of extortion, alleging that they demanded a reward for the stolen funds and refused to return them unless Kraken agreed to pay a speculative amount for potential damages.
According to Percoco, the bug was first reported on June 9 and allowed the CertiK team to withdraw over $3 million from Kraken’s treasury. Despite alerting Kraken to the security flaw, the team still exploited the bug. Kraken confirmed that the stolen assets came from their treasury but assured users that their funds were safe. The exchange is also working with law enforcement to recover the stolen funds.
Percoco revealed that one of the accounts involved in the exploit had completed Know Your Customer (KYC) verification. The CertiK team initially demonstrated the bug with a $4 crypto transfer, which would have qualified them for a bounty from Kraken. However, the subsequent withdrawal of nearly $3 million raised ethical concerns.
CertiK later identified themselves as the team involved and claimed that Kraken had threatened their employees. Percoco expressed disappointment and noted that Kraken’s request to return the funds was met with accusations of unprofessionalism.
The dispute between CertiK and Kraken has raised several critical questions about CertiK’s white hat operations and the actions taken by both parties. CertiK has come forward to provide clarification. It states that no real Kraken users’ assets were involved in its research activities, as the cryptocurrencies were created out of thin air. Despite the allegations, CertiK says it consistently assured Kraken that it would return the funds, which it has now done.
However, the total amount returned by CertiK does not match Kraken’s request. CertiK returned a certain amount of ETH, USDT, and XMR, while Kraken had requested different amounts of MATIC, USDT, ETH, and XMR. CertiK explained that it conducted multiple large-scale tests to assess the limits of Kraken’s protection and risk controls. It promptly disclosed all vulnerability details to Kraken, which fixed the issue within 47 minutes. CertiK did not participate in Kraken’s bounty program, and its stated priority was ensuring that the issue was fixed.
The controversy surrounding CertiK has sparked strong reactions within the crypto community. Prominent figures like Adam Cochran and Erik Voorhees have weighed in on the situation. Cochran pointed out certain actions by CertiK’s security auditors that resemble patterns associated with hacking groups. He also warned that using a US-sanctioned tool could lead to legal issues for CertiK. Voorhees questioned the relevance of sanctions if CertiK is not based in the US, but Cochran highlighted that CertiK’s cofounders are US professors and the company’s headquarters are in the US.
Community members expressed concerns about the severity of the situation, particularly regarding the violation of OFAC regulations and the intentions behind using Tornado Cash. Meanwhile, Kraken reassured its users that their funds were never at risk and stated its firm stance against CertiK, accusing the firm of unethical practices and demanding the return of all exploited funds.