Security company turns "hacker": reconstructing how the Kraken vs. CertiK dispute began

On June 20, the topic of the day is cryptocurrency exchange Kraken vs. blockchain security company CertiK. A public dispute is unfolding in the crypto community: many industry celebrities and KOLs on X have denounced CertiK as a blackmailing hacker. What happened?

The US crypto exchange Kraken has long run a bug bounty program that rewards people who report security vulnerabilities.

Kraken Chief Security Officer c7five said on X that a security researcher had previously reported a serious security vulnerability to the company through the bug bounty program.

This vulnerability allowed a malicious attacker to generate assets in their Kraken account without completing a deposit. After learning of it, the Kraken team immediately fixed the vulnerability.

But a later review showed that something was not right, and that the reporter had not come with friendly intentions.

The security researcher who submitted the report had increased his account balance by $4. At the same time, he shared the vulnerability with two other people, who then withdrew nearly $3 million from the Kraken account.

Kraken then tried to work with the security researcher to get the funds returned, but was refused. Instead, Kraken was told to communicate with their company's BD team (sales representatives), and they would not agree to return any funds until Kraken provided a hypothetical figure for the possible loss. This is not white hat hacking, but extortion!

The Kraken security team was furious. They believed that these actions were not white hat hacking, but extortion, and decided to treat this as a criminal case and coordinate with law enforcement agencies.

And who is the company that refused to return the funds?

Yes, the other protagonist of this article: security company CertiK.

CertiK responded to the accusation roughly as follows:

CertiK found a serious security vulnerability in the Kraken exchange that could result in hundreds of millions of dollars in losses. Through testing, they found three major problems, and more seriously, no alarms were triggered during the multi-day testing period.

After the vulnerability was fixed, Kraken's security operations team threatened CertiK employees, demanding that they repay a mismatched amount of cryptocurrency within an unreasonable time, and did not even provide a repayment address.
