The quarrels in the crypto industry are really exciting. The quarrel between the crypto security unicorn CertiK and the US super exchange Kraken has turned me into an avid onlooker.

The story goes something like this: during its security testing, CertiK discovered a serious vulnerability that made it possible to artificially inflate the balance of a trading account on the Kraken platform, and it claims it continued testing in the hope of triggering Kraken's alarm threshold. Kraken, however, said that CertiK's conduct went beyond the scope of ordinary security research and appeared to exploit the vulnerability for profit, and accused CertiK of extortion.

According to CertiK, their testing revealed multiple security vulnerabilities in Kraken's system, which, if not fixed, could lead to hundreds of millions of dollars in losses. CertiK emphasized that their actions were to strengthen network security and protect the interests of all users, and disclosed the complete testing timeline and related deposit addresses to prove their transparency and integrity.

Kraken and its CSO Nick Percoco emphasized through social media and public statements that their bug bounty program has clear rules and requires all researchers who discover vulnerabilities to abide by these rules. Kraken also stated that CertiK's actions have posed a direct threat to the security of its platform and that it has reported the incident to law enforcement agencies.

This confrontation not only involves technical and security issues, but also touches on the boundaries of law and ethics, especially the boundaries and responsibilities of white hat hacker activities. This provides a rich background and discussion basis for Attorney Mankiw to further explore the legal standards of white hat hackers.

Are white hat hackers' actions legal?

From a strictly behavioral perspective, what white hat hackers do is very similar to illegal intrusion into computer systems. In most cases, however, white hat hackers are not legally evaluated as acting illegally or criminally, because their purpose and the manner of their conduct make them essentially different from illegal or criminal actors.

On-chain white hat hackers help enterprises and organizations build a more secure network environment by discovering and patching vulnerabilities, thereby enhancing the reliability and credibility of the network and making a positive contribution to the security and stability of the entire chain.

Does collecting compensation affect how white hat hackers are evaluated? As an effective incentive mechanism, compensation attracts more talent to the field of network security and thereby improves the security of the entire industry. For enterprises and organizations, it is also a cost-effective way to get vulnerabilities fixed, and it builds the image of an enterprise that takes network security seriously. It is therefore an industry convention for white hat hackers to charge reasonable fees.

Is CertiK a white hat hacker this time?

One of the core issues in the dispute between CertiK and Kraken is the boundary of CertiK's conduct. In particular, the motivation for, and legality of, transferring $3 million to an external wallet has become the focus of the dispute.

The conduct was not transparent

CertiK is a security company that Kraken works with, and since it knew that Kraken runs a bounty program for security vulnerabilities, it could have made sure it had obtained full authorization before starting testing. At the same time, according to the community and Kraken, when CertiK reported the vulnerability it did not mention the specific amount transferred; only after Kraken demanded a "refund of $3M" did it disclose its "full test addresses" to show that it had not transferred the amount Kraken alleged.

The transfer of funds is a fact

According to Kraken and on-chain detective @0xBoboShanti, CertiK security researchers began probing and testing as early as May 27, which contradicts CertiK's own timeline of events. Moreover, in the subsequent vulnerability tests, although CertiK claimed the operation was meant to test whether Kraken's alarm system would be triggered in time, in practice the test did not stop at discovering the vulnerability: CertiK also transferred the funds to an independent wallet address. This goes beyond the scope of conventional security testing. It was also disclosed that CertiK had previously performed the same operation on multiple exchanges, and had used Tornado Cash to move assets and ChangeNOW to sell them.

Both of these circumstances most likely exceed the behavioral boundaries of a white hat hacker.

Legal definition is key

From a legal perspective, the actions of white hat hackers are generally considered legal, but only if they meet certain norms and conditions.

In the United States, the law most closely related to white hat hacker activity is the Computer Fraud and Abuse Act (CFAA). Under the CFAA, accessing a protected computer without authorization, or exceeding the scope of authorized access, may constitute a crime. White hat hackers therefore usually need to act within the scope of explicit authorization; otherwise, even when the purpose is security testing, they may violate the CFAA. In addition, as technology has developed, some jurisdictions have gradually formed more specific regulations to guide and protect the conduct of white hat hackers.

In China, the Cybersecurity Law sets out the overall requirements for enhancing cybersecurity protection and strengthening cyberspace management. This means that network intrusions, even for the purpose of security testing, may be considered illegal. The Cybersecurity Law also emphasizes the protection of personal data and privacy: any operation involving personal data during network testing must ensure that the data remains secure and that privacy is not violated. Finally, when security vulnerabilities are discovered, there is a duty to report them promptly to the cybersecurity management agency and to the affected network operators. This reporting mechanism is designed to get vulnerabilities patched in a timely manner and to prevent them from being abused.

That said, in the Web3.0 industry some white hat tests do involve transferring funds, but usually with the tacit consent of the project (for example, where the project has relevant grants), or by moving the crypto funds to a specific independent wallet for safekeeping (with no further operations), and then reporting the vulnerability and obtaining a reward from the project. This, too, is customary behavior in the industry.

In CertiK's case, however, the actual transfer of funds, and especially the subsequent operations, raises complex legal questions. First, whether CertiK transferred the funds for its own benefit; second, that CertiK did not comply with Kraken's clear requirements for white hat hackers, but instead demonstrated the same vulnerability again by transferring funds; and third, that its subsequent handling of the transferred funds may be regarded as illegal profit. In addition, CertiK's conduct after the fact, including its communication and coordination with Kraken, will also affect the legal evaluation of its actions.

Conclusion and reflection

Since the dispute between Kraken and CertiK is entirely a matter of US law, it is not easy for Attorney Mankiw to offer a view on it under US law. Had it happened under Chinese law, however, CertiK's actions would probably not escape charges of extortion and illegal intrusion into computer systems.

Indeed, white hat hackers can also "go black" in certain situations. Even if the original intention is to enhance the security of a system, conducting tests without proper authorization or exploiting discovered vulnerabilities for private gain departs from the legal and ethical standards of white hat hacking. As the CertiK and Kraken incident shows, unauthorized fund transfers, especially when large amounts of money are involved, may be considered black hat behavior even when carried out for testing purposes.