Written by: TechFlow

On June 20, the topic of the day is a public dispute unfolding between the cryptocurrency exchange Kraken and the blockchain security company CertiK. CertiK has been denounced as a blackmail hacker by many industry figures and KOLs on X. What exactly happened?

The US crypto exchange Kraken has long had a bug bounty program to reward people who provide information about security vulnerabilities.

Kraken’s chief security officer said on X that a security researcher had reported a serious security vulnerability to the company through its bug bounty program.

The vulnerability allowed malicious attackers to generate assets in their Kraken accounts without completing deposits. After learning of the information, the Kraken team immediately fixed the vulnerability.

But on closer review of the situation, something was clearly wrong, and the person who came forward did not have good intentions.

The security researcher who submitted the report increased his account balance by $4. At the same time, the security researcher shared the vulnerability with two other people, which led to them withdrawing nearly $3 million from their Kraken accounts.

Kraken then tried to work with the security researcher to have the funds returned, but was refused. Instead, Kraken was told to communicate with the researcher's company's BD team (business development, i.e. sales), and the researchers would not agree to return any funds until Kraken provided a figure for the hypothetical loss that could have occurred. This is not white hat hacking, but extortion!

The Kraken security team was furious. In their view, these actions were not white hat hacking but extortion, and they decided to treat the matter as a criminal case and coordinate with law enforcement agencies.

And who do you think is this company that refuses to return the funds?

That’s right, the other protagonist of this article is the security company CertiK.

CertiK responded to the allegations, in essence as follows:

CertiK had discovered a serious security vulnerability in the Kraken exchange that could have led to hundreds of millions of dollars in losses. Through testing, they found three major issues, and, more seriously, no alarms were triggered during the multi-day testing period.

After fixing the vulnerability, Kraken's security operations team threatened CertiK employees, demanding repayment of a mismatched amount of cryptocurrency within an unreasonable time frame, without even providing a repayment address.

CertiK also added a timeline of events, showing that the issue was first discovered on June 5.

As the incident came to light, more information was uncovered.

@0xBoboShanti found that an address posted on Twitter by a CertiK security researcher was already probing and testing as early as May 27, which contradicts CertiK's timeline of events.

In addition, Coinbase Executive Director @jconorgrogan found that CertiK had interacted with Tornado, a mixer specifically used to launder assets, and wrote in the comments under CertiK's post: "Do you know that Tornadocash is sanctioned by OFAC (Office of Foreign Assets Control)? And your place of registration is in the United States, right?"

The related discussion on X is full of criticism, and many people question whether CertiK has turned from a security firm into a blackmail hacker.

Hype, founder of Hype Investments, said:

"CertiK stole $3 million from Kraken, demanded a bounty from them and refused to return the cash; they confirmed this in a tweet, and are now moving all funds to Tornado.cash to prevent them from being seized by authorities."

"Certik just admitted to being the security company that stole data from Kraken and tried to extort more money from them," said crypto KOL Adam Cochran, who has 210,000 followers. "Considering that Certik audits are frequently hacked, and now this is happening again. It's incredible that Certik still exists. It's simply a criminal."

A commenter @cryptopsychdoc gave an interesting analogy:

Certik is like that girlfriend you caught cheating on you: when you confront her, she throws the problem back at you and demands to know why you were looking through her phone.

Paradigm's CTO retweeted CertiK's earlier financing news and joked: "My best wishes to the investment partners who must explain why their portfolio companies hacked into a US exchange, stole $3 million, and laundered money through a protocol blocked by OFAC."

According to earlier reports, in April 2022 CertiK announced the completion of an $88 million Series B3 financing round, jointly led by Insight Partners, Tiger Global, and Advent International, with participation from new and existing shareholders such as Goldman Sachs, Sequoia Capital, and Lightspeed. CertiK had completed four rounds of financing in the preceding nine months, raising a total of $230 million at a valuation of $2 billion.

We looked for more direct answers from CertiK to questions such as: When will the assets be returned? Why not return the assets? If the amount does not match, how much should it actually be? Why interact with Tornadocash?

But the latest response we have seen is CertiK repeatedly stressing that "the real question should be why Kraken's defense-in-depth system failed to detect so many test transactions. Continuous large withdrawals from different test accounts are part of our testing."
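The article does not describe the actual mechanics of the Kraken bug, so the following is an added illustration, not Kraken's or CertiK's code: a minimal deposit ledger contrasting the failure class the article describes (a balance becoming spendable before the deposit is final) with the hardened pattern of crediting only on confirmation, plus an independent reconciliation check that alerts when withdrawals are not backed by confirmed deposits, the kind of control that would have flagged "continuous large withdrawals from different test accounts". All account names, amounts and events below are constructed.

```python
"""
Added example (hypothetical; not Kraken's or CertiK's code). Models a deposit
ledger in two modes and a reconciliation check over constructed events.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Event tuples: (kind, account, amount). Amounts are integer minor units.
Event = Tuple[str, str, int]


class Ledger:
    def __init__(self, credit_on_confirmation: bool) -> None:
        # True  = hardened: balance is credited only once the deposit is final.
        # False = vulnerable pattern: balance is credited at deposit initiation.
        self.credit_on_confirmation = credit_on_confirmation
        self.balances: Dict[str, int] = defaultdict(int)
        self.confirmed: Dict[str, int] = defaultdict(int)  # deposits that reached finality
        self.withdrawn: Dict[str, int] = defaultdict(int)
        self.alerts: List[str] = []

    def apply(self, event: Event) -> bool:
        """Apply one event; returns False only for a rejected withdrawal."""
        kind, account, amount = event
        if kind == "deposit_initiated":
            if not self.credit_on_confirmation:
                # Vulnerable: spendable balance appears before the deposit is final.
                self.balances[account] += amount
            return True
        if kind == "deposit_confirmed":
            self.confirmed[account] += amount
            if self.credit_on_confirmation:
                self.balances[account] += amount
            return True
        if kind == "withdrawal":
            if self.balances[account] < amount:
                return False  # insufficient balance: reject
            self.balances[account] -= amount
            self.withdrawn[account] += amount
            # Independent control: money leaving must be backed by confirmed
            # deposits, regardless of what the balance table says.
            if self.withdrawn[account] > self.confirmed[account]:
                self.alerts.append(
                    f"{account}: withdrawn {self.withdrawn[account]} "
                    f"exceeds confirmed deposits {self.confirmed[account]}"
                )
            return True
        raise ValueError(f"unknown event kind: {kind}")


def run(events: List[Event], credit_on_confirmation: bool) -> Ledger:
    ledger = Ledger(credit_on_confirmation)
    for event in events:
        ledger.apply(event)
    return ledger


def total_unbacked_withdrawals(ledger: Ledger) -> int:
    """Platform-wide shortfall: per-account withdrawals exceeding confirmed deposits."""
    return sum(
        max(0, ledger.withdrawn[a] - ledger.confirmed[a]) for a in list(ledger.withdrawn)
    )


# Constructed sample events: a small probe, larger drains from separate
# "test" accounts that never confirm a deposit, and one legitimate customer.
SAMPLE_EVENTS: List[Event] = [
    ("deposit_initiated", "probe", 400),
    ("withdrawal", "probe", 400),
    ("deposit_initiated", "test-1", 1_000_000),
    ("withdrawal", "test-1", 1_000_000),
    ("deposit_initiated", "test-2", 2_000_000),
    ("withdrawal", "test-2", 2_000_000),
    ("deposit_initiated", "customer", 50_000),
    ("deposit_confirmed", "customer", 50_000),
    ("withdrawal", "customer", 20_000),
]


if __name__ == "__main__":
    vulnerable = run(SAMPLE_EVENTS, credit_on_confirmation=False)
    hardened = run(SAMPLE_EVENTS, credit_on_confirmation=True)
    print("vulnerable alerts:", vulnerable.alerts)
    print("vulnerable shortfall:", total_unbacked_withdrawals(vulnerable))
    print("hardened alerts:", hardened.alerts)
    print("hardened shortfall:", total_unbacked_withdrawals(hardened))
```

In the vulnerable mode every unconfirmed account drains successfully and the reconciliation check raises three alerts; in the hardened mode those withdrawals are rejected outright and only the confirmed customer can withdraw. The point of keeping the reconciliation check separate from the balance logic is that it catches the drain even when the crediting bug is present.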

It sounds almost like mockery: it only happened because you were that bad!

Looking at the whole incident, when a security company that calls itself a white hat turns into a "hacker", the line between black and white in the wild world of Web3 no longer seems so clear-cut.

What is even more ironic is that the name CertiK itself comes from the English word "Certification". When the "certifier" itself needs to be morally certified, the impression of a makeshift outfit becomes all the more obvious.

Don't Trust, Just Verify.