Cryptocurrency exchange Kraken confirmed on June 20 the recovery of nearly $3M in digital assets from blockchain security firm CertiK following extortion allegations that had overshadowed their white-hat hack.
Kraken’s Chief Security Officer Nick Percoco took to X to announce the return of the funds, minus the amount spent on transaction fees.
Update: We can now confirm the funds have been returned (minus a small amount lost to fees). https://t.co/cHkjPt3m2A
- Nick Percoco (@c7five) June 20, 2024
Kraken’s CSO first reported the $3 million in missing funds on June 19, stating that a “security researcher” had maliciously withdrawn them from the treasury after discovering and disclosing an existing bug.
Kraken alleged that the security researcher had extorted them, refusing to return the funds and demanding a reward along with a call with the exchange’s business development team.
CertiK Clears Up the Allegations
Shortly after Kraken’s post about the missing funds, blockchain security firm CertiK publicly identified itself as the “security researcher” that Kraken claimed stole $3 million of digital assets.
This came in an effort to challenge the allegations and dispel any notions of malicious intent.
In a June 19 X post, CertiK said it had informed Kraken of an exploit that allowed it to remove millions of dollars from the exchange’s accounts. CertiK also claimed to have been threatened by the exchange’s team.
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” CertiK stated.
To clarify their side of the story, CertiK also released a timeline of events, covering the entire discourse, starting with identifying the exploit on June 5.
Timeline of Events
Why Did They Withdraw $3M?
Kraken’s CSO initially stated that the first malicious transfer, worth just $4, would have been sufficient to prove the bug and earn “sizable rewards” from Kraken’s bounty program.
The security researcher, later revealed to be CertiK, had instead minted nearly $3 million into their Kraken accounts.
In an X post following the return of the $3 million, CertiK answered many prominent questions surrounding the situation. Most importantly, they explained their justification for the big sum.
“We want to test the limit of Kraken’s protection and risk controls,” CertiK stated. “After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”
Q&A to recent CertiK-Kraken whitehat operations:
1. Did any real user lose fund? No. Cryptos were minted out of air, and no real Kraken user’s assets were directly involved in our research activities.
2. Have we refused to return the funds? No. In our communication with…
- CertiK (@CertiK) June 20, 2024
Additionally, CertiK claims that it never intended to bring a bounty into the picture; according to CertiK, it was Kraken that first raised the subject.
“We never mentioned any bounty request,” CertiK said. “It was Kraken who first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed.”
CertiK highlighted that its efforts were not at the expense of any Kraken users. The funds were “minted out of air.”
Despite their claimed innocence, the situation has sparked debate about the nature of ethical hacking, proper communication protocols, and the appropriate handling of discovered vulnerabilities.