Crypto exchange Kraken claims that CertiK’s Web3 security researchers embezzled $3 million by exploiting a vulnerability they discovered. CertiK representatives claim they conducted a security audit of the crypto exchange, and that Kraken employees are threatening them and unwilling to pay a bug bounty.
Nicholas Percoco, Chief Security Officer at Kraken, said that on June 9, an anonymous white hat hacker found a critical vulnerability and reported it to the exchange. However, after conducting an investigation, the exchange’s developers discovered that the bug had been used to withdraw more than $3 million worth of digital assets from the exchange’s accounts.
According to Percoco’s report, after the withdrawal, the white hat hacker demanded a reward payment to recover the stolen funds. Nicholas said this was extortion, as the hacker refused to return the funds until Kraken agreed to “provide a speculated $ amount that this bug could have caused if they had not disclosed it.”
It later turned out that behind the white hat hacker was a team of Web3 security researchers called CertiK, whose representatives publicly stated their involvement in the incident. According to CertiK, the team discovered several critical vulnerabilities while conducting an anonymous security audit of Kraken.
In response to accusations of $3 million in theft made against their white hat hackers, the CertiK team said that the funds were withdrawn due to testing Kraken’s security system, which was compromised on several fronts. In particular, CertiK’s white hat hackers managed to withdraw funds from Kraken accounts for several days, while the cryptocurrency exchange’s security system didn’t react in any way to what was happening. The CertiK team claimed that the funds weren’t withdrawn in small amounts to avoid attracting attention but rather in large transactions.
The CertiK team also said that Kraken’s security service reacted and blocked the test accounts only a few days after receiving an official notification about the incident and the vulnerability. Instead of agreeing on a bug bounty payment and a procedure for returning the withdrawn assets, Kraken’s security operations team began threatening individual CertiK employees and demanding the return of an amount that didn’t match what had actually been withdrawn during the testing. Moreover, the Kraken team didn’t even provide addresses for the refunds in their demands.
“We are going public to protect all users’ security. We urge Kraken to cease any threats against white hat hackers,” CertiK claimed in a statement. The assets were withdrawn as a result of the security testing, and the white hat hacking team has already transferred access to an account that will be handed over to Kraken.
Kraken representatives say they have contacted law enforcement to recover the assets. Percoco also states that the vulnerability was identified and fully eliminated, and that the withdrawn assets were taken from the exchange’s treasury; that is, users’ funds weren’t affected.
The crypto community took Kraken’s side, characterizing CertiK’s actions as inconsistent with the behavior of white hat hackers. Attorney Adam Cochran even proposed a theory that Lazarus hackers are hiding behind the CertiK team. Other crypto community members supported Cochran’s opinion, arguing that white hat hackers neither hold funds hostage nor conduct audits that go unreported for five days. Still, some users supported the CertiK team, calling the incident an exemplary audit.
At the beginning of this year, a non-profit organization called the Security Alliance was launched in the United States. This organization aims to unite and support white hat hackers in countering cybercrime.
UPD: On June 20, Nicholas Percoco confirmed that CertiK’s white hat hackers had returned the amount withdrawn from Kraken accounts, specifying that it was slightly less than the original amount because of transaction fees. According to the CertiK team, the amount of the returned funds doesn’t match Kraken’s original demands. The white hat hackers returned 734 ETH, 29,000 USDT, and 1,021 XMR, while the exchange claimed a loss of 155,818 MATIC, 907,400 USDT, 475 ETH, and 1,090 XMR. The CertiK team also says they didn’t demand a reward from the crypto exchange, as receiving a bug bounty isn’t a priority for the team’s work.