Blockchain security firm CertiK has identified itself as the security researcher Kraken is claiming stole nearly $3 million worth of digital assets.
Kraken lost nearly $3 million to the exploit less than two weeks ago. At the time, the cryptocurrency exchange stated it was treating the incident as a criminal case and would coordinate with law enforcement agencies.
The Kraken Attack
On June 9, cryptocurrency exchange Kraken revealed it had suffered an exploit that saw the platform lose $3 million worth of assets. According to a report shared by Kraken’s Chief Security Officer, Nicholas Percoco, the platform received a bug bounty program alert from a security researcher claiming to have found an extremely critical bug that allowed them to inflate their balance on Kraken artificially.
“On June 9, 2024, we received a bug bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an ‘extremely critical’ bug that allowed them to artificially inflate their balance on our platform.”
Percoco stated that upon further investigation, they discovered an isolated bug that gave the bad actor significant privileges, allowing them to initiate a deposit on Kraken and receive funds in their account even without completing their deposit. The vulnerability, originating after a recent UX change on Kraken, allowed the attacker to “print assets” in their Kraken account. Kraken stated that the flaw was patched, and no client funds were compromised. Kraken claimed that a further investigation revealed that the security researcher had shared the bug with two colleagues, who had used it to gain significant funds fraudulently.
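The article describes the bug class only at a high level: a deposit could be initiated and the balance credited before the deposit was ever completed. The following is an added illustration of that class and one hardening against it; it is a constructed simplification, not Kraken's code, and the ledger, deposit states and amounts are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    INITIATED = "initiated"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # smallest unit of the asset; constructed values
    state: DepositState = DepositState.INITIATED


class VulnerableLedger:
    """Credits the spendable balance as soon as a deposit is initiated
    (a simplified model of the bug class in the article, not Kraken's code)."""

    def __init__(self):
        self.balances = {}
        self.deposits = {}

    def initiate(self, deposit_id: str, account: str, amount: int) -> None:
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)
        # BUG: credited before any settlement is confirmed, so an abandoned
        # deposit still leaves a spendable balance behind.
        self.balances[account] = self.balances.get(account, 0) + amount

    def spendable(self, account: str) -> int:
        return self.balances.get(account, 0)


class HardenedLedger(VulnerableLedger):
    """Records the deposit on initiation, credits only on confirmed settlement."""

    def initiate(self, deposit_id: str, account: str, amount: int) -> None:
        self.deposits[deposit_id] = Deposit(deposit_id, account, amount)  # no credit

    def settle(self, deposit_id: str, confirmed_amount: int) -> int:
        d = self.deposits[deposit_id]
        if d.state is DepositState.CONFIRMED:
            return self.spendable(d.account)  # idempotent: never credit twice
        if d.state is not DepositState.INITIATED or confirmed_amount != d.amount:
            d.state = DepositState.FAILED  # mismatch or replay: credit nothing
            raise ValueError(f"deposit {deposit_id} was not settled as initiated")
        d.state = DepositState.CONFIRMED
        self.balances[d.account] = self.balances.get(d.account, 0) + confirmed_amount
        return self.spendable(d.account)
```

The single state transition from INITIATED to CONFIRMED, checked against the confirmed amount, is what keeps an initiated-but-unfinished deposit from ever becoming spendable.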
CertiK Identifies Itself As Security Researcher
Now, blockchain security firm CertiK has identified itself as the security researcher Kraken claims stole $3 million worth of digital assets. In a post on X, CertiK stated it had informed Kraken about an exploit that allowed it to remove millions from the exchange’s accounts.
“CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange, which could potentially lead to hundreds of millions of dollars in losses. Upon discovery, we informed Kraken, whose security team classified it as Critical: the most serious classification level at Kraken.”
The blockchain security firm claimed Kraken’s security operations team threatened CertiK employees.
“After initial successful conversations on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses. In the spirit of transparency and our commitment to the Web3 community, we are going public to protect all users’ security. We urge [Kraken] to cease any threats against white hat hackers.”
CertiK also posted a timeline of events, beginning with identifying the exploit on June 5 and ending with Kraken threatening CertiK employees on June 18. The security firm added that it would also transfer the funds to an account that Kraken would be able to access.
Crypto Community Supporting Kraken
Reactions from many in the crypto community seemed to favor Kraken, claiming that CertiK’s actions did not align with how white hat hackers would have conducted themselves. However, it is unclear if Kraken plans to pursue legal action or has grounds to do so.
“Certik just admitted to being the security firm that stole from Kraken and is trying to extort them for more of a payment. Given how often Certik audits get hacked and now this, it’s wild that they still exist. Downright criminal.”
CertiK has previously identified significant vulnerabilities in the Wormhole Bridge and the Telegram app. The firm had reported that around $1 billion in digital assets were lost to illegal activities in 2023.