The ongoing Kraken-CertiK saga has taken a new twist. CertiK, a security firm, has claimed to have conducted a white hat operation on specific Kraken accounts that did not belong to customers, resulting in the draining of nearly $3 million, as reported by Kraken. However, Kraken states that the full exploited amount was not returned, while CertiK insists that all funds were returned according to their records.
In an update on June 20, CertiK announced that they had returned 734 Ether (ETH), 29,001 Tether (USDT) tokens, and 1,021 Monero (XMR) coins. On the other hand, Kraken requested 155,818 Polygon (MATIC) tokens, 907,400 USDT, 475.5 ETH, and 1,089.8 XMR.
The saga began on June 9, when Kraken received an alert from an alleged security researcher regarding a bug in their system that allowed users to manipulate their account balances. Upon discovering that $3 million had been stolen from the exchange due to this bug, Kraken found that one of the accounts involved was Know Your Customer (KYC) verified and had used the bug to add $4 to their account.
Kraken’s chief security officer, Nick Percoco, explained that while the initial $4 could have been sufficient to demonstrate the bug and claim the bounty, the account allegedly shared the flaw with two others, resulting in a total of $3 million being taken from Kraken.
The alleged “security researcher” refused to return the funds to Kraken, insisting on receiving the bounty first. Although the security firm behind the white hat exploit was not initially disclosed by Kraken, CertiK later revealed that they were responsible for the operation.
CertiK claimed that their employee who discovered the bug was threatened and told to return the stolen funds, but was not provided with a wallet address to send them back to. Ronghui Gu, co-founder of CertiK, stated to Cointelegraph that the stolen funds were sent to Tornado Cash, a crypto mixing service, to prevent them from being frozen by exchanges.
This move by CertiK drew criticism from the crypto community, with questions raised about their motives and the legality of using Tornado Cash, an OFAC-sanctioned tool. Many in the community sided with Kraken, accusing CertiK of unethical behavior, stealing, and blackmailing the exchange for the bounty.
Kraken has informed Cointelegraph that they are working with law enforcement agencies regarding the ongoing situation. This article will be updated with further comments from Kraken and CertiK.