Kraken, a cryptocurrency exchange, has successfully recovered missing funds that were part of a high-profile bug bounty exploit incident. The stolen digital assets, valued at nearly $3 million, have been returned, bringing an end to the Kraken-CertiK saga that began on June 9.
Nicholas Percoco, the chief security officer of Kraken, confirmed the recovery of the funds, minus transaction fees, in a post on June 20. Kraken’s CSO had first announced the missing funds on June 19, stating that a security researcher had maliciously withdrawn the funds from the treasury after discovering a bug and sharing it.
Kraken alleged that the security researcher extorted them by refusing to return the funds unless a reward and a meeting with the exchange’s business development team were provided. Following Kraken’s disclosure of the incident, CertiK, a blockchain security firm, publicly identified themselves as the security researcher responsible for the exploit.
CertiK claimed to have informed Kraken about the exploit that allowed them to remove millions of dollars from the exchange’s accounts. They also stated that they were threatened by Kraken’s team. CertiK provided a timeline of events, from identifying the exploit on June 5 to the alleged threats from Kraken on June 18. They mentioned their intention to transfer the funds to an account accessible by Kraken.
CertiK explained its reason for withdrawing nearly $3 million in a post following the return of the funds. They stated that the substantial sum was necessary to test the limits of the exchange. CertiK clarified that they did not initially request a bounty, but it was brought up by the exchange. They gave assurances that no Kraken user funds were at risk, as the exploited funds were generated out of thin air.