Kraken Alleges Extortion and Theft of $3 Million by CertiK’s White Hat Hackers
Crypto exchange Kraken alleges that CertiK’s Web3 security researchers misappropriated $3 million by taking advantage of a vulnerability they identified. Representatives from CertiK assert that they performed a security audit for the crypto exchange, while Kraken staff are reportedly threatening them and are reluctant to offer a Bug Bounty.
Nicholas Percoco, Chief Security Officer at Kraken, stated that on June 9, an anonymous white hat hacker discovered a significant vulnerability and reported it to the exchange. However, upon further investigation, the exchange’s developers found that the bug had been exploited to withdraw over $3 million worth of digital assets from the exchange’s accounts.
According to Percoco’s account, following the withdrawal, the white hat hacker requested a reward payment before returning the stolen assets. Percoco described this as extortion, as the hacker insisted on receiving a “speculated $ amount that this bug could have caused if they had not disclosed it” before returning the funds.
It was later revealed that the white hat hacker was part of a team of Web3 security researchers known as CertiK, whose representatives publicly acknowledged their role in the incident. CertiK stated that their team identified multiple critical vulnerabilities while performing an anonymous security audit of Kraken.
In response to the allegations of $3 million in theft directed at their white hat hackers, the CertiK team explained that the funds were withdrawn as part of testing Kraken’s security system, which had vulnerabilities on several levels. Specifically, CertiK’s white hat hackers were able to withdraw funds from Kraken accounts for several days without any response from the cryptocurrency exchange’s security system. The CertiK team asserted that the funds were not withdrawn in small increments to avoid drawing attention but rather in larger transactions.
The CertiK team also noted that Kraken’s security service only reacted and blocked the test accounts a few days after they received an official notification regarding the incident and the vulnerability. Instead of negotiating a Bug Bounty payment and a process for returning the withdrawn assets, Kraken’s security operations team began threatening individual CertiK employees and demanded the return of funds that did not correspond to the amount withdrawn during the testing. Furthermore, the Kraken team did not provide addresses for the refunds in their requests.
“We are going public to safeguard all users’ security. We urge Kraken to stop any threats against white hat hackers,” CertiK stated in a release. The assets were withdrawn as a result of the security testing, and the white hat hacking team has already transferred access to an account, which will be handed over to Kraken.
Kraken representatives claim they are reaching out to law enforcement to recover the assets. Additionally, Percoco assures that the vulnerability has been identified and completely resolved, and the withdrawn assets were taken from the exchange’s treasury, meaning that users’ funds were not impacted.
The crypto community has largely sided with Kraken, describing CertiK’s actions as inconsistent with the conduct expected from white hat hackers. Attorney Adam Cochran even suggested a theory that Lazarus hackers might be operating behind the CertiK team. Other members of the crypto community echoed Cochran’s view, contending that white hat hackers do not hold funds hostage, nor do they carry out audits that go unreported for five days. Nonetheless, some users expressed support for the CertiK team, labeling the incident as an exemplary audit.
Earlier this year, a non-profit organization named the Security Alliance was established in the United States. This organization aims to unite and support white hat hackers in the fight against cybercrime.
The post Kraken Accuses CertiK’s White Hackers of Extortion and Stealing $3M appeared first on CoinsPaid Media.