Major US crypto exchange Kraken claims to have been extorted by unnamed security researchers who exploited a bug in the platform to withdraw millions of dollars. While Kraken is treating the event as a criminal case, smart contract auditing firm Certik has a different story.
Nick Percoco, chief security officer at Kraken, disclosed in a post on X that the exchange was notified of a “critical bug” on June 9 by a team of security researchers. After looking into the issue, Kraken’s security team identified a bug that would allow a malicious actor to print assets into their Kraken account without completing a deposit.
Percoco said the team had patched the issue within an hour of identifying it, but their investigation led them to discover that three accounts had leveraged the system flaw within a few days of each other. As it turns out, one of these accounts was traced back to the security researcher who flagged the vulnerability to Kraken.
After crediting their account with $4 in crypto, which Percoco noted would have been sufficient to file a bug bounty report and collect a reward, the security researcher then supposedly notified two other individuals who generated a sum of nearly $3 million and withdrew these assets from Kraken’s treasuries, according to Percoco.
When the Kraken team asked for a full account of their activities and to arrange for the return of funds, the security researchers reportedly refused.
“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it,” Percoco said on X.
“This is not white-hat hacking, it is extortion!”
Kraken did not disclose the name of the research company, and is treating the firm’s actions as a criminal case and coordinating with law enforcement.
Shortly after Percoco’s public comments, smart contract audit firm Certik posted its own account of its dealings with Kraken on social media.
“Starting from a finding in Kraken’s deposit system where it may fail to differentiate between different internal transfer statuses, we conducted a thorough investigation with three key questions,” said Certik on X.
Certik said it had found flaws in Kraken’s defense system, which would allow a malicious actor to fabricate a deposit transaction to a Kraken account and withdraw those funds, all without triggering any alerts.
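The flaw as described by both sides is a status-confusion bug: a deposit record is credited to a spendable balance before the underlying transfer is actually final. The following Python sketch is an added illustration of that bug class and its fix, written for this page; it is hypothetical and is not Kraken's or Certik's code. All names (`TransferStatus`, `credit_vulnerable`, `credit_hardened`, `reconcile`) and the sample events are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class TransferStatus(Enum):
    PENDING = "pending"      # seen in a queue or mempool, not yet final
    FAILED = "failed"        # reverted, rejected or never completed
    CONFIRMED = "confirmed"  # final: the funds were actually received

@dataclass(frozen=True)
class DepositEvent:
    account: str
    amount: int              # smallest unit of the asset (constructed values)
    status: TransferStatus

def credit_vulnerable(balances: dict, ev: DepositEvent) -> dict:
    """Hypothetical flawed handler: credits on ANY deposit record without
    distinguishing the transfer's internal status, so a pending or failed
    transfer still mints spendable balance."""
    balances[ev.account] = balances.get(ev.account, 0) + ev.amount
    return balances

def credit_hardened(balances: dict, confirmed_in: dict, ev: DepositEvent) -> bool:
    """Only a CONFIRMED transfer moves spendable balance. The confirmed inflow
    is recorded separately so reconciliation can cross-check it later."""
    if ev.status is not TransferStatus.CONFIRMED:
        return False
    balances[ev.account] = balances.get(ev.account, 0) + ev.amount
    confirmed_in[ev.account] = confirmed_in.get(ev.account, 0) + ev.amount
    return True

def reconcile(balances: dict, withdrawn: dict, confirmed_in: dict) -> list:
    """Detective control: flag any account whose balance plus withdrawals
    exceeds everything ever confirmed as deposited (funds created from nothing).
    This is the alert the page says was missing."""
    alerts = [a for a in set(balances) | set(withdrawn)
              if balances.get(a, 0) + withdrawn.get(a, 0) > confirmed_in.get(a, 0)]
    return sorted(alerts)

# Constructed sample: one pending, one failed and one confirmed deposit.
SAMPLE = [DepositEvent("acct-A", 4_000, TransferStatus.PENDING),
          DepositEvent("acct-B", 500, TransferStatus.FAILED),
          DepositEvent("acct-C", 100, TransferStatus.CONFIRMED)]

def run_vulnerable() -> dict:
    balances = {}
    for ev in SAMPLE:
        credit_vulnerable(balances, ev)
    return balances

def run_hardened() -> tuple:
    balances, confirmed_in = {}, {}
    for ev in SAMPLE:
        credit_hardened(balances, confirmed_in, ev)
    return balances, confirmed_in
```

Running `reconcile` over the vulnerable ledger flags the two accounts credited from non-final transfers, while the hardened ledger produces no alerts.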
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” said Certik.
Certik’s description of the events suggests that it was the unnamed firm Kraken’s Percoco was referring to in his post. Several industry watchers called out Certik for acting in bad faith, including MetaMask product manager Taylor Monahan, who questioned the need for more than two test transactions in a situation like this one.
A timeline from Certik shows that the firm withdrew 590,200 MATIC tokens ($348,660) from Kraken between June 5 and June 8, but also mentions “a few more large deposits/withdrawals” without providing those withdrawal figures. Blockchain data shared by pseudonymous blockchain sleuth Spreek indicates that Certik deposited some of these MATIC tokens into coin mixer Tornado Cash — an activity that’s particularly surprising given Certik’s claims of carrying out a white-hat operation and the fact that the firm’s official headquarters is in the US, where Tornado Cash has been sanctioned by the Office of Foreign Assets Control (OFAC).
Certik and Kraken did not immediately respond to Unchained’s requests for comments.