19 June 2024
Cryptocurrency exchange Kraken has announced that it has fallen victim to a major security flaw that has resulted in the theft of $3 million worth of digital assets. However, in a surprising turn of events, the party responsible has been identified as CertiK. This blockchain security firm claims to have initially reported the bug through Kraken’s bug bounty program.
CertiK is now accused of exploiting additional vulnerabilities and extorting the exchange for more money, leading to calls for legal action and concerns among crypto investors.
Kraken Security Flaws Exposed
The incident unfolded when Kraken’s Chief Security Officer, Nick Percoco, revealed that the exchange had received a bug report on June 9 from a self-described security researcher. The researcher claimed to have discovered an “extremely critical” bug that allowed them to inflate their balance on the platform artificially.
Upon further investigation, CertiK, which admitted its involvement in the incident in its social media post, uncovered several critical vulnerabilities in Kraken’s systems that could potentially result in losses of hundreds of millions of dollars.
CertiK’s findings revealed shortcomings in Kraken’s deposit system, indicating a failure to differentiate between internal transfer statuses. Furthermore, CertiK’s testing revealed that Kraken failed all these tests, exposing the compromised state of Kraken’s defense-in-depth system.
According to CertiK, “millions of dollars” could be deposited into any Kraken account, and a substantial amount of fabricated cryptocurrency (worth over $1 million) could be withdrawn and converted into valid digital assets.
The security firm also claimed that no alerts were triggered during a “multi-day test period” and that Kraken only responded and blocked the test accounts days after the incident was officially reported.
Following the identification of the vulnerability, CertiK alleges that Kraken’s security operations team “threatened” individual CertiK employees, demanding the repayment of a “mismatched” amount of cryptocurrency within an “unreasonable time frame,” without providing repayment addresses.
However, Kraken’s Percoco countered that they had requested a full accounting of the then-unknown company’s activities and the return of the withdrawn funds. Percoco argued that CertiK’s refusal to comply with these requests violated the rules of ethical hacking and bordered on extortion.
Will CertiK Face Legal Repercussions?
The revelation of this incident has raised surprise and concerns within the cryptocurrency community, leading to calls for legal action against CertiK.
One user accused CertiK of stealing the $3 million funds from Kraken, holding it ransom for a bounty, refusing to return the funds, and now transferring the money to Tornado.cash to protect it from potential seizure by authorities.
Coinbase’s Director, Conor Grogan, pointed out that Tornado.cash is subject to the Office of Foreign Assets Control (OFAC) sanctions and highlighted CertiK’s US domicile, hinting at potential legal repercussions by US agencies.
Market expert Adam Cochran also weighed in, astonished at CertiK’s actions and highlighting the firm’s history of compromised audits. Cochran went further to describe the situation as “Down right criminal.”
The next steps taken by Kraken and potential consequences for CertiK are yet to be seen. However, the involvement of US agencies and potential legal actions loom over the security firm.
The unfolding developments in this case will undoubtedly shape the future of bug bounty programs and impact the relationship between cryptocurrency exchanges and security firms.
Featured image from Shutterstock, chart from TradingView.com