Blockchain security firm CertiK has publicly revealed that it is the “security researcher” Kraken accused of stealing $3 million in digital assets. On June 19, CertiK disclosed in a post on X that it had identified a vulnerability in Kraken’s system that allowed millions of dollars’ worth of assets to be withdrawn from the exchange’s accounts.
Kraken’s Chief Security Officer, Nicholas Percoco, had previously claimed an unnamed security team, now identified as CertiK, committed “extortion” by refusing to return the funds until Kraken paid a speculative amount that could have been lost if the bug went undisclosed.
CertiK countered by stating that Kraken’s security team threatened individual employees, demanding repayment of an unspecified amount of crypto within an unreasonable time frame, without providing repayment addresses. CertiK announced plans to transfer the funds to an account accessible by Kraken.
CertiK detailed the vulnerabilities in Kraken’s system, which could have led to significant losses. Its investigation found that Kraken’s deposit system could fail to differentiate between internal transfer statuses, so a malicious actor could fabricate deposit transactions, withdraw the fabricated funds, and convert them into valid cryptocurrency without triggering any alerts.
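The bug class described above, credit-before-settlement, is easiest to see in code. The following is an added illustration written for this article; it is not Kraken’s or CertiK’s code, and the page does not describe Kraken’s actual implementation. The status names, amounts and event sequence are assumptions. A weak ledger credits spendable balance the first time it sees a deposit, whatever its status; the hardened ledger credits only finalized transfers, tracks unsettled ones separately, and raises an alert when a supposedly final transfer is reverted. A reconciliation check reports how much spendable balance is not backed by settled funds.

```python
"""Deposit-status confusion: weak vs. hardened ledger (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum


class TransferStatus(Enum):
    # Assumed names for internal transfer states; a real exchange has its own.
    INITIATED = "initiated"    # client announced the deposit
    PENDING = "pending"        # seen on-chain, not yet final
    FINALIZED = "finalized"    # irreversible, safe to spend
    REVERTED = "reverted"      # never settled (reorg, replaced or failed tx)


@dataclass
class DepositEvent:
    tx_id: str
    account: str
    amount: int                # smallest units
    status: TransferStatus


@dataclass
class Ledger:
    available: dict = field(default_factory=dict)   # account -> spendable balance
    pending: dict = field(default_factory=dict)     # tx_id -> (account, amount)
    finalized_total: int = 0                        # sum of settled deposits
    withdrawn_total: int = 0
    alerts: list = field(default_factory=list)

    def on_deposit_event(self, ev: DepositEvent) -> None:
        raise NotImplementedError

    def withdraw(self, account: str, amount: int) -> bool:
        # Both variants withdraw only from 'available'; the difference is
        # in what each variant allows to be credited there.
        if amount <= 0 or self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        self.withdrawn_total += amount
        return True

    def reconcile(self) -> int:
        """Spendable balance (already paid out or still held) that is not
        backed by finalized deposits. Zero means every credited unit settled."""
        backed = self.finalized_total - self.withdrawn_total
        return sum(self.available.values()) - backed


@dataclass
class WeakLedger(Ledger):
    seen: set = field(default_factory=set)

    def on_deposit_event(self, ev: DepositEvent) -> None:
        # Bug class: the first event for a tx credits spendable balance,
        # regardless of its status, and nothing is alerted on later changes.
        if ev.tx_id in self.seen:
            return
        self.seen.add(ev.tx_id)
        self.available[ev.account] = self.available.get(ev.account, 0) + ev.amount
        if ev.status == TransferStatus.FINALIZED:
            self.finalized_total += ev.amount


class HardenedLedger(Ledger):
    def on_deposit_event(self, ev: DepositEvent) -> None:
        if ev.status in (TransferStatus.INITIATED, TransferStatus.PENDING):
            self.pending[ev.tx_id] = (ev.account, ev.amount)   # visible, not spendable
        elif ev.status == TransferStatus.FINALIZED:
            self.pending.pop(ev.tx_id, None)
            self.available[ev.account] = self.available.get(ev.account, 0) + ev.amount
            self.finalized_total += ev.amount
        elif ev.status == TransferStatus.REVERTED:
            if self.pending.pop(ev.tx_id, None) is None:
                # A revert for a transfer we already treated as final is the
                # condition that must page someone.
                self.alerts.append(f"revert after finalization: {ev.tx_id}")


def run_attack(ledger: Ledger) -> tuple:
    """Constructed sequence: deposit announced, withdrawn against, never settles.
    Returns (withdrawal succeeded, unbacked units, number of alerts)."""
    acct = "attacker"
    ledger.on_deposit_event(DepositEvent("tx-1", acct, 1_000, TransferStatus.INITIATED))
    ok = ledger.withdraw(acct, 1_000)
    ledger.on_deposit_event(DepositEvent("tx-1", acct, 1_000, TransferStatus.REVERTED))
    return ok, ledger.reconcile(), len(ledger.alerts)


def run_honest(ledger: Ledger) -> tuple:
    """Constructed sequence: a deposit that settles before the withdrawal."""
    acct = "customer"
    ledger.on_deposit_event(DepositEvent("tx-2", acct, 1_000, TransferStatus.FINALIZED))
    ok = ledger.withdraw(acct, 1_000)
    return ok, ledger.reconcile()


def run_late_revert(ledger: Ledger) -> int:
    """Constructed sequence: a transfer marked final is later reverted.
    Returns the number of alerts raised."""
    ledger.on_deposit_event(DepositEvent("tx-3", "x", 5, TransferStatus.FINALIZED))
    ledger.on_deposit_event(DepositEvent("tx-3", "x", 5, TransferStatus.REVERTED))
    return len(ledger.alerts)


if __name__ == "__main__":
    print("weak:", run_attack(WeakLedger()))          # (True, 1000, 0)
    print("hardened:", run_attack(HardenedLedger()))  # (False, 0, 0)
    print("honest:", run_honest(HardenedLedger()))    # (True, 0)
```

With the weak ledger the attack withdrawal succeeds and reconciliation shows 1,000 units paid out that no settled deposit backs, while no alert fires; the hardened ledger refuses the withdrawal, reconciles to zero, and still serves the honest flow. The reconciliation invariant is the cheap, system-independent check worth running on a schedule regardless of how the deposit pipeline is written.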
CertiK stated, “After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”
They noted that Kraken’s defense systems were compromised on multiple fronts, with the exchange only responding days after the vulnerabilities were reported.
CertiK emphasized its commitment to transparency and the security of the Web3 community, urging Kraken to stop threatening white-hat hackers. They called for collaboration to address security risks and safeguard the future of Web3.
Initial reactions from the crypto community seemed to support Kraken, viewing CertiK’s actions as not in line with typical white-hat hacker behavior.