
Kraken vs. CertiK: $3M Bug Bounty Dispute Unfolds

Exploring the Intense Clash Between Kraken and CertiK Over a $3 Million Bug Bounty Exploit: Allegations, Threats, and the Impact on Crypto Security and Research Ethics


TL;DR

Kraken and CertiK are embroiled in a public dispute over roughly $3 million withdrawn through a deposit bug. CertiK says it responsibly reported critical vulnerabilities; Kraken says the withdrawals and the demand that followed amount to extortion. The controversy involves alleged threats, mishandled funds, and possible legal exposure, with consequences for both the exchange's security posture and the wider crypto security research community.


Kraken Accuses Security Researchers of Extortion After $3M Bug Bounty Exploit

A security firm's disclosure of a critical vulnerability in Kraken's systems has escalated into mutual allegations of extortion and threats.

Kraken's Chief Security Officer, Nick Percoco, revealed that the company received a bug bounty program alert from a security researcher in early June.

The cybersecurity firm that discovered the bug claimed that Kraken responded with threats and unreasonable demands instead of collaborating to fix the issue.

The conflicting accounts have turned into a public dispute, with each side accusing the other of questionable behavior.

In this strange and unsettling situation, the reliability of those entrusted with safeguarding our digital assets is called into question.


The initial report was vague, but it claimed to identify an "extremely critical" bug capable of inflating account balances on the exchange.

Nick Percoco explained that Kraken's security team acted promptly, investigating and pinpointing an isolated bug. This bug could allow a malicious actor, under specific conditions, to start a deposit on Kraken's platform and receive funds in their account without completing the deposit process.

Kraken swiftly addressed the issue, deploying a fix within one hour and 47 minutes.

CertiK alleges that their investigation uncovered more serious vulnerabilities in Kraken's systems beyond the initial bug report.

According to CertiK, their testing confirmed the ability to create fake deposits into any Kraken account and withdraw substantial amounts of fabricated cryptocurrency, exceeding $1 million, without triggering any alerts for multiple days.

CertiK asserts that after reporting these critical findings responsibly, which Kraken itself classified as the most severe, the exchange then allegedly threatened CertiK employees. The threats included demands for a repayment of a "misallocated amount" of cryptocurrency within an "unreasonable timeframe," without providing wallet addresses.

According to the security firm, Kraken's threats occurred after CertiK had already assisted in identifying and resolving the vulnerabilities successfully.

CertiK has chosen to go public to safeguard users and urges Kraken to stop threatening ethical security researchers who act in good faith.

This stands in contrast to Kraken's depiction of the initial $3 million incident as straightforward extortion by malicious actors.

CertiK maintains they adhered to responsible practices for disclosing vulnerabilities, working initially in collaboration with Kraken.

Kraken's deeper investigation found that the bug had already been exploited in the preceding days by three accounts, which it linked to colleagues of the original researcher.

One account, under the researcher's control, made a small $4 deposit, seemingly to test the vulnerability.

Over a five-day period, the same weakness was used to withdraw more than $3 million from Kraken's corporate wallets.

CertiK maintains that the transactions were conducted solely for testing purposes, with millions withdrawn from the system as part of their research.

They emphasize that the crypto balances generated were entirely synthetic and that no assets belonging to Kraken users were involved. The caveat, on the page's own account of events, is that the credits were fabricated but the withdrawals that followed drew on real assets held in Kraken's corporate wallets.

Furthermore, CertiK highlights that even though large quantities of synthetic tokens were created and traded for genuine cryptocurrencies over several days, Kraken's risk controls did not trigger, and no preventive measures were taken until CertiK disclosed the issue.
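The mechanism described above (a balance credited when a deposit is initiated rather than when it completes, and withdrawals against those phantom credits passing unnoticed for days) is easier to reason about in code. The following Python model is an added illustration for this article; it is not Kraken's code and is not derived from any published detail of Kraken's deposit pipeline. The `Ledger` class, the account names and the amounts are hypothetical. It places the credit-on-initiation flaw beside a credit-on-confirmation version and adds a reconciliation check of the kind that would have flagged withdrawals exceeding confirmed deposits.

```python
"""Toy model of a deposit-crediting flaw of the type described in the article.

Hypothetical example: not Kraken's code, and no claim is made about how
any real exchange implements deposits. Amounts are in an abstract
smallest unit (assumed, e.g. satoshi-like integers).
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class DepositState(Enum):
    INITIATED = "initiated"   # user started the deposit flow; nothing seen on-chain yet
    CONFIRMED = "confirmed"   # on-chain funds observed and finalised
    ABANDONED = "abandoned"   # flow started but never completed


@dataclass
class Deposit:
    account: str
    amount: int
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    balances: Dict[str, int] = field(default_factory=dict)
    deposits: List[Deposit] = field(default_factory=list)
    withdrawals: Dict[str, int] = field(default_factory=dict)

    # Vulnerable path: the account is credited the moment the deposit is
    # initiated, so an attacker can start a deposit, withdraw, and never finish.
    def vulnerable_start_deposit(self, account: str, amount: int) -> Deposit:
        d = Deposit(account, amount)
        self.deposits.append(d)
        self.balances[account] = self.balances.get(account, 0) + amount  # BUG: premature credit
        return d

    # Hardened path: initiation records intent only; the balance changes
    # exactly once, on confirmation.
    def start_deposit(self, account: str, amount: int) -> Deposit:
        d = Deposit(account, amount)
        self.deposits.append(d)
        return d

    def confirm_deposit(self, d: Deposit) -> None:
        if d.state is not DepositState.INITIATED:
            raise ValueError("deposit already finalised")
        d.state = DepositState.CONFIRMED
        self.balances[d.account] = self.balances.get(d.account, 0) + d.amount

    def abandon_deposit(self, d: Deposit) -> None:
        if d.state is DepositState.INITIATED:
            d.state = DepositState.ABANDONED

    def withdraw(self, account: str, amount: int) -> bool:
        """Debit the internal balance; returns False if funds are insufficient."""
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        self.withdrawals[account] = self.withdrawals.get(account, 0) + amount
        return True

    # Reconciliation control: an account whose cumulative withdrawals exceed
    # its cumulative *confirmed* deposits has been paid out against credits
    # that never arrived on-chain. Simplified: ignores trading gains, which a
    # real control would account for at the balance-sheet level.
    def reconcile(self) -> List[str]:
        confirmed: Dict[str, int] = {}
        for d in self.deposits:
            if d.state is DepositState.CONFIRMED:
                confirmed[d.account] = confirmed.get(d.account, 0) + d.amount
        return sorted(a for a, w in self.withdrawals.items() if w > confirmed.get(a, 0))


def demo_vulnerable() -> Tuple[bool, List[str]]:
    """Start a deposit, withdraw against the phantom credit, never complete it."""
    ledger = Ledger()
    d = ledger.vulnerable_start_deposit("attacker", 1_000)   # constructed sample account
    withdrew = ledger.withdraw("attacker", 1_000)            # succeeds: credited on initiation
    ledger.abandon_deposit(d)                                 # deposit is never completed
    return withdrew, ledger.reconcile()                       # reconcile() flags "attacker"


def demo_hardened() -> Tuple[bool, bool, List[str]]:
    """Same sequence against the hardened path: nothing to withdraw until confirmed."""
    ledger = Ledger()
    d = ledger.start_deposit("user", 1_000)                   # constructed sample account
    before = ledger.withdraw("user", 1_000)                   # False: no credit yet
    ledger.confirm_deposit(d)
    after = ledger.withdraw("user", 1_000)                    # True: backed by confirmed funds
    return before, after, ledger.reconcile()                  # reconcile() is clean


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened:  ", demo_hardened())
```

The reconciliation check is the part that speaks to the "no alerts for multiple days" claim: even with the premature-credit bug in place, a periodic comparison of paid-out funds against confirmed inflows per account would surface the discrepancy on the first run.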

According to Kraken, when it asked for the return of the withdrawn funds, as its bug bounty policy requires, the researchers declined. Instead, Kraken says, they demanded a payment based on a speculative estimate of the maximum loss the bug could have caused.

This $3 million exploit was cited by Kraken as evidence of extortion by malicious actors.

CertiK, however, claims this demand was provoked by Kraken's threats following CertiK's report of even more serious vulnerabilities.

It's worth noting that according to Kraken’s Bug Bounty page, the maximum payout for a Critical severity issue is limited to $1.5 million.

Interestingly, the same address involved in these "tests" made three deposits to Tornado Cash almost two weeks ago.

Should it be confirmed that CertiK routed funds through Tornado Cash, a mixer sanctioned by the U.S. Treasury's OFAC in 2022, the legal consequences could be significant.

The unfolding events will ultimately determine where fault lies; evidently, serious mistakes have been made.

Are we entering a territory where the distinction between ethical conduct and exploitation becomes unclear, resembling a journey into the mysterious realm of the Twilight Zone?


With both sides alleging extortion and threats, the situation has become a contest of conflicting claims.

Kraken asserts it acted appropriately to safeguard its interests after ethical lines were allegedly breached.

CertiK argues it adhered to established industry standards for disclosing vulnerabilities and coordinating responsibly.

In the midst of this public conflict, the users and the wider cryptocurrency community find themselves caught in the middle.

As accusations fly back and forth, the truth of the matter may eventually come to light.

Whose version of events will ultimately be validated?

What if there's another untold perspective, perhaps involving a rogue actor?

Given the potential implications for platform security and user safety in the cryptocurrency realm, one might question whether ethical practices and cooperation will prevail over accusations of wrongdoing.

In light of this significant event, it's crucial to contemplate its potential impact on security researchers who may hesitate to disclose findings, wary of being embroiled in similar controversies.

Nor can the possibility of a rogue actor inside CertiK contributing to the alleged exploitation be dismissed outright. That scenario further complicates the narrative and raises questions of trust and accountability within the security research community.
