The dispute between cryptocurrency exchange Kraken and security firm CertiK has taken another twist: Kraken plans legal action, alleging that CertiK has not returned all of the funds taken in what CertiK describes as a "white hat" operation. CertiK says it has returned the funds in full; Kraken disputes this.
Initial Discovery and Alleged Exploit
The saga began on June 9, when Kraken received a bug bounty alert from a self-described security researcher. The alert reported a bug in Kraken's system that allowed users to inflate their account balances. Kraken patched the bug and found that three accounts had already exploited it, withdrawing a total of $3 million from the exchange.
Kraken’s Investigation
Kraken's chief security officer, Nick Percoco, said that one of the three accounts was Know Your Customer (KYC) verified. That account first used the bug to credit itself $4, which was enough to demonstrate the flaw, but then shared it with two other accounts, leading to the $3 million withdrawal. Kraken asked the self-described "security researcher" to return the funds and claim the bounty; the individual instead demanded the bounty first and refused Kraken's requests.
CertiK’s Involvement and Controversy
CertiK later identified itself as the security firm behind the operation. It claimed that the employee who found the vulnerability had been threatened into returning the funds without being given a wallet address to send them to. CertiK asserted that it returned 734.19215 Ether, approximately $1.37 million, while Kraken maintains that the full amount was not returned.
CertiK also acknowledged routing the funds through Tornado Cash, a crypto mixing service, saying it did so to prevent them from being frozen by exchanges. The move drew criticism from the crypto community, which questioned CertiK's motives and methods, particularly because Tornado Cash is sanctioned by the US Office of Foreign Assets Control (OFAC).
Community Backlash
The crypto community largely sided with Kraken and criticized CertiK's handling of the situation. Many pointed out that a single small transaction would have been enough to prove the vulnerability, and questioned why millions of dollars needed to be withdrawn and moved through an OFAC-sanctioned mixer. Both CertiK's intentions and the legality of its actions were called into question.
CertiK’s Response
CertiK responded that a verbal agreement reached during a meeting with Kraken was never confirmed afterward. It expressed dismay at being publicly accused of theft and at threats made against its employees, calling these actions "completely unacceptable."
Ongoing Dispute and Legal Action
As the dispute continues, Kraken plans to pursue legal action against CertiK to recover the missing funds. The case highlights how blurred the line between ethical hacking and unauthorized access can become in the crypto industry, and the legal and ethical dilemmas that follow when a bug bounty engagement goes wrong.
The Kraken-CertiK saga underscores the importance of clear communication and trust between researchers and the organizations they report to. As both parties prepare for a potential legal battle, the crypto community is watching closely for a resolution that preserves the security and integrity of digital assets.