Cryptocurrency exchange Kraken has announced that it fell victim to a major security flaw that led to the theft of $3 million in digital assets. In a surprising turn, the responsible party turned out to be CertiK, a blockchain security company that says it initially reported the bug through Kraken’s bug bounty program.
CertiK is now accused of exploiting additional security vulnerabilities and extorting more money from the exchange, leading to calls for legal action and to concern among cryptocurrency investors.
Kraken security vulnerabilities revealed
The incident came to light when Kraken’s chief security officer, Nick Percoco, revealed that on June 9 the exchange had received a bug report from a self-proclaimed security researcher. The researcher claimed to have discovered an “extremely critical” bug that allowed him to artificially inflate his balance on the platform.
CertiK, which admitted its involvement in the incident in a post on social media, said that on further investigation it had discovered several critical vulnerabilities in Kraken’s systems that could potentially result in hundreds of millions of dollars in losses.
CertiK’s findings pointed to weaknesses in Kraken’s deposit system, specifically a lack of distinction between internal transfer statuses. CertiK further stated that Kraken failed all of its tests, which it presented as evidence of the compromised state of Kraken’s defense in depth.
According to CertiK, “millions of dollars” could be deposited into any Kraken account, and a significant amount of fabricated cryptocurrency (worth over $1 million) could be withdrawn and converted into valid digital assets.
The security company also claimed that no alerts were triggered during the “multi-day test period” and that Kraken only responded and blocked test accounts several days after the incident was officially reported.
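As an added illustration that is not Kraken’s or CertiK’s code, and written without any knowledge of Kraken’s actual implementation, the following Python sketch contrasts a deposit ledger that credits spendable balance on any transfer event with one that credits only confirmed transfers, and adds the reconciliation check that would have raised the alert CertiK says never fired. Account names, amounts and the status model are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class TransferStatus(Enum):
    PENDING = "pending"        # initiated, may still fail or be reversed
    FAILED = "failed"          # rejected or rolled back; no funds arrived
    CONFIRMED = "confirmed"    # finalised; funds are actually held

@dataclass(frozen=True)
class Transfer:
    account: str
    amount: int                # smallest currency unit (constructed values)
    status: TransferStatus

def credit_without_status_check(transfers):
    """Vulnerable pattern: every transfer event increases spendable balance,
    so a pending or failed transfer inflates the balance like a real one."""
    balances = {}
    for t in transfers:
        balances[t.account] = balances.get(t.account, 0) + t.amount
    return balances

def credit_confirmed_only(transfers):
    """Hardened pattern: only CONFIRMED transfers reach the spendable balance."""
    balances = {}
    for t in transfers:
        if t.status is TransferStatus.CONFIRMED:
            balances[t.account] = balances.get(t.account, 0) + t.amount
    return balances

def reconcile(balances, transfers):
    """Detection: return accounts whose spendable balance exceeds the sum of
    their confirmed deposits. A non-empty result should page the SOC."""
    confirmed = {}
    for t in transfers:
        if t.status is TransferStatus.CONFIRMED:
            confirmed[t.account] = confirmed.get(t.account, 0) + t.amount
    return sorted(a for a, bal in balances.items() if bal > confirmed.get(a, 0))

# Constructed sample: one pending, one confirmed and one failed transfer.
SAMPLE = [
    Transfer("alice", 1_000, TransferStatus.PENDING),
    Transfer("alice", 500, TransferStatus.CONFIRMED),
    Transfer("bob", 2_000, TransferStatus.FAILED),
]
```

Run `reconcile(credit_without_status_check(SAMPLE), SAMPLE)` to see both accounts flagged, while the confirmed-only ledger reconciles cleanly.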
After identifying the vulnerability, CertiK claims that Kraken’s security operations team “threatened” individual CertiK employees by demanding the return of an “unmatched” amount of cryptocurrency within an “unreasonable time frame,” without providing assurances or repayment addresses.
Kraken’s Percoco, for his part, responded by demanding a full accounting of the then-unknown company’s activities and the return of the funds. Percoco argued that CertiK’s refusal to comply with these demands violated ethical hacking principles and bordered on extortion.
Will CertiK face legal consequences?
The disclosure of this incident raised eyebrows and concerns in the cryptocurrency community, leading to calls for legal action against CertiK.
One user accused CertiK of stealing $3 million worth of funds from Kraken, holding them as ransom in exchange for a reward, refusing to return them, and then transferring the money to Tornado.cash to protect it from potential seizure by the authorities.
Coinbase CEO Conor Grogan indicated that Tornado.cash is sanctioned by the Office of Foreign Assets Control (OFAC) and highlighted CertiK’s US headquarters, pointing to potential legal ramifications from US agencies.
Market expert Adam Cochran also weighed in, expressing surprise at CertiK’s activities and highlighting the company’s history of compromised audits. Cochran went further and described the situation as “almost criminal.”
It is not yet known what Kraken’s next steps will be or what the consequences for CertiK might be. However, the involvement of US agencies and possible legal action against the security company are both on the table.
Developments in this case will undoubtedly shape the future of bug bounty programs and impact the relationship between cryptocurrency exchanges and security companies.