In a stunning revelation, blockchain security firm CertiK has admitted to identifying vulnerabilities in the Kraken cryptocurrency exchange and exploiting them, leading to the unauthorized withdrawal of roughly $3 million worth of digital assets. The admission, disclosed in a June 19 thread on X, has ignited controversy and raised questions about the ethical boundaries of security research in the blockchain industry. Kraken’s chief security officer, Nick Percoco, has since confirmed: “We can now confirm the funds have been returned (minus a small amount lost to fees).”
CertiK, headquartered in New York, stated that the bug was first identified on June 5 and lay in Kraken’s deposit system, which failed to distinguish between different internal transfer statuses. This flaw allowed fabricated deposits (transfer records that had not actually settled) to be credited as spendable balance and subsequently withdrawn without triggering any alerts. The firm’s testing reportedly showed that Kraken’s defense-in-depth controls failed on multiple fronts: the crediting logic, the withdrawal checks and the monitoring that should have caught the discrepancy.
“A huge amount of fabricated crypto (worth more than $1M USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident,” CertiK noted in their statement.
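The flaw described above is a state-machine bug: a deposit was credited before the underlying transfer reached its final state, and nothing downstream noticed that the credited balance was not backed by settled funds. The following is an added illustration, not Kraken’s or CertiK’s code, and it makes no claim about how Kraken’s system is actually built. It models a minimal exchange ledger with a vulnerable crediting path that accepts any non-failed transfer record, a hardened path that credits only on the final state, and an independent reconciliation check of the kind that would have raised an alert. All names (`TransferStatus`, `Ledger`, `credit_deposit_vulnerable`, the `acct-test` account and the `tx-001` transfer) are hypothetical, and the sample deposit is constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class TransferStatus(Enum):
    # Hypothetical internal transfer states; real systems have more.
    INITIATED = "initiated"    # client announced a deposit; nothing has settled
    PENDING = "pending"        # observed, but not yet final
    COMPLETED = "completed"    # settled with finality; the funds are really held
    FAILED = "failed"


@dataclass
class Transfer:
    transfer_id: str
    account: str
    amount: int                # smallest unit (e.g. satoshi); never floats for money
    status: TransferStatus


@dataclass
class Ledger:
    balance: dict = field(default_factory=dict)    # what the user may withdraw
    settled: dict = field(default_factory=dict)    # inflows that reached finality
    withdrawn: dict = field(default_factory=dict)  # cumulative outflows
    alerts: list = field(default_factory=list)

    def add(self, table, account, amount):
        table[account] = table.get(account, 0) + amount


def record_settlement(ledger, t):
    """Kept separate from crediting: only a COMPLETED transfer is real inflow."""
    if t.status is TransferStatus.COMPLETED:
        ledger.add(ledger.settled, t.account, t.amount)


def credit_deposit_vulnerable(ledger, t):
    """Bug: every non-FAILED record is credited, so a transfer that was merely
    initiated (and never settles) becomes spendable balance."""
    if t.status is TransferStatus.FAILED:
        return False
    ledger.add(ledger.balance, t.account, t.amount)
    return True


def credit_deposit_hardened(ledger, t):
    """Credit only on the final state; INITIATED, PENDING and FAILED add nothing."""
    if t.status is not TransferStatus.COMPLETED:
        return False
    ledger.add(ledger.balance, t.account, t.amount)
    return True


def withdraw(ledger, account, amount):
    bal = ledger.balance.get(account, 0)
    if amount <= 0 or amount > bal:
        return False
    ledger.balance[account] = bal - amount
    ledger.add(ledger.withdrawn, account, amount)
    return True


def reconcile(ledger):
    """Detective control: credits plus withdrawals must never exceed settled
    inflows. Returns the offending accounts; a non-empty result is an alert."""
    bad = []
    for account in set(ledger.balance) | set(ledger.withdrawn):
        credited = ledger.balance.get(account, 0) + ledger.withdrawn.get(account, 0)
        settled = ledger.settled.get(account, 0)
        if credited > settled:
            bad.append(account)
            ledger.alerts.append(f"{account}: credited {credited} > settled {settled}")
    return sorted(bad)


# Constructed sample: a fabricated deposit that is announced but never completes.
FAKE_DEPOSIT = Transfer("tx-001", "acct-test", 1_000_000, TransferStatus.INITIATED)


def run_scenario(credit):
    """Run the fake deposit through one crediting path and report
    (withdrawal succeeded?, remaining balance, accounts flagged by reconcile)."""
    ledger = Ledger()
    record_settlement(ledger, FAKE_DEPOSIT)      # nothing settles
    credit(ledger, FAKE_DEPOSIT)
    ok = withdraw(ledger, "acct-test", 1_000_000)
    return ok, ledger.balance.get("acct-test", 0), reconcile(ledger)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(credit_deposit_vulnerable))
    print("hardened:  ", run_scenario(credit_deposit_hardened))
```

The vulnerable path lets the unsettled deposit be withdrawn in full; the hardened path refuses both the credit and the withdrawal. The reconciliation check is deliberately independent of either crediting path, since it compares the ledger against settled inflows rather than trusting the code that produced the balance, which is the kind of second control a defense-in-depth design relies on to catch a bug like this within one reconciliation cycle rather than days later.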
Upon discovering the flaw, CertiK claimed to have informed Kraken, whose security team classified the issue as “critical.” However, the situation escalated when Kraken allegedly threatened CertiK employees, demanding repayment of the withdrawn funds without providing repayment addresses. CertiK urged Kraken to “cease any threats against whitehat hackers” and emphasized its commitment to transparency within the Web3 community.
This incident has sparked significant backlash within the blockchain community, with several experts and industry leaders criticizing CertiK’s actions. Meir Dolev, Cyvers’ CTO, highlighted discrepancies in CertiK’s timeline, noting that suspicious activity associated with CertiK’s addresses began weeks before the Kraken incident was reported.
Furthermore, Coinbase Director Conor Grogan pointed out that addresses linked to CertiK sent part of the withdrawn funds to Tornado Cash, a mixing service sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for its role in facilitating crypto laundering. Reports also indicate that CertiK-associated addresses moved funds through ChangeNOW, a non-custodial crypto exchange.
Critics argue that CertiK’s extensive testing and subsequent actions went beyond the scope of ethical hacking. Uttam, a developer at Flare, summarized the controversy, stating, “Certik found a critical bug in Kraken – Waited 5 days to disclose the vulnerability – There was no reason to run so many test txs but they did & withdraw 3M – Usually, one or two PoCs are enough. – So basically stole $3m for ‘testing purposes’ – In Certik’s defense they were trying to test Kraken’s in-depth defense system which failed to detect so many test transactions. – After 5 DAYS they disclosed the vulnerability without disclosing how much they had already taken.”
Adding to the skepticism, some have drawn parallels between CertiK’s behavior and the tactics of notorious hacking groups. Adam Cochran, founder of venture capital firm Cinneamhain Ventures, noted that CertiK’s actions, including the use of Tornado Cash and ChangeNOW, resemble the fund-movement patterns seen in hacks by the Lazarus Group, a North Korean state-sponsored hacking group. He questioned the integrity of CertiK’s security research team and asked whether it had itself been compromised.
A user following the story closely, who goes by the X handle @tayvano_, pointed out the gravity of CertiK’s actions, stating, “Multiple Certik employees intentionally and knowingly exploited a vulnerability in Kraken’s systems to withdraw over $3 million dollars over the course of 5 days. You should be hiding in shame and thanking Kraken for not pursuing you criminally and civilly.”
As both Kraken and CertiK navigate the fallout, the broader crypto community is left grappling with the implications for trust and security in the blockchain space.
The Shib Daily has reached out to Kraken and CertiK for comments, but has not received a response yet.