Kraken Recovers $3M from CertiK, Concludes Bug Bounty Dispute


Key takeaways:

  • The crypto exchange Kraken has recovered the funds lost in a well-publicized bug bounty exploit incident.
  • Nick Percoco, Kraken’s CSO, initially reported the $3 million in missing assets on June 19.

The crypto exchange Kraken has recovered the funds lost in a well-publicized bug bounty exploit incident.

The Kraken-CertiK dispute came to a conclusion when Kraken verified the repatriation of approximately $3 million worth of stolen digital assets.

In a June 20 X post, Nicholas Percoco, Chief Security Officer of Kraken, confirmed the recovery of the funds, less transaction fees:

“Update: We can now confirm the funds have been returned (minus a small amount lost to fees).”

Nick Percoco, Kraken’s CSO, initially reported the $3 million in missing assets on June 19. He stated that the funds had been taken from the treasury by a “security researcher” who had discovered and reported an existing vulnerability.

Kraken said that the security researcher had attempted to extort the exchange, demanding a payoff and a call with its business development team before returning the funds. In a June 19 X post, Percoco wrote:

“Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it. This is not white-hat hacking, it is extortion!”

Blockchain security company CertiK publicly identified itself as the “security researcher” Kraken accused of taking $3 million in digital assets, shortly after the exchange posted about the lost funds.

CertiK said in an X post on June 19 that it had notified Kraken of an issue that enabled it to withdraw millions of dollars from the exchange’s users’ accounts. CertiK also asserted that the exchange’s staff had threatened its employees:

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

Kraken’s Percoco said that the initial $4 malicious transfer, made when the flaw was first discovered, would have been enough to demonstrate the problem and qualify for “sizable rewards” under the company’s bounty program.

However, the security researcher, later revealed to be CertiK, had instead withdrawn close to $3 million into its Kraken accounts.

After the $3 million was returned, CertiK stated in a post that the large amount was required to test the exchange’s limits:

“We want to test the limit of Kraken’s protection and risk controls. After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”

Furthermore, CertiK asserts that it did not initially submit a bounty request, and that it was the exchange that raised the topic. CertiK also said that no Kraken user funds were at risk, since the exploited funds were “minted out of air.”
