CertiK says it's behind Kraken's $3 million bug exploitation
|- Kraken Exchange revealed that its platform suffered a bug-related incident.
- Two other research accounts involved in locating the bug are in possession of $3 million of the exchange's treasury funds.
- Certik claims to be behind the extraction, stating that Kraken's defenses were "compromised on several fronts."
Kraken's Chief Security Officer disclosed on Wednesday that the exchange lost at least $3 million in treasury funds due to a now-solved bug. CertiK claimed that its employees were behind the bug discovery, but Kraken is being "unreasonable" about the resolution.
Kraken suffers $3 million ‘white hack’ from CertiK employees
Kraken, one of the oldest crypto exchanges in the world, recently revealed that its platform was subject to a hack that exploited a bug related to funds in its treasury.
Nick Percoco, Kraken's Chief Security Officer, said in an X post on Wednesday that the company received the bug bounty program alert on June 9. The alert followed a report from a security researcher who claimed they had found an extremely crucial bug that "allowed them to artificially inflate their balance" on the platform.
Also read: North Korean hackers leveraged Tornado Cash to launder $147.5 million in stolen crypto funds
However, Kraken's security team quickly investigated the issue, and within a few hours, the bug was fixed without affecting user funds.
According to Percoco, the flaw stemmed from a new UX change that credited clients before their assets cleared. He claimed that the researcher who identified this flaw did not mention that two other accounts had been involved and had altogether extracted nearly $3 million from the platform to prove the security lapse.
Kraken claimed that the hackers refused to return the funds in exchange for the bug bounty, so it opted to involve law enforcement agencies in the case.
Read more: Solana kicks out validators extracting value from users through sandwich attacks
However, in response to Kraken's actions, CertiK, a blockchain auditing firm, claimed in an X post that its employees were responsible for the breach on Kraken.
The firm claims to have tested the exchange's defense system and found faults on several key fronts. The hallmark of CertiK's stance is that the bug was a test to see if Kraken's defenses would sense a breach in its protocol, and after several tests, no alerts were triggered.
"After initial successful conversions on identifying and fixing the vulnerability, Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," CertiK wrote in an X post.
Also read: US Department of Justice charges brothers for alleged 12-second MEV fraud
CertiK was the subject of criticism from several crypto community members after the reveal, with many claiming it planned to steal the funds. However, CertiK responded:
"The real question should be why Kraken's in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts were a part of our testing."
This adds to a series of hacks and stolen funds from crypto firms in 2024. In the first quarter of 2024, nearly $550 million was stolen by hackers, leading to a total of $19.1 billion of stolen crypto funds over the last 13 years.
Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers.