The blockchain security firm CertiK stepped forward Wednesday as the entity behind a white-hat hack that the cryptocurrency exchange Kraken has slammed as “extortion.”
Kraken CSO Nick Percoco signaled the exchange was treating a nearly $3 million loss as a “criminal case” earlier in the day, coordinating efforts with law enforcement to recover funds after a group of tech-savvy researchers had exploited an “isolated bug.”
CertiK defended its actions on Twitter (aka X), claiming that Kraken had threatened employees at the firm. CertiK also asserted that the total value of funds that Kraken had demanded back was “mismatched” compared to the crypto it had taken.
In addition, CertiK argued that it had been given too little time to return the allegedly stolen funds.
The previously unnamed researchers were able to steal millions of dollars of crypto from Kraken by withdrawing funds credited to their account before deposits were completed, according to Percoco. The attackers “could effectively print assets,” he wrote.

CertiK stated that it had leveraged the bug multiple times as part of an investigation while trying to assess the scope of Kraken’s security vulnerability. Though the exchange purportedly failed to provide an address for the return of the funds, CertiK said it was sending the cryptocurrency to a digital wallet that its records show Kraken could access.
White-hat hacking is often described as an ethical form of technical tampering, done with the goal of identifying vulnerabilities within a given system. A bug bounty submitted in relation to the exploit, however, only disclosed $4 of stolen crypto, Percoco wrote.
On top of that, Percoco claimed that the malicious actor would not agree to return any funds until a dollar amount estimating the exploit’s potential costs was provided.
“Millions [of] dollars of crypto were minted out of [thin] air, and no real Kraken user’s assets were directly involved in our research activities,” CertiK wrote in its defense, echoing Percoco’s assurance that funds had only been lost from Kraken’s treasury.

Taylor Monahan—the former CEO and founder of Ethereum wallet manager MyCrypto, which was acquired by Consensys in 2022 to fold into MetaMask—wrote on Twitter that CertiK should be scared of Kraken’s lawyers, damage to its reputation, and how the brouhaha could impact CertiK’s internal culture.
She also pointed out that, because several crypto projects audited by CertiK have fallen victim to exploits in the past, new speculation was spreading online about the possibility of previous inside jobs.
ohhhh no conspiracy twitter has entered the chat 😭
smooth brain shitcoiners gunna run on this for a long time https://t.co/SAWuPxoHd4
— Tay 💖 (@tayvano_) June 19, 2024
“The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions,” CertiK stated in response to Monahan. “This is indeed what we were testing.”
Edited by Ryan Ozawa.