The blockchain security firm CertiK stepped forward Wednesday as the entity behind a white-hat hack that the cryptocurrency exchange Kraken has slammed as “extortion.”

Kraken CSO Nick Percoco signaled the exchange was treating a nearly $3 million loss as a “criminal case” earlier in the day, coordinating efforts with law enforcement to recover funds after a group of tech-savvy researchers had exploited an “isolated bug.”

CertiK defended its actions on Twitter (aka X), claiming that Kraken had threatened employees at the firm. CertiK also asserted that the total value of funds that Kraken had demanded back was “mismatched” compared to the crypto it had taken.

In addition, CertiK argued that it had been given too little time to return the allegedly stolen funds.

The previously unnamed researchers were able to steal millions of dollars of crypto from Kraken by withdrawing funds credited to their account before deposits were completed, according to Percoco. The attackers “could effectively print assets,” he wrote.

CertiK stated that it had leveraged the bug multiple times as part of an investigation while trying to assess the scope of Kraken’s security vulnerability. Though the exchange purportedly failed to provide an address for the return of the funds, CertiK said it was sending the cryptocurrency to a digital wallet that its records show Kraken could access.

White-hat hacking is often described as an ethical form of technical tampering, done with the goal of identifying vulnerabilities within a given system. A bug bounty submitted in relation to the exploit, however, only disclosed $4 of stolen crypto, Percoco wrote.

On top of that, Percoco claimed that the malicious actor would not agree to return any funds until a dollar amount estimating the exploit’s potential costs was provided. 

“Millions [of] dollars of crypto were minted out of [thin] air, and no real Kraken user’s assets were directly involved in our research activities,” CertiK wrote in its defense, echoing Percoco’s assurance that funds had only been lost from Kraken’s treasury.

Taylor Monahan—the former CEO and founder of Ethereum wallet manager MyCrypto, which was acquired by Consensys in 2022 to fold into MetaMask—wrote on Twitter that CertiK should be scared of Kraken’s lawyers, damage to its reputation, and how the brouhaha could impact CertiK’s internal culture.

She also pointed out that, because several crypto projects audited by CertiK have fallen victim to exploits in the past, new speculation was spreading online about the possibility of previous inside jobs.

“The real question should be why Kraken’s in-depth defense system failed to detect so many test transactions,” CertiK stated in response to Monahan. “This is indeed what we were testing.”

Edited by Ryan Ozawa.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.