CertiK Issues Public Apology to Kraken Over $3M Bug Bounty Incident
The cybersecurity firm CertiK has publicly confirmed that it was the party involved in the incident with the cryptocurrency exchange Kraken, which had earlier accused an unnamed "white hat" security researcher of stealing $3 million in cryptocurrency.
On June 19th, CertiK stated that it had informed Kraken of a vulnerability that allowed millions of dollars to be withdrawn from the exchange's accounts. A Kraken representative subsequently accused the then-unnamed security team (which later turned out to be CertiK) of "extortion," saying it had demanded compensation before the funds would be returned.
CertiK, in turn, said that Kraken representatives began threatening the company's employees, demanding the return of the funds within an unreasonably short timeframe without providing an address for the transfer. CertiK decided to go public with the incident, emphasizing its commitment to user security in the Web3 ecosystem.
The company also published a timeline of events: from the discovery of the vulnerability on June 5th to the threats directed at one of its employees on June 18th. CertiK stated that it is prepared to transfer the funds to an account accessible to Kraken.
The cryptocurrency community’s reaction to the incident was mixed. Many users sided with Kraken, asserting that CertiK’s actions did not align with the behavior of “white hat” hackers, whose work is focused on identifying and fixing security vulnerabilities. At the same time, it remains unclear whether Kraken has grounds to file a lawsuit against CertiK.
In June, the popular cryptocurrency exchange Kraken reported the theft of $3 million due to a critical zero-day vulnerability, which was discovered and quietly exploited by an unnamed security researcher. Nick Percoco, Chief Security Officer at Kraken, revealed that the vulnerability allowed the unethical researcher to artificially inflate their balance on the platform.