CertiK/Kraken - Rekt

Kraken accuses security researchers of extortion after $3M bug bounty exploit.

A cybersecurity firm's disclosure of a critical vulnerability in Kraken's systems has escalated into accusations of extortion and threats between the parties.

Chief Security Officer Nick Percoco disclosed that Kraken received a bug bounty program alert from a security researcher in early June.

Security research firm CertiK revealed that they discovered the bug.

However, CertiK claims that rather than cooperating to address the issue, Kraken responded by threatening CertiK employees and making unreasonable demands.

The conflicting claims have devolved into a public he-said-she-said dispute, with each party accusing the other of questionable behavior.

In this strange and unsettling situation, can we truly trust the guardians of our digital fortresses?

Credit: Nick Percoco, CertiK, Tayvano, Immutable Lawyer

While initially vague, the report claimed to have found an "extremely critical" bug that allowed inflating account balances on the cryptocurrency exchange.

Nick Percoco stated that Kraken's security team promptly investigated the matter and "discovered an isolated bug that allowed a malicious attacker, under the right circumstances, to initiate a deposit onto our platform and receive funds in their account without fully completing the deposit."

Within an hour and 47 minutes, Kraken had deployed a fix to resolve the issue.

CertiK alleges their investigation uncovered more alarming vulnerabilities in Kraken's systems beyond the initial bug report.

According to CertiK, their testing confirmed the ability to fabricate deposits into any Kraken account and withdraw large sums of fabricated crypto exceeding $1 million, all without triggering any alerts for multiple days.

CertiK claims that after responsibly reporting these critical findings, which Kraken itself classified at the highest severity level, the exchange then threatened CertiK employees with demands to repay a "mismatched amount" of crypto within an "unreasonable time" without even providing wallet addresses.

The security firm alleges Kraken's threats came after CertiK had already assisted in successfully identifying and remediating the vulnerabilities.

CertiK states they have gone public to protect users and urge Kraken to cease making threats against ethical security researchers acting in good faith.

This contradicts Kraken's portrayal of the initial $3 million incident as clear extortion by bad actors.

CertiK asserts they followed responsible vulnerability disclosure practices in coordination with Kraken initially.

Further analysis revealed that the bug had already been actively exploited in the preceding days across three accounts associated with the original researcher's colleagues.

One account controlled by the researcher had deposited a mere $4, seemingly to validate the vulnerability.

Ultimately, the same flaw was abused to withdraw over $3 million from Kraken's corporate wallets over a five-day period.

CertiK claims the transactions were merely test deposits, with the millions withdrawn from the system for testing purposes.

CertiK asserted that "millions of dollars of crypto were minted out of air, and no real Kraken user's assets were directly involved in our research activities."

Notably, they underlined that despite numerous fabricated tokens being generated and exchanged for valid cryptocurrencies over several days, no risk control or prevention measures were enacted until CertiK brought the issue to light.
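The bug as Percoco describes it (a deposit credited before it has fully completed) and the missing control CertiK points to (fabricated balances cashed out for days without an alert) are both illustrated in the following added example. It is not from the Rekt article and is not Kraken's or CertiK's code; the toy ledger, deposit states, account names, amounts and the custodied total are all constructed for illustration.

```python
"""Added example (not from the Rekt article, Kraken or CertiK): a toy exchange
deposit ledger showing the weak pattern of crediting a deposit on initiation
beside a hardened credit-on-confirmation pattern, plus a reconciliation check
that flags customer liabilities exceeding the funds actually held.
Every name, amount and threshold below is constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum, auto


class DepositState(Enum):
    INITIATED = auto()   # user announced a deposit; nothing observed on-chain yet
    CONFIRMED = auto()   # funds observed on-chain with enough confirmations
    FAILED = auto()      # deposit never settled


@dataclass
class Deposit:
    account: str
    asset: str
    amount: int          # smallest unit, kept as int to avoid float rounding
    state: DepositState = DepositState.INITIATED


@dataclass
class Ledger:
    # hypothetical internal balances keyed by (account, asset)
    balances: dict = field(default_factory=dict)
    credited: set = field(default_factory=set)   # deposit ids already credited

    def credit(self, dep_id, dep):
        key = (dep.account, dep.asset)
        self.balances[key] = self.balances.get(key, 0) + dep.amount
        self.credited.add(dep_id)

    def liabilities(self, asset):
        """Total owed to customers for one asset."""
        return sum(v for (_, a), v in self.balances.items() if a == asset)


def credit_on_initiate(ledger, dep_id, dep):
    """Weak pattern: the balance is credited as soon as a deposit is initiated.
    A deposit that later fails or never confirms leaves an unbacked balance."""
    if dep_id not in ledger.credited:
        ledger.credit(dep_id, dep)


def credit_on_confirm(ledger, dep_id, dep):
    """Hardened pattern: credit only a CONFIRMED deposit, and only once per
    deposit id, so re-emitted or replayed events cannot double-credit."""
    if dep.state is not DepositState.CONFIRMED:
        return False
    if dep_id in ledger.credited:
        return False
    ledger.credit(dep_id, dep)
    return True


def reconcile(ledger, asset, custodied, tolerance=0):
    """Detection control: liabilities for an asset must never exceed what the
    exchange actually holds (custodied is a constructed on-chain total here).
    Returns (alert, gap) so the gap can be reported with the alert."""
    gap = ledger.liabilities(asset) - custodied
    return gap > tolerance, gap


def demo():
    # constructed scenario: one real confirmed deposit, one initiated-only deposit
    real = Deposit("alice", "ETH", 4, DepositState.CONFIRMED)
    fake = Deposit("mallory", "ETH", 1_000_000, DepositState.INITIATED)
    custodied = 4  # only alice's 4 units actually arrived on-chain

    weak = Ledger()
    credit_on_initiate(weak, "d1", real)
    credit_on_initiate(weak, "d2", fake)          # credited although never confirmed
    weak_alert, weak_gap = reconcile(weak, "ETH", custodied)

    strong = Ledger()
    credit_on_confirm(strong, "d1", real)
    credit_on_confirm(strong, "d2", fake)         # rejected: not confirmed
    credit_on_confirm(strong, "d1", real)         # rejected: already credited
    strong_alert, strong_gap = reconcile(strong, "ETH", custodied)

    return {
        "weak_liabilities": weak.liabilities("ETH"),
        "weak_alert": weak_alert,
        "weak_gap": weak_gap,
        "strong_liabilities": strong.liabilities("ETH"),
        "strong_alert": strong_alert,
        "strong_gap": strong_gap,
    }


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is the part worth running periodically in practice: it does not need to know how a balance was fabricated, only that the ledger owes more of an asset than the exchange holds, which is exactly the condition the article says went unnoticed for days.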

When Kraken requested that the illegally obtained funds be returned per its bug bounty policy, the researchers refused and instead demanded a speculative ransom payment based on hypothetical maximum losses.

This $3 million exploit formed the basis of Kraken's claim of extortion by bad actors.

However, CertiK alleges this demand was in response to Kraken's own threats after CertiK reported even more severe vulnerabilities.

It is worth noting that, according to Kraken's Bug Bounty page, the maximum payout for a Critical severity finding is capped at $1.5 million.

Strangely, the same address conducting these "tests" made three deposits to Tornado Cash almost two weeks ago.

If it turns out that CertiK was routing funds through Tornado Cash, a sanctioned virtual currency mixer, the legal implications could be massive.

Time will tell who was in the wrong here; clearly someone really screwed up.

Are we venturing into a realm where the lines between ethical behavior and exploitation blur, as if crossing over into the Twilight Zone?

With both parties trading accusations of extortion and threats, the matter has devolved into a heated he-said-she-said quagmire.

Kraken insists it took reasonable actions to protect itself after ethical boundaries were crossed.

CertiK maintains it followed industry best practices for vulnerability disclosures and responsible coordination.

Caught in the crossfire of this public spat are the users and broader crypto community.

As fingers get pointed in both directions, maybe the truth about what actually transpired will be established.

Whose narrative will prove credible?

What if there is another version of the story that has yet to be uncovered, such as a rogue actor?

As the outcome may significantly impact platform security and user safety in the crypto world, one wonders if ethics and collaboration will triumph over assertions of misconduct.

In light of this significant occurrence, it's important to consider the possible impact on security researchers who may be more cautious about sharing their discoveries, fearing potential involvement in similar disputes.

Additionally, can we fully dismiss the possibility that a rogue actor within CertiK might have played a role in the alleged exploitation, further complicating the narrative and raising questions about trust and accountability in the security research community?
