CertiK says it's behind Kraken's $3 million bug exploitation

Kraken's Chief Security Officer disclosed on Wednesday that the exchange lost at least $3 million in treasury funds due to a now-solved bug. CertiK claimed that its employees were behind the bug discovery, but Kraken is being "unreasonable" about the resolution.

Kraken suffers $3 million ‘white hack’ from CertiK employees

Kraken, one of the oldest crypto exchanges in the world, recently revealed that its platform was subject to a hack that exploited a bug related to funds in its treasury.

Nick Percoco, Kraken's Chief Security Officer, said in an X post on Wednesday that the company received the bug bounty program alert on June 9. The alert followed a report from a security researcher who claimed they had found an extremely crucial bug that "allowed them to artificially inflate their balance" on the platform.

Also read: North Korean hackers leveraged Tornado Cash to launder $147.5 million in stolen crypto funds

However, Kraken's security team quickly investigated the issue, and within a few hours, the bug was fixed without affecting user funds.

According to Percoco, the flaw stemmed from a new UX change that credited clients before their assets cleared. He claimed that the researcher who identified this flaw did not mention that two other accounts had been involved and had altogether extracted nearly $3 million from the platform to prove the security lapse.

Kraken claimed that the hackers refused to return the funds in exchange for the bug bounty, so it opted to involve law enforcement agencies in the case.

Read more: Solana kicks out validators extracting value from users through sandwich attacks

However, in response to Kraken's actions, CertiK, a blockchain auditing firm, claimed in an X post that its employees were responsible for the breach on Kraken.

The firm claims to have tested the exchange's defense system and found faults on several key fronts. The hallmark of CertiK's stance is that the bug was a test to see if Kraken's defenses would sense a breach in its protocol, and after several tests, no alerts were triggered.

"After initial successful conversions on identifying and fixing the vulnerability, Kraken's security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses," CertiK wrote in an X post.

Also read: US Department of Justice charges brothers for alleged 12-second MEV fraud

CertiK was the subject of criticism from several crypto community members after the reveal, with many claiming it planned to steal the funds. However, CertiK responded:

"The real question should be why Kraken's in-depth defense system failed to detect so many test transactions. Continuous large withdrawals from different testing accounts were a part of our testing."

This adds to a series of hacks and stolen funds from crypto firms in 2024. In the first quarter of 2024, nearly $550 million was stolen by hackers, leading to a total of $19.1 billion of stolen crypto funds over the last 13 years.