A major cryptocurrency exchange, Kraken, is locked in a bitter dispute with blockchain security firm CertiK. Kraken accuses CertiK researchers of exploiting a critical bug to steal $3 million and then demanding a ransom for its return.
The bug allowed a user to inflate their Kraken account balance without completing a deposit. Kraken attributes it to a recent user experience (UX) change that credited accounts before the deposited assets had actually cleared.
Kraken claims the researchers failed to follow proper bug bounty protocol. They allege the researchers didn’t provide details in their report, shared the exploit with colleagues who stole $3 million (Kraken treasury funds, not user assets), refused to explain their actions or return the funds, and demanded a meeting with Kraken’s business development team and an unspecified ransom. Kraken considers this extortion and is working with law enforcement.
CertiK disputes the extortion claims. According to CertiK, communication was initially positive until the bug was fixed, after which Kraken's security team threatened CertiK employees and demanded repayment of an unreasonable amount within an unreasonable timeframe. CertiK says it offered to return the funds and never withheld them.
The crypto community isn’t convinced by CertiK’s defense. They point to CertiK wallets allegedly using sanctioned cryptocurrency mixing services, inconsistencies between CertiK’s statements and public blockchain records, and discrepancies in the reported stolen amount. CertiK hasn’t responded to requests for clarification.
The incident highlights the murky world of cryptocurrency security and the unsettled boundaries of ethical hacking and bug bounty disclosure.