The US cryptocurrency exchange Kraken recently disclosed that a hacker claiming to be a security researcher exploited a severe vulnerability on its platform, stealing digital assets worth $3 million and engaging in extortion. The researcher reported the vulnerability on June 9th, but instead of stopping at the report, they used the loophole to withdraw funds from Kraken’s treasury.

Kraken’s Chief Security Officer, Nick Percoco, revealed that the researcher and their two associated accounts used the loophole to withdraw over $3 million. After exploiting the vulnerability, the researcher demanded a reward for the stolen funds before agreeing to return them. Percoco stated in a June 19th post on X that this behavior is not that of a white-hat hacker but rather extortion.

Kraken emphasized that the stolen cryptocurrencies came from its exchange treasury and that no user funds were affected.

In response to these events, the security audit company CertiK stated directly on the X platform that the security researcher mentioned by Kraken is one of its white-hat hackers. CertiK argued that after it had successfully identified and fixed the vulnerability, Kraken’s security team threatened individual CertiK employees, demanding repayment of a mismatched amount of cryptocurrency without providing a refund address.

However, as the community delved deeper into the incident, it was discovered that after stealing funds from Kraken, the attacker deposited a portion of the funds into a mixer, which is not typical behavior for a legitimate white-hat hacker.

Furthermore, blockchain investigator 0xBoboShanti pointed out that an address previously publicly disclosed by a CertiK security researcher had been probed and tested as early as May 27th, contradicting CertiK’s timeline of events.

The conclusion of this incident is still pending, but considering all the information, the overall sentiment appears to be unfavorable towards CertiK.
