Kraken closes the bug bounty saga by recovering $3 million from CertiK.

The cryptocurrency exchange Kraken has recovered the funds lost in a widely publicized bug bounty exploit incident. The Kraken-CertiK saga, which began on June 9, came to a conclusion when Kraken verified the return of almost $3 million worth of stolen digital assets. In a June 20 X post, Nicholas Percoco, Chief Security Officer of Kraken, confirmed the recovery of the funds, less transaction fees.

“Update: We can now confirm the funds have been returned (minus a small amount lost to fees).”

On June 19, Kraken’s CSO made the initial announcement of the $3 million in missing funds. He stated that the funds had been wrongfully removed from the treasury by a “security researcher” who had found and reported an existing issue. According to Kraken, the security researcher was extorting the exchange by withholding the money and threatening to call its business development team unless a reward was paid.

Blockchain security company CertiK publicly identified itself as the “security researcher” that Kraken claimed stole $3 million in digital assets shortly after the exchange posted about the lost funds. CertiK said in an X post on June 19 that it had notified Kraken of an issue that enabled it to take millions of dollars out of the exchange’s users’ accounts. CertiK further asserted that the exchange’s team had threatened its employees.

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

The security company released a timeline of events that began on June 5 with the discovery of the exploit and concluded on June 18 with allegations that Kraken had intimidated a CertiK employee. CertiK claimed in a statement to Cointelegraph that the money would be moved “to an account that Kraken will be able to access.”

Initially, Kraken’s CSO claimed that the initial $4 malicious transfer would have been enough to demonstrate the flaw and qualify for “sizable rewards” from Kraken’s bounty program. But the security researcher, whose identity was subsequently revealed as CertiK, had deposited close to $3 million into its Kraken accounts. After the $3 million was returned, CertiK stated in a post that the large amount had been required to test the exchange’s limits.

“We want to test the limit of Kraken’s protection and risk controls. After multiple tests across multiple days and close to $3 million worth of crypto, no alerts were triggered and we still haven’t figured out the limit.”

Moreover, CertiK claims that it did not initially request a bounty, and that it was the exchange that first raised the subject.

“We never mentioned any bounty request. It was Kraken who first mentioned their bounty to us, while we responded that the bounty was not the priority topic and we wanted to make sure the issue was fixed.”

CertiK added that no Kraken user funds were endangered since the exploited funds were “minted out of air.”