Kraken Crypto Exchange Hit by Exploitation and Extortion from Security Firm CertiK
Brook.X
In a shocking revelation, the prominent cryptocurrency exchange Kraken (often referred to as the "Kraken") disclosed a serious security incident last night. Fortunately, no customer funds were lost. However, the exchange unveiled that the security firm CertiK exploited a vulnerability to carry out asset theft and extortion.
The incident began when Kraken received a notification from a security researcher about a critical vulnerability within the exchange. This flaw could potentially allow attackers to manipulate account balances for withdrawals, stemming from a design flaw in Kraken's deposit process.
Upon receiving the notification, Kraken spent 47 minutes to confirm and rectify the vulnerability. Subsequent investigations revealed three accounts exploiting this flaw, one of which was linked to the notifying researcher, supposedly for testing purposes.
The researcher demonstrated the bug's validity by creating a fake balance of $4 in their account, a move acknowledged by Kraken. According to their bug bounty program, this researcher was eligible for a substantial reward.
Typically, this would conclude the interaction between a white-hat hacker and the platform, with the next steps involving the issuance of the bug bounty. However, Kraken's situation took a turn for the worse.
Unethical Extortion by a Security Firm:
Kraken discovered two other accounts that had not only exploited the vulnerability to create fake balances but also withdrew cryptocurrency worth up to $3 million. This action diluted the exchange's funds, forcing Kraken to replenish the lost assets.
Upon further investigation, Kraken found that these activities were linked to the same group of researchers from CertiK. Despite the potential for a straightforward resolution—returning the withdrawn assets and discussing the bug bounty—CertiK allegedly refused to refund the stolen amount and instead requested negotiations with Kraken's business department.
CertiK suggested that Kraken estimate the potential financial damage caused by the vulnerability, hinting at a desire to calculate the bug bounty based on hypothetical losses rather than the established program guidelines. Such demands are clearly extortionate and unacceptable to Kraken.
Kraken has since reached out to law enforcement agencies and publicly disclosed these events, seeking to combat CertiK's extortion tactics and expose their actions.
Illicit Activities and Legal Concerns:
Further investigations revealed that the withdrawn assets were laundered through the Tornado mixer, a platform sanctioned by the U.S. government, making any transactions with it illegal for American citizens and companies.
Despite the backlash, CertiK responded without addressing their misconduct, emphasizing the critical vulnerability they had uncovered at Kraken.
To date, CertiK has returned some funds but not in full, including 734 Ethereum, 29,000 USDT, and 1,021 Monero coins. Kraken's requested return included significantly more, raising questions about potential losses through CertiK's transfer and mixing operations.
The discrepancy in returned funds remains unresolved, leaving the crypto community awaiting further developments between Kraken, CertiK, and law enforcement agencies.
