The Kraken-CertiK saga has taken another twist. Security firm CertiK claims it conducted a white hat operation on specific Kraken accounts, draining nearly $3 million, according to Kraken.
However, Kraken contends that the total exploited amount was not returned, while CertiK asserts it has returned all funds according to their records.
On June 20, CertiK provided an update on X, stating it had returned 734 Ether, 29,001 Tether tokens, and 1,021 Monero coins.
In contrast, Kraken requested 155,818 Polygon tokens, 907,400 USDT, 475.5 ETH, and 1,089.8 XMR.
The saga began on June 9, when Kraken reported receiving a bug bounty alert from an alleged security researcher.
The alert highlighted a bug in Kraken’s system allowing users to inflate their account balances. While patching the bug, Kraken discovered three accounts exploiting the flaw, stealing $3 million.
Kraken found that one of these accounts was KYC-verified and used the bug to credit $4 to their account.
Kraken chief security officer Nick Percoco noted, “This would have been enough to prove the bug and claim the bounty,” but the account allegedly shared the flaw with two others, resulting in the $3 million theft.
READ MORE: Mark Cuban Warns Gary Gensler’s SEC Actions Could Cost Joe Biden the 2024 Election
When Kraken requested the alleged “security researcher” return the funds and collect the bounty after providing the required onchain proofs, the white hat hacker allegedly refused and demanded the bounty first.
Although Kraken did not disclose the security firm behind the exploit, CertiK revealed its involvement.
CertiK claimed its employee, who found the vulnerability, was threatened to return the stolen funds but did not receive a wallet address.
CertiK co-founder Ronghui Gu told Cointelegraph:
“The verbal consensus reached during our meeting was not confirmed afterward.
“Ultimately, they [Kraken] publicly accused us of theft and even directly threatened our employees, which is completely unacceptable.”
CertiK reportedly sent the stolen funds to Tornado Cash, a crypto mixing service, to avoid them being frozen by exchanges.
This move drew heavy criticism, with many questioning CertiK’s motives behind the white hat operation.
The crypto community largely sided with Kraken, accusing CertiK of theft and blackmail.
Kraken informed Cointelegraph it is in contact with law enforcement agencies regarding the matter.
To submit a crypto press release (PR), send an email to sales@cryptointelligence.co.uk.