US cryptocurrency exchange Kraken recently revealed that a self-proclaimed security researcher exploited a severe vulnerability in its platform, withdrew digital assets worth about $3 million, and then attempted extortion. The researcher reported the vulnerability on June 9th, but rather than stopping at a proof of concept, used the same flaw to pull funds out of Kraken's own holdings.
Kraken's Chief Security Officer, Nick Percoco, disclosed that the researcher and two associated accounts used the flaw to withdraw over $3 million. After exploiting the vulnerability, the researcher demanded a bounty before agreeing to return the funds. In a post on June 19th, Percoco stated that this is not the behavior of a white hat hacker, but extortion.
In response, Kraken emphasized that the withdrawn cryptocurrency came from its own exchange treasury and that no user funds were affected.
CertiK, a security auditing company, acknowledged directly on X that the researcher Kraken described is one of its white hat hackers. CertiK countered that after the vulnerability had been identified and fixed, Kraken's security team threatened individual CertiK employees, demanding repayment of an amount of cryptocurrency that did not match what had been withdrawn, and without even providing an address to return it to.
However, as the community dug into the on-chain record, it emerged that after taking the funds from Kraken, the attacker routed a portion of them through a mixer, a service whose purpose is to obscure the origin of funds. That is not the behavior of a legitimate white hat, who has no reason to hide where recovered funds came from.
Furthermore, on-chain investigator 0xBoboShanti pointed out that an address previously published by a CertiK security researcher showed probing and testing activity as early as May 27th, which contradicts CertiK's stated timeline of events.
The dispute has not yet been resolved, but taken together, the available information has turned overall sentiment against CertiK.