CertiK returns funds on its own terms after hacking Kraken for $3M

Notorious crypto audit firm CertiK’s security ‘researchers’ spent five days gaming Kraken’s systems before alerting the exchange, according to public statements from both companies

Facing significant backlash from the crypto security community, CertiK claims to have returned the funds, despite apparently not having been provided with a repayment address.

Although both companies have provided detailed statements on their own versions of events, some questions remain on both sides.

Kraken’s chief security officer Nick Percoco took to X (formerly Twitter) to describe the highly irregular nature of the disclosure. The initial communication reported having generated a $4 discrepancy, which Percoco says would have been sufficient to qualify for Kraken’s bug bounty program.

Kraken Security Update:

On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.

— Nick Percoco (@c7five) June 19, 2024

Read more: Crypto security firms more concerned with social media clout than the details

On further inspection, however, it soon became clear that almost $3 million had been withdrawn via the vulnerability. Shockingly, when asked to disclose further details and organize the return of funds, Percoco says CertiK refused, insisting on negotiating via its business development team.

Percoco ends his thread by stating that Kraken is treating the incident as a criminal case, though he neglects to name the company so as not to credit it with the discovery.

Some three hours later, CertiK took responsibility. The sequence of events it describes mirrors the ‘hack first, negotiate a bounty later’ approach that has become a standard practice for ‘blackhats’ in decentralized finance (DeFi).

CertiK has argued that its investigation aimed to explore Kraken’s internal security alert system, which it says wasn’t triggered by even the larger transactions. However, it remains unclear why this work wasn’t conducted in collaboration with Kraken’s team.

It also claims that Kraken demanded “a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.”

After facing criticism, ridicule, and disbelief in describing its actions as ‘whitehat operations,’ CertiK clarified that “all funds that we held have been returned, but the total amount differs from what Kraken commanded. We based the return on our records.” The firm goes on to claim that it was never interested in securing a bounty payment.

Full disclosure?

While CertiK’s version of events has the ‘research’ beginning on June 5, on-chain investigators have identified related transactions from the disclosed addresses beginning over a week earlier, on May 27.

An address previously tweeted by a Certik security researcher was probing and testing as early as May 27th. This already contradicts Certik's timeline of events.

One of the Certik tornado txs funded a wallet that has been interacting with the same contract as recently as TODAY -… https://t.co/rSbQLkyfZv pic.twitter.com/TBSfPtjp5l

— 0xBoboShanti (@0xBoboShanti) June 19, 2024

Metamask’s Taylor Monahan identified a suspicious pattern amongst the ‘research’ transactions of withdrawing USDT, swapping for ETH and sending to ChangeNOW.

This is a common set of steps used by hackers who know that centralized stablecoins such as USDT can be frozen by their issuers. ChangeNOW is a crypto exchange that doesn’t require users to pass know-your-customer (KYC) checks, often used by ‘blackhats’ to cash out stolen funds.

Withdraws a fucklot ✅

Dumps USDT hard af ✅

Multiple max value swaps via ChangeNOW ✅

I see this pattern a lot. In fact, it's one way I sus apart victim addresses vs hacker addresses when investigating messy key compromises lmaoooooo pic.twitter.com/COIJHCKqlG

— Tay 💖 (@tayvano_) June 19, 2024

Read more: Hackers switching to centralized exchanges to fund crypto attacks 

Concerns were also raised over the transaction history of the addresses involved, at least one of which had previously deposited funds into sanctioned crypto mixer Tornado Cash. However, it was later clarified that these transactions didn’t include funds withdrawn from Kraken, and were likely meant to test the exchange’s identification of suspicious addresses, which seemingly weren’t flagged.

In addition, Percoco’s statement that “no client’s assets were ever at risk” raises its own questions. Claiming that only treasury funds were affected, while funds were withdrawn through addresses servicing customer deposits and withdrawals would imply commingling of funds. 

Burned reputation

CertiK has long been the butt of jokes in the crypto security sector. Multiple projects have been hacked after passing security checks by the firm, and its own X account was compromised to spread a phishing scam earlier this year.

Read more: X account of crypto auditing firm CertiK hacked 

Some have even registered their surprise that CertiK was able to pull off such a feat while casting suspicions over previous incidents.

Assessing the fallout from this latest gaffe, which may well land CertiK in legal trouble, it would seem its already-tarnished reputation couldn’t get any worse.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.