Kraken exchange’s $3 million theft leaves CertiK feeling ‘threatened’ – Why?

  • Kraken’s bug led to a $3 million theft, sparking controversy over security practices.
  • CertiK criticized Kraken’s repayment demands post-vulnerability, adding to the exchange’s uncertainties.

As an experienced analyst, I find Kraken’s recent incident involving a $3 million theft due to a bug in their system quite alarming. The situation has sparked controversy and uncertainty within the cryptocurrency community, especially with CertiK’s public announcement identifying themselves as the “security researcher” behind the issue.

As a cryptocurrency market analyst, I was taken aback when Kraken, a prominent digital asset trading platform, disclosed on the 19th of June that they had identified a technical glitch enabling users to unintentionally add funds to their accounts over an extended period.

A security vulnerability, deemed “extremely critical,” was brought to Kraken’s attention by a researcher.

Kraken exchange scrambles?

As a security analyst, I’ve come across situations where software glitches have resulted in significant financial losses. In this particular case, an unfortunate bug caused over $3 million in digital assets to be withdrawn, generating widespread attention. In response to this incident, Nicholas Percoco, the chief security officer at Kraken, took to X (previously known as Twitter), to share his perspective on the matter.

Following the incident, Kraken maintained that no client assets had been put at risk. According to Percoco, users could add funds to their Kraken accounts by starting the deposit process without finalizing it. He put it this way:

A malicious actor could fraudulently transfer assets into their Kraken account during a specific duration.
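As an added illustration, not code from the article or from Kraken, the toy ledger below contrasts the pattern Percoco describes, crediting a balance as soon as a deposit is initiated, with crediting only once a deposit is confirmed, and adds the reconciliation check a defender would run to flag accounts credited beyond their confirmed deposits. All account names and amounts are constructed.

```python
"""Toy deposit ledger: credit-on-initiate versus credit-on-confirm.

Amounts are in minor units (cents). Every deposit below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

INITIATED, CONFIRMED = "initiated", "confirmed"


@dataclass
class Deposit:
    account: str
    amount: int
    state: str  # INITIATED or CONFIRMED


def credit_on_initiate(deposits):
    """Vulnerable pattern: the balance is credited when a deposit is started,
    so a deposit that is never finalized still raises the spendable balance."""
    balances = defaultdict(int)
    for d in deposits:
        balances[d.account] += d.amount
    return dict(balances)


def credit_on_confirm(deposits):
    """Hardened pattern: only deposits that reached CONFIRMED are credited."""
    balances = defaultdict(int)
    for d in deposits:
        if d.state == CONFIRMED:
            balances[d.account] += d.amount
    return dict(balances)


def reconcile(balances, deposits):
    """Detection: compare each credited balance with its confirmed deposits.
    Returns {account: excess} for accounts credited more than was confirmed."""
    confirmed = credit_on_confirm(deposits)
    return {acct: bal - confirmed.get(acct, 0)
            for acct, bal in balances.items()
            if bal > confirmed.get(acct, 0)}


# Constructed sample: one finalized deposit, one started but never finalized.
SAMPLE = [
    Deposit("acct_a", 400, CONFIRMED),
    Deposit("acct_b", 300_000_000, INITIATED),
]

if __name__ == "__main__":
    print(reconcile(credit_on_initiate(SAMPLE), SAMPLE))  # acct_b flagged
    print(reconcile(credit_on_confirm(SAMPLE), SAMPLE))   # nothing flagged
```

Run against a real ledger, the same reconciliation (credited balances versus confirmed on-chain deposits) is the control that would surface unfinished deposits being spent, independent of how the crediting code was written.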

Percoco explained that the researcher had initially used the flaw to add just $4 worth of cryptocurrency to their own account, a finding that would have been enough to responsibly disclose the issue and collect a reward.

Instead of reporting it, the researcher shared the issue with two associates, who went on to withdraw approximately $3 million from Kraken.

Addressing user worries around the issue, Kraken claimed, 

“This was from Kraken’s treasuries, not other client assets.” 

Unexpected response from the researchers

As a crypto investor, I can tell you that when Kraken requested the researchers to give back the funds and disclose the details of the discovered vulnerability, which is a typical procedure for bug bounty schemes, they declined to comply.

Expressing his frustration, Kraken’s CSO responded:

“It’s astonishing that we’re being criticized for asking ‘ethical hackers’ to give back what they allegedly took from us.”

CertiK: The security researcher

Matters then took a turn for the worse when blockchain security company CertiK announced that it was the security researcher behind the report. It declared,

“Following initial victories in locating and addressing vulnerabilities, Kraken’s security team has reportedly demanded that specific CertiK employees reimburse a DISPROPORTIONATE quantity of cryptocurrency within an IMPRACTICAL timeframe, without supplying any repayment instructions.”

Lefteris Karapetsas, founder of Rotkiapp, pointed out that this statement initially met with unfavorable feedback.

Although CertiK has a strong track record of finding vulnerabilities, the outcome for the exchange remains uncertain.

2024-06-20 16:07