Kraken Recovers $3 Million from Certik Following Bounty Fiasco

Nick Percoco, Kraken’s chief security officer, reported that the crypto exchange had regained the $3 million stolen from its account after a bug vulnerability was exploited. On June 20, Percoco declared on X (previously Twitter) that the exchange had obtained this money. The reference did not mention the source, although earlier reports referred to the company as the potential connection in question.

What Happened?

Released on X on June 19, a statement was issued by Certik, saying that their personnel informed Kraken about a critical software flaw had been discovered in the exchange’s network account system. This loophole was dangerous because it might have allowed scammers to make millions in digital earnings out of Kraken.

CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.

Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD
— CertiK (@CertiK) June 19, 2024

They surprisingly did so and withdrew $3 million out of the account at Kraken using the said bug. They then requested for the bug bounty to be provided by the exchange for their enviable talent and told the Binance founder about it.

They have been given some time to send back the funds but the employees of the firms did not return the money, according to Kraken and Certik’s statements. The security research firm that is accused of blackmailing the operators instead of being white ship hackers answered by calling Kraken’s operation team the executioners that had coerced several employees to pay all the crypto back in a short time or find themselves working at other companies, which moreover did not provide them with repayment addresses.

Certik Offered to Return Funds

In a follow-up statement on X, Certik expressed willingness to transfer the stolen money to a wallet that Kraken could use. They said:

“As Kraken has not disclosed the refund addresses and the amount they asked for was wrong, we are going to send the funds according to our list to an account that later will be able to be retrieved by Kraken.”

Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access.
— CertiK (@CertiK) June 19, 2024

The exchange is confirmed on Thursday that Kraken regained the fund, but only a little money was lost to fees. Kraken reassured its customers that there were no lost user funds during the bug embarrassment.

The occurrence shows the unceasing problems and intricacies of the cryptocurrency industry and the challenges arising in finding and managing weaknesses in security of exchanges and tokens.