On June 19, local time in the United States, the cryptocurrency exchange Kraken and the blockchain security company CertiK had a public confrontation on social media over a series of serious security vulnerabilities.
The incident stemmed from a vulnerability that CertiK discovered in Kraken. Kraken chief security officer Nick Percoco disclosed on Twitter that he had received an "extremely serious" vulnerability report through the bug bounty program, which claimed to have discovered a vulnerability that could be exploited to artificially inflate account balances. CertiK described its activity as a security test of the Kraken exchange, while Kraken believed that CertiK profited from the vulnerability in the process.
What happened
CertiK: After reporting a security breach to Kraken, CertiK employees were threatened by its security operations team
According to CertiK's investigation, Kraken's deposit system could not reliably distinguish between different internal transfer statuses, so a malicious actor could forge deposit transactions and withdraw fake funds. During the test, millions of dollars in fake funds could be deposited into Kraken accounts, and more than $1 million in fake cryptocurrency was withdrawn as valid assets without triggering any alerts on Kraken's systems. After CertiK notified Kraken, Kraken classified the vulnerability as "critical" and fixed the issue. However, CertiK stated that the Kraken security team then threatened CertiK employees and demanded repayment of a mismatched amount of cryptocurrency within an unreasonable time frame, without providing a repayment address.
Kraken Chief Security Officer: Funds withdrawn due to previous vulnerabilities have been returned
Nick Percoco, chief security officer of the Kraken exchange, posted an update on the social platform saying it could now be confirmed that the funds withdrawn through the earlier vulnerability had been returned (minus a small amount lost to fees).
CertiK: All funds held have been returned, but the total amount is different from Kraken’s request
CertiK published a series of questions and answers about the CertiK-Kraken white hat incident on the X platform. CertiK stated that no real Kraken users' assets were directly involved in its research activities. In its communications with Kraken (via email and video conferencing), CertiK had consistently assured Kraken that the funds would be returned. All funds it held have now been returned, but the total differs from the amount Kraken requested; CertiK made the refund based on its own records.
CertiK disclosed the vulnerability details to Kraken, and the issue was fixed within 47 minutes. After the test, CertiK promptly notified Kraken through multiple channels and sent a detailed report. CertiK is not a participant in Kraken's bounty program and has not made any bounty request; its stated focus was on ensuring the issue was resolved.
Additionally, CertiK disclosed the full timeline and deposit addresses.
Kraken Treats CertiK White Hat Hacker's "Stealing" of Millions of Dollars in Crypto Assets as a "Criminal Case"
Nick Percoco, Kraken's chief security officer, said the trading platform views the recent loss of nearly $3 million as a "criminal case" and is coordinating with law enforcement to recover the funds. According to Percoco, the unnamed researchers stole millions of dollars in cryptocurrency from Kraken by withdrawing funds that had been credited to their accounts before the corresponding deposits had actually completed.
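Both CertiK's description (a deposit system that does not distinguish internal transfer statuses) and Kraken's description (withdrawals of funds credited before the deposit completed) point at the same bug class: a pending, unfinalised deposit being counted as spendable balance. The model below is an added, constructed illustration of that class and of the defensive checks that close it; it is not Kraken's or CertiK's code, and the state names, amounts and the `reconcile` check are assumptions made for the example.

```python
"""Constructed model of the deposit-state bug class: an exchange ledger that
lets a PENDING (unfinalised) deposit count toward withdrawable balance, shown
beside the hardened version that credits only CONFIRMED deposits.
Added illustration, not Kraken's or CertiK's code. Amounts are integers in the
asset's smallest unit (a constructed convention)."""
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"      # observed internally or on-chain, finality not reached
    CONFIRMED = "confirmed"  # final: the funds really arrived
    FAILED = "failed"        # reverted, reorged out, or never completed


@dataclass
class Deposit:
    dep_id: str
    account: str
    amount: int
    state: DepositState = DepositState.PENDING


class Ledger:
    """Hardened ledger: only CONFIRMED deposits are spendable."""
    SPENDABLE = frozenset({DepositState.CONFIRMED})

    def __init__(self):
        self.deposits = {}   # dep_id -> Deposit
        self.withdrawn = {}  # account -> total withdrawn
        self.alerts = []     # rejected-withdrawal alerts for the SOC

    def record_deposit(self, dep):
        self.deposits[dep.dep_id] = dep

    def set_state(self, dep_id, state):
        self.deposits[dep_id].state = state

    def spendable_balance(self, account):
        credited = sum(d.amount for d in self.deposits.values()
                       if d.account == account and d.state in self.SPENDABLE)
        return credited - self.withdrawn.get(account, 0)

    def pending_total(self, account):
        return sum(d.amount for d in self.deposits.values()
                   if d.account == account and d.state is DepositState.PENDING)

    def withdraw(self, account, amount):
        """Debit only against spendable balance; a shortfall raises an alert."""
        available = self.spendable_balance(account)
        if amount <= 0 or amount > available:
            self.alerts.append(f"REJECT withdraw {amount} for {account}: "
                               f"spendable={available} pending={self.pending_total(account)}")
            return False
        self.withdrawn[account] = self.withdrawn.get(account, 0) + amount
        return True

    def settled_balance(self, account):
        """Ground truth once states settle: confirmed deposits minus withdrawals."""
        credited = sum(d.amount for d in self.deposits.values()
                       if d.account == account and d.state is DepositState.CONFIRMED)
        return credited - self.withdrawn.get(account, 0)


class VulnerableLedger(Ledger):
    """The defect: a PENDING deposit is treated exactly like a CONFIRMED one."""
    SPENDABLE = frozenset({DepositState.PENDING, DepositState.CONFIRMED})


def reconcile(ledger):
    """Detection: accounts with a negative settled balance were allowed to
    withdraw more than ever actually arrived."""
    accounts = {d.account for d in ledger.deposits.values()}
    return sorted(a for a in accounts if ledger.settled_balance(a) < 0)


def run_failed_deposit_scenario(ledger_cls):
    """A deposit is seen, a withdrawal is attempted, then the deposit never finalises."""
    ledger = ledger_cls()
    ledger.record_deposit(Deposit("dep-1", "acct-A", 1_000_000))  # constructed sample
    withdrew = ledger.withdraw("acct-A", 1_000_000)
    ledger.set_state("dep-1", DepositState.FAILED)                 # deposit never completes
    return withdrew, ledger.settled_balance("acct-A"), reconcile(ledger), len(ledger.alerts)


def run_confirmed_scenario(ledger_cls):
    """Happy path: the deposit confirms first, so the hardened ledger also pays out."""
    ledger = ledger_cls()
    ledger.record_deposit(Deposit("dep-2", "acct-B", 500_000))
    ledger.set_state("dep-2", DepositState.CONFIRMED)
    withdrew = ledger.withdraw("acct-B", 500_000)
    return withdrew, ledger.settled_balance("acct-B"), reconcile(ledger)


if __name__ == "__main__":
    print("vulnerable:", run_failed_deposit_scenario(VulnerableLedger))
    print("hardened:  ", run_failed_deposit_scenario(Ledger))
    print("confirmed: ", run_confirmed_scenario(Ledger))
```

The model is single-threaded. In a real system the balance check and the debit in `withdraw` must run inside one database transaction (or under a row lock on the account) so that a deposit state change or a second withdrawal cannot interleave between them, and a periodic `reconcile`-style job comparing settled balances against withdrawals is the detection that the article says did not fire.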
CertiK previously tested OKX and Coinbase for the same security vulnerability
In response to the dispute between Kraken and CertiK over the vulnerability report, on-chain investigator @0xBoboShanti claimed that an address previously published by a CertiK security researcher was already being probed and tested as early as May 27, which conflicts with CertiK's stated timeline of events. Further, the test address was funded by a Tornado transaction from CertiK, and the wallet had recently been interacting with the same contract, a finding that ties the incident to the original security researchers. The investigator further noted that the CertiK report for the transaction revealed Kraken's deposit address 0xa172342297f6e6d6e7fe5df752cbde0aa655e61c (MATIC). On the Ethereum network, this same address is used for withdrawal operations. The specific withdrawal addresses include 0x3c6a231b1ffe2ac29ad9c7e392c8302955a97bb3, 0xdc6af6b6fd88075d55ff3c4f2984630c0ea776bc and 0xc603d23fcb3c1a7d1f27861aa5091ffa56d3a599. These withdrawal addresses withdrew large amounts of funds, then dumped the USDT and used ChangeNOW to perform multiple maximum-value swaps.
It is suspected that this contract (0x45…CeA9), deployed on Base, was also used to run the same test against OKX and Coinbase to determine whether those two exchanges had the same vulnerability as Kraken.
CertiK and Kraken incident: What is the appropriate standard for white hat hackers?
Judging from the background information, the reward amounts in Kraken's bug bounty program are indeed considerable.
The reward for the highest severity level, which an incident like this one would fall under, is between 1 million and 1.5 million US dollars. Compared with the 3 million US dollars claimed by Kraken, the difference is not small.
This has also led to public controversy over the incident. Some people said in the comments, "I don't think the hacker should return it." Others replied, "Do you want to take the one million bounty, or go to jail for three million in illegal gains?"
This controversial incident also revealed the hidden risks in the white hat hacking industry.
When security companies that are supposed to protect customers from attacks on vulnerabilities instead proactively attack those customers, the customers' security is in vain. This is undoubtedly a big problem that the cryptocurrency industry needs to pay attention to.
The conduct of white hat hackers must be legal and compliant, and must meet appropriate standards, in order to avoid legal and ethical disputes.