The cybersecurity firm made a suspiciously large number of transactions to “test” a vulnerability in the crypto exchange.
Crypto exchange Kraken’s Chief Security Officer Nick Percoco revealed today that a blockchain cybersecurity company recently found a vulnerability in its platform and proceeded to drain and keep $3 million worth of crypto from the exchange.
Certik has confirmed that it is the cybersecurity firm in question and is pushing back, saying that Kraken is now threatening its employees.
According to Percoco, a Bug Bounty report filed on June 9 showed how malicious actors could initiate a deposit onto Kraken’s platform and receive funds in their account without fully completing the deposit – enabling an attacker to “effectively print” assets on the exchange.
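The defect described above belongs to a familiar class: a ledger that makes funds spendable when a deposit is initiated rather than when it is confirmed. The following simulation is an added illustration, not Kraken's code or anything from the bug bounty report; the `VulnerableLedger` and `HardenedLedger` classes, the `run_scenario` helper and the account names and amounts are all constructed for this example. The vulnerable ledger credits the spendable balance at initiation and never reverses it, so a deposit that is never completed can still be withdrawn; the hardened ledger keeps pending and available balances apart, credits only on confirmation, and treats a replayed confirmation as a no-op.

```python
"""Constructed deposit-ledger simulation (illustrative only, not Kraken's code)."""
from dataclasses import dataclass
from enum import Enum


class DepositState(Enum):
    PENDING = "pending"
    CONFIRMED = "confirmed"
    FAILED = "failed"


@dataclass
class Deposit:
    deposit_id: str
    account: str
    amount: int  # smallest unit of the asset (constructed values below)
    state: DepositState = DepositState.PENDING


class VulnerableLedger:
    """Credits the spendable balance at initiation, before the deposit completes."""

    def __init__(self):
        self.balances: dict[str, int] = {}
        self.deposits: dict[str, Deposit] = {}

    def initiate_deposit(self, deposit_id: str, account: str, amount: int) -> Deposit:
        deposit = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = deposit
        # DEFECT: the account becomes spendable here while the deposit is still pending.
        self.balances[account] = self.balances.get(account, 0) + amount
        return deposit

    def finalize_deposit(self, deposit_id: str, succeeded: bool) -> None:
        deposit = self.deposits[deposit_id]
        deposit.state = DepositState.CONFIRMED if succeeded else DepositState.FAILED
        # Nothing reverses the credit when the deposit fails or is never completed.

    def withdraw(self, account: str, amount: int) -> bool:
        if self.balances.get(account, 0) < amount:
            return False
        self.balances[account] -= amount
        return True


class HardenedLedger:
    """Keeps pending and available balances separate; credits only on confirmation."""

    def __init__(self):
        self.available: dict[str, int] = {}
        self.pending: dict[str, int] = {}
        self.deposits: dict[str, Deposit] = {}

    def initiate_deposit(self, deposit_id: str, account: str, amount: int) -> Deposit:
        if deposit_id in self.deposits:
            raise ValueError("duplicate deposit id")
        if amount <= 0:
            raise ValueError("amount must be positive")
        deposit = Deposit(deposit_id, account, amount)
        self.deposits[deposit_id] = deposit
        # Pending funds are tracked for display and reconciliation only; never spendable.
        self.pending[account] = self.pending.get(account, 0) + amount
        return deposit

    def finalize_deposit(self, deposit_id: str, succeeded: bool) -> None:
        deposit = self.deposits[deposit_id]
        if deposit.state is not DepositState.PENDING:
            return  # idempotent: a replayed confirmation must not credit twice
        self.pending[deposit.account] -= deposit.amount
        if succeeded:
            deposit.state = DepositState.CONFIRMED
            self.available[deposit.account] = (
                self.available.get(deposit.account, 0) + deposit.amount
            )
        else:
            deposit.state = DepositState.FAILED

    def withdraw(self, account: str, amount: int) -> bool:
        if self.available.get(account, 0) < amount:
            return False
        self.available[account] -= amount
        return True


def run_scenario(ledger_cls):
    """Initiate a deposit, try to withdraw before it completes, then confirm it twice.

    Returns (withdrew_while_pending, withdrew_after_confirmation).
    """
    ledger = ledger_cls()
    ledger.initiate_deposit("dep-1", "acct-a", 400)  # constructed id, account, amount
    withdrew_while_pending = ledger.withdraw("acct-a", 400)
    ledger.finalize_deposit("dep-1", succeeded=True)
    ledger.finalize_deposit("dep-1", succeeded=True)  # replayed confirmation
    return withdrew_while_pending, ledger.withdraw("acct-a", 400)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableLedger))  # (True, False)
    print("hardened:  ", run_scenario(HardenedLedger))    # (False, True)
```

For detection, the same separation gives an auditable invariant: the sum of confirmed deposits minus withdrawals must equal the available balance for every account, so a reconciliation job that finds withdrawals exceeding confirmed inflows flags exactly the behaviour the report describes.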
Kraken claims that people identified as security researchers managed to maliciously credit their account with $4, and then shared the vulnerability with two other individuals who proceeded to generate and withdraw $3 million from the exchange.
Percoco alleges that the security researchers have not agreed to return any of the funds until Kraken provides a “speculated $ amount” that the vulnerability could have caused in losses had it not been discovered.
“This is not whitehat hacking,” exclaimed Percoco, “this is extortion.”
Certik Defends Employees
Certik countered the claims, alleging that Kraken is now threatening their employees.
“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED an individual CertiK employee to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses,” wrote Certik on X.
Certik explained that the decision to go public is “in the spirit of transparency and our commitment to the Web3 community” and to protect all users’ security. The firm urged Kraken to stop any attacks against whitehat hackers.
Crypto Community Calls It Extortion
After Certik disclosed the large volume of test transactions it had run against Kraken, members of the crypto community cried foul.
“It is irresponsible for any security auditor to repeat tests like this so many times,” posted Michael Perklin, former CISO of Shapeshift. “I’d never hire a security company that did this. Extortion is a bad look.”
Lead Product Manager for MetaMask, Taylor Monahan, agreed and went a step further.
“HAHAHHA YOU F@#KING CLOWNS, there is absolutely NO universe where this is ‘whitehat security research,’” she wrote. According to Monahan, Kraken is being “incredibly patient” for not outright calling this what it very clearly is: “a multimillion-dollar theft with a side of extortion.”