
Kraken Reclaims $3 Million from CertiK in Bug Bounty Dispute

Van Thanh Le

Jun 20 2024


$3 Million Kraken Bug Bounty Turns Into Extortion Nightmare

Kraken, a prominent US-based cryptocurrency exchange, uncovered a critical bug on June 9, 2024, that had allowed users to artificially inflate their account balances. The vulnerability was traced back to a user experience change made in January 2024, which prematurely credited accounts, enabling real-time trading before asset clearance. The issue was first reported by a security researcher and patched within hours, but not before $3 million was fraudulently withdrawn from Kraken’s reserves.

The exploit allowed attackers to deposit and receive funds without completing the full deposit process, effectively "printing money" within their Kraken accounts. The security researcher who identified the flaw demonstrated it with a $4 transaction, then shared the exploit with two associates, leading to the significant theft. Although one of the involved accounts had completed KYC verification, the identities of the other parties remain undisclosed.

Nick Percoco, Kraken’s Chief Security Officer, stated that the researchers demanded a reward for their discovery and subsequent actions, which Kraken interpreted as extortion. The researchers withheld the stolen funds until Kraken provided an estimate of potential losses had the bug not been reported. Kraken is treating the incident as a criminal case and is working with law enforcement agencies to address the situation.

CertiK, a blockchain security firm, has been accused of extortion by Kraken after exploiting a bug in the exchange's system. CertiK claimed their actions were part of a white-hat hack, conducted to assess the scope of the vulnerability. 

Kraken, however, claimed CertiK leveraged the bug multiple times, resulting in a nearly $3 million loss. The dispute centers around the return of funds, with CertiK arguing they were given insufficient time and that Kraken's demanded amount was mismatched. Kraken considers the incident a criminal case and is working with law enforcement to recover the funds. 

Taylor Monahan, former CEO of MyCrypto, expressed concerns about CertiK's reputation and potential internal turmoil following Kraken's legal action. Monahan highlighted the possibility of CertiK facing legal repercussions, reputational damage, and internal culture disruption. She also pointed out that CertiK's past audits of projects that have been exploited have fueled speculation about potential inside jobs.

Later, Kraken successfully recovered nearly $3 million in digital assets stolen during a bug bounty program with CertiK, bringing an end to the saga. The recovery, minus transaction fees, was confirmed by Kraken's Chief Security Officer, Nicholas Percoco, in a June 20 X post.

This incident is part of a growing trend of crypto hacks and exploits, with $542.7 million stolen in digital assets in the first quarter of 2024, a 42% increase from the same period in 2023. While private key leaks remain the leading cause, smart contract-related losses have significantly decreased. Kraken continues to enhance its bug bounty program, emphasizing the importance of ethical behavior in security research and aiming to recover the stolen assets while preventing future incidents.

In other news, Kraken Ventures is launching a $100 million second fund, focused 80% on equity and 20% on tokens. This follows a predicted rebound in cryptocurrency and Web3 startup valuations after recent declines. The fund is expected to launch later this year and will focus on ventures with the largest potential, leveraging strategic partnerships to drive growth and innovation. 


As the cryptocurrency industry grapples with escalating security threats, the Kraken exploit serves as a stark reminder of the importance of rigorous testing, responsible disclosure practices, and fostering a culture of ethical collaboration between security researchers and companies to safeguard digital assets and maintain user trust.


1: How did the Kraken bug enable the $3 million theft? 

It allowed users to receive funds without completing the full deposit process, artificially inflating account balances. The flaw was introduced in a January 2024 user experience change.

2: Who was behind the Kraken exploit? 

A security researcher discovered the bug, demonstrated it with a $4 transaction, and shared it with two associates who then stole the $3 million.

3: What was Kraken's response to the exploit? 

Kraken interpreted the researchers' demand for a reward as extortion, treated it as a criminal case, and is working with law enforcement while enhancing its bug bounty program.

4: What is CertiK's role in the Kraken incident? 

CertiK, a blockchain security firm, claims it discovered the vulnerability first and alleges Kraken delayed responding to their disclosure and later accused CertiK of theft.

This article has been refined and enhanced by ChatGPT.
