Connect with us
Active Currencies 14907
Market Cap $2,506,409,202,721.20
Bitcoin Share 51.21%
24h Market Cap Change $0.38

Kraken exchange’s $3 million theft leaves CertiK feeling ‘threatened’ – Why?

2min Read

CertiK expresses disapproval as Kraken tries to manage the after-effects of the discovery.

Kraken exchange's $3 million theft leaves CertiK feeling 'threatened' - Why?

Share this article

  • Kraken’s bug led to a $3 million theft, sparking controversy over security practices.
  • CertiK criticized Kraken’s repayment demands post-vulnerability, adding to the exchange’s uncertainties.

In an unexpected turn of events, Kraken, a leading cryptocurrency exchange, revealed on the 19th of June that it had been dealing with a bug allowing users to generate free money in their accounts for months.

The issue came to light after a security researcher alerted Kraken of an “extremely critical bug” in their system.

Kraken exchange scrambles?

This bug led to the withdrawal of at least $3 million in digital assets, making headlines. Commenting on the situation, Nicholas Percoco, Kraken’s chief security officer, took to X (formerly Twitter) and noted,

Nick Percoco

Source: Nick Percoco/X

Despite this incident, the firm asserted that “no client’s assets were ever at risk”.  Percoco further explained that users could credit funds to their Kraken accounts by initiating deposits without actually completing the deposit process. He said, 

“A malicious attacker could effectively print assets in their Kraken account for a period of time.” 

The “security researcher” used the bug to credit their account with $4 in cryptocurrency, which would have been enough to report the flaw and claim a reward.

But instead of reporting the flaw, the researcher shared it with two associates, who withdrew nearly $3 million from Kraken.

Addressing user worries around the issue, Kraken claimed, 

“This was from Kraken’s treasuries, not other client assets.” 

Unexpected response from the researchers

Needless to say, when Kraken asked the researchers to return the money and provide details, which is a standard practice for bug bounty programs, they refused to cooperate.

To this, Percoco responded, 

Nick Percoco

Source: Nick Percoco/X

Expressing his frustration on the same, Kraken’s CSO said, 

“We are being accused of being unreasonable and unprofessional for requesting that ‘white-hat hackers’ return what they stole from us. Unbelievable.” 

Nick Percoco

Source: Nick Percoco/X

CertiK: The security researcher

However, things actually escalated when blockchain security firm CertiK went public, identifying itself as the “security researcher”. They said, 

“After initial successful conversions on identifying and fixing the vulnerability, Kraken’s security operation team has THREATENED individual CertiK employees to repay a MISMATCHED amount of crypto in an UNREASONABLE time even WITHOUT providing repayment addresses.” 

This was met with initial criticism, as highlighted by Lefteris Karapetsas, Founder of Rotkiapp, who said, 

Lefteris Karapetsas

Source: Lefteris Karapetsas/X

But with CertiK’s track record in vulnerability identification, outcomes for the exchange remains uncertain.  


Ishika is a graduate of Political Science from the University of Delhi. From writing content as a hobby to now pursuing it as a professional career, she has been living and breathing content all her life. Her interests lie in making sure articles are very digestible to a common reader, despite all its technicalities and jargons.
Read the best crypto stories of the day in less than 5 minutes
Subscribe to get it daily in your inbox.
Please check the format of your first name and/or email address.

Thank you for subscribing to Unhashed.