Kraken Calls Security Research Firm’s Demands ‘Criminal’; Certik Slams Threats Against Its Employees
Kraken has accused an unnamed security research firm of stealing $3 million from its treasury and attempting to extort more money. Nick Percoco said the so-called white hat hackers failed to fully disclose the bug transaction details and have not made arrangements to return the stolen funds.

White Hat Hackers Refuse to Abide by Rules
The U.S. cryptocurrency exchange Kraken has accused an unnamed security research firm of illegally siphoning $3 million from its treasury and attempting to extort more money. Nick Percoco, Kraken’s chief security officer, revealed in a post on X (formerly Twitter) that these actions by the white hat hackers deviate from normal practice.
Kraken said in the ten years it has run a bug bounty program it has never encountered security researchers who refused to follow its rules. According to Percoco, participants in the program are required to promptly return any extracted funds when identifying bugs. Additionally, they must provide a proof of concept and avoid excessive exploitation of the bug.
White Hat Hackers Accused of Lacking Professionalism
However, according to Percoco, the white hat hackers failed to fully disclose the bug transaction details and have not made arrangements to return the stolen funds. Instead of returning the money, the research firm has accused Kraken of being “unreasonable” and “unprofessional.”
“As a security researcher, your license to ‘hack’ a company is enabled by following the simple rules of the bug bounty program you are participating in. Ignoring those rules and extorting the company revokes your ‘license to hack.’ It makes you, and your company, criminals,” Percoco stated.
He added that while Kraken has contacted law enforcement agencies, the bug bounty program continues to serve as a vital shield for the crypto exchange. Percoco, however, did not disclose the name of the research firm, saying it does not deserve recognition for its actions.
Certik Slams Kraken’s Threats
Meanwhile, a few hours after Kraken made its extortion claims, the blockchain security firm Certik revealed that it was the security research firm involved. However, Certik accused Kraken of threatening its employees by demanding the return of a “mismatched amount of crypto” within an unreasonable timeframe.
Notably, Kraken allegedly made this demand without providing repayment addresses, the security firm claimed. Certik emphasized that Kraken should cease issuing threats and pledged to transfer the mismatched crypto to an account accessible by the crypto exchange.
“Since Kraken has not provided repayment addresses and the requested amount was mismatched, we are transferring the funds based on our records to an account that Kraken will be able to access,” Certik said.
In later updates, Certik appeared to respond to concerns raised about the number of tests it conducted by asking why Kraken’s vaunted defense system failed to detect so many test transactions. Certik claimed that the continuous large withdrawals from different testing accounts were, in fact, part of its testing.