Kraken Recovers $3M from CertiK, Closes Bug Bounty Saga
3 min read
Kraken Recovers $3M from CertiK, Closes Bug Bounty Saga
Cryptocurrency exchange Kraken has successfully recovered almost $3 million worth of digital assets that went missing due to a security breach. This marks the conclusion of a dramatic episode involving Kraken and the blockchain security firm, CertiK, which began on June 9. Nicholas Percoco, Kraken’s Chief Security Officer (CSO), confirmed the return of the funds in a social media update on June 20, mentioning that a small portion was lost due to transaction fees.
The ordeal began on June 19 when Percoco announced that approximately $3 million had been illegitimately withdrawn from Kraken’s treasury by a “security researcher.” According to Percoco, the funds were taken after the researcher discovered and reported an existing bug. The situation escalated when Kraken alleged that the researcher was attempting to extort the company by refusing to return the stolen funds, demanding a reward and a discussion with Kraken’s business development team.
CertiK, a blockchain security firm, identified itself as the “security researcher” implicated in the incident. CertiK publicly stated on June 19 that it had notified Kraken of an exploit, which allowed it to extract millions from Kraken’s accounts. CertiK further accused Kraken of threatening its employees following the discovery of the bug, stating that Kraken’s security team demanded the return of an incorrect amount of crypto within an unreasonable timeframe, even without providing repayment addresses.
CertiK provided a detailed timeline of events, beginning with the identification of the bug on June 5 and culminating in claims that Kraken threatened a CertiK employee on June 18. In a communication with , CertiK disclosed its intention to transfer the funds to an account accessible by Kraken.
The big question lingering was why CertiK withdrew nearly $3 million. Percoco initially pointed out that a minor transfer of just $4 would have sufficed to demonstrate the bug and earn a reward from Kraken’s bounty program. CertiK took nearly $3 million, arguing that this substantial amount was necessary to thoroughly test Kraken’s security systems and protective measures. They revealed that despite multiple tests over several days and close to $3 million worth of transactions, no alerts were triggered, leaving them unable to determine the breach’s limit.
Adding to the controversy, CertiK stated it did not initially request a bounty; instead, Kraken brought up the bounty after CertiK reported the exploit. CertiK clarified that their primary focus was on ensuring the issue was fixed, not on receiving a reward.
CertiK assured that the funds used in the exploit were not actual user funds from Kraken. They were, in CertiK’s words, “minted out of air,” meaning no user assets were at risk during the testing period. This clarification was likely intended to alleviate concerns from Kraken users about the safety of their assets.
The return of the funds and the explanations provided by both parties bring a complex and contentious chapter to a close. It underscores the ongoing challenges within the cryptocurrency sector related to security, ethical hacking, and the limits of bug bounty programs. The incident serves as a critical case study for both crypto exchanges and security firms on how to handle vulnerabilities and disputes professionally and transparently.
Too much drama for just returning the funds. Let’s be clear: a $4 transfer would’ve done the job just fine. Suspicious .
Props to Kraken on their quick recovery and to CertiK for highlighting the vulnerability! What a collaboration!
Great to hear Kraken managed to recover the missing assets. Love the transparency and dedication shown! 💬✨
Why do these ‘security researchers’ always seem to think its okay to walk off with millions? Just report the bug and get rewarded fairly .
Three cheers for Kraken and CertiK! Fantastic job recovering the funds and maintaining trust. 🥳🔐
Kraken’s and CertiK’s handling of this incident is a perfect example of how NOT to manage security and ethical concerns in crypto .
The fact that CertiK had to extract nearly $3M to ‘test the security’ just seems ridiculously excessive. Not buying it .
So much drama and finger-pointing. Just shows how immature the whole crypto space still is .
A small portion lost to transaction fees? Thats not the takeaway here. The whole incident is a security fiasco .
Security issues happen but it’s how you handle them. Kraken showed true professionalism and resilience!
Impressed by how Kraken handled the breach. Kudos to CertiK too! Much respect for both teams.
What a rollercoaster ride! Happy to see a positive end to this chapter for Kraken and CertiK. 🎢👍
Great news! Kraken turning a potential nightmare into a big win for security protocols. 🙌💥
Incredible resilience shown by Kraken and CertiK in recovering the funds. Lessons learned for sure!
Big shoutout to Kraken and CertiK for swiftly resolving the issue and ensuring no user funds were at risk!
What a journey! Happy to see the funds safely back. Krakens handling of this situation is commendable!
Glad to see Kraken bouncing back from this challenge stronger than ever! Here’s to more secure exchanges. 🚀🔒
Props to Kraken for their transparency and teamwork with CertiK! Security first!
Relieved to hear everything’s sorted. Kraken has my full support!
Does anyone feel safe leaving their assets in Kraken after this debacle? Well, I sure dont .
CertiK’s explanation doesn’t sit right with me. Steal first, then ask questions later? Sounds like a terrible tactic 🤯.
The transparency from Kraken during this operation has been top-notch! Way to go team!
Reading this gives me confidence in the crypto exchange space. Kudos to Kraken and CertiK!
Reading this feels like watching a thriller! Glad it had a happy ending. Excellent work Kraken and CertiK!
Amazing news! Kraken recovered almost $3M. Huge shoutout to their CSO Nicholas Percoco and CertiK for their efforts!
CertiK claims they didn’t put user assets at risk, but honestly, this whole action feels super reckless and irresponsible .
So Kraken gets hacked, and then the ‘researcher’ tries to justify stealing a huge amount? This sounds shady as heck .
Krakens treasury gets compromised and all they lost is some transaction fees? That’s not the point. Where are the repercussions?
This entire ordeal sounds like a poorly written thriller novel. Transparency? Hah, more like confused blames 👎.
Excellent teamwork and quick resolution! Kraken and CertiK set a great example for the crypto world. 🌍💪
Kudos to Kraken and CertiK for resolving this issue. Great teamwork under pressure! 👏👏
Kraken threatening CertiK employees? This drama cannot get any more unprofessional. Grow up, people .
This whole incident is embarrassing for both Kraken and CertiK. Makes me lose trust in crypto security .