Security Firm CertiK Exploits Kraken Bug for $3 Million

Blockchain security firm CertiK publicly identified itself as the "security researcher" accused by Kraken of stealing $3 million worth of digital assets.

Kraken recently lost about $3 million because of a bug exploit by a research team who first reported the bug. The exchange's Chief Security Officer, Nicholas Percoco, calls the team's demand for a reward extortion rather than ethical hacking. The security firm CertiK identified itself as the team involved and now claims Kraken threatened its employees. Meanwhile, Gabriel Shipton, the brother of WikiLeaks founder Julian Assange, recently denied claims by SlowMist and RescuETH that AssangeDAO was involved in a "soft rugging" scam.

Kraken Loses $3M to Bug Exploit

Kraken crypto exchange revealed that a research team exploited a recently discovered security bug to withdraw more than $3 million worth of digital assets from the exchange's treasury. The bug was first reported on Jun. 9 by an anonymous person claiming to be a security researcher. Despite alerting Kraken to the critical security flaw, the person and their team took advantage of the bug to siphon off the funds.

Nicholas Percoco, Kraken's Chief Security Officer, revealed that the researcher is now demanding a reward for the stolen funds and is refusing to return them unless Kraken agrees to pay a speculative figure for the damage the bug could have caused. Percoco labeled this behavior as extortion rather than ethical hacking.

Kraken confirmed that the stolen assets came directly from their treasury and assured its users that none of their funds were at risk. The exchange is working with law enforcement to recover the stolen funds.

One of the three accounts involved in the exploit had completed Know Your Customer (KYC) verification. The person initially demonstrated the bug with a $4 crypto transfer, which Kraken acknowledged would have been more than sufficient to claim a large reward from its bounty program. However, the disclosure was followed by the highly questionable withdrawal of almost $3 million.

Percoco is extremely disappointed over the situation and shared that Kraken's request for the return of the stolen funds was met with accusations of unprofessionalism.

Kraken and CertiK at Odds

Kraken did not have to guess who its extortionist was for too long as CertiK, a blockchain security firm, publicly identified itself as the "security researcher" accused by Kraken of stealing $3 million worth of digital assets. In a Jun. 19 post, CertiK revealed it informed Kraken of a security bug that allowed the removal of millions from the exchange's accounts.

Percoco previously accused the unnamed security team, now known to be CertiK, of extortion for refusing to return the funds until Kraken provided a speculative damage amount.

However, CertiK responded by claiming that Kraken's security team threatened individual employees, demanding that they repay an unreasonable amount of crypto without providing repayment addresses. The firm is now urging Kraken to stop its threats against white hat hackers.

CertiK also posted a timeline with some details about the events, starting with the identification of the exploit on Jun. 5 and concluding with Kraken's alleged threats on Jun. 18. CertiK stated that it plans to transfer the funds to an account Kraken can access.

So far, it seems like reactions from the crypto community mostly support Kraken. Many people believe that CertiK's actions did not align with typical white hat hacker behavior. Although CertiK has a history of identifying vulnerabilities in the Wormhole bridge on Aptos and the Telegram app, it is still uncertain whether Kraken will pursue legal action.

What is White Hat Hacking?

A white hat hacker is a person who uses their hacking skills to identify security vulnerabilities in hardware, software, or networks, but does so within the boundaries of the law. White hat hackers focus on legally permitted research, including open source software and systems they own or have authorization to investigate. As was the case with CertiK, they often participate in bug bounty programs that reward them for disclosing security flaws.

White hat hackers differ from black hat hackers, who exploit vulnerabilities for malicious purposes or sell them to the highest bidder. While white hat hackers fully disclose all vulnerabilities to the responsible parties, black hat hackers prioritize their own personal gain over ethical considerations.

Gray hat hackers occupy a moral gray area between white and black hat hackers. They often consider themselves to be acting for the greater good but operate more flexibly with regard to rules. For example, gray hat hackers might access systems without permission in order to fix vulnerabilities. While their actions may have positive outcomes, they do not adhere to legal and ethical standards the way white hat hackers do.

2024 Crypto Hacks Expected to Outperform 2023

Crypto hackers and exploiters are expected to have a more successful year in 2024 compared to 2023. In the first quarter of 2024 alone, hackers stole $542.7 million in digital assets, which was a 42% increase from the same period in the previous year.

A big shift in the nature of these exploits has also been observed. Now, private key leaks are emerging as the leading cause rather than smart contract-related vulnerabilities.

According to Merkle Science’s "2024 Crypto HackHub Report," the amount lost to smart contract vulnerabilities saw a very dramatic decrease of 92%, falling to $179 million in 2023 from $2.6 billion in 2022. More than 55% of the hacked digital assets in 2023 were due to private key leaks.

The cryptocurrency industry has dealt with about 785 reported hacks and exploits over the past 13 years, which resulted in nearly $19 billion in losses. This trend suggests that while certain vulnerabilities are being addressed, new types of exploits continue to pose risks.

AssangeDAO Denies Rug Pull Claims

CertiK's team is not the only one in trouble at the moment. Gabriel Shipton, brother of WikiLeaks founder Julian Assange, denied claims by blockchain security firms SlowMist and RescuETH that AssangeDAO was involved in a "soft rugging" scam.

The firms' April report revealed some suspicious transactions and exit scam behavior in the decentralized autonomous organization (DAO). Shipton clarified on Telegram that SlowMist confused AssangeDAO with the Wau Holland Foundation. He explained that AssangeDAO no longer holds the 16,593 ETH (worth about $53 million) that was raised in 2022, as the funds were spent on a "Clock" NFT by artist Pak. The proceeds from the sale were donated to the Wau Holland Foundation to support Julian Assange's defense.

Shipton also assured people that the German charity is using the funds as intended and is compliant with local laws. Blockchain data confirms that the Clock NFT was bought on Feb. 9, 2022, and that the proceeds were sent to the Censored: Clock deployer address and are held by AssangeDAO.

Despite this, some AssangeDAO members are still unhappy and claim the DAO lacks a proper token-based voting system. One anonymous JUSTICE token holder criticized the DAO for spending the entire $55 million without any community approval, which they argue completely violates the principles of a decentralized autonomous organization.

The controversy mainly stems from a report by SlowMist and RescuETH on Apr. 2, which warned investors of potential risks with AssangeDAO due to a suspicious 100 ETH transfer on Mar. 10, 2024. The firms linked this transfer to the Wau Holland Foundation, which raised concerns of a "soft rug pull."

AssangeDAO was created in early 2022 and aimed to pool funds to buy the Clock NFT and support Assange's legal defense. Despite the project's noble intentions, recent fund transfers have raised questions about the ultimate destination of the funds.

Some DAO members feel overruled by the multisignature wallet signers, who spent all the funds on the NFT without holding a formal vote. In the broader context, however, DAOs sometimes face disputes among their members. This situation is not an isolated incident either, as it mirrors other controversies in the DAO space, such as the HectorDAO hack and MangoDAO's internal conflicts.