Kraken recovers $3M from CertiK, ending contentious bug bounty incident

The security firm's actions raise questions about responsible disclosure practices in crypto.


Cryptocurrency exchange Kraken has reclaimed nearly $3 million from blockchain security firm CertiK, concluding a controversial bug bounty issue.

Kraken’s Chief Security Officer Nicholas Percoco confirmed the return of the funds, minus transaction fees. The incident began on June 9 when CertiK, identifying itself as a “security researcher,” withdrew the funds after discovering a vulnerability in Kraken’s system.

CertiK claimed it exploited the bug to test Kraken’s security limits, minting close to $3 million over multiple days without triggering alerts. The firm stated it never initially requested a bounty, contradicting Kraken’s assertion of extortion attempts.

Kraken’s CSO had initially reported the missing funds on June 19, accusing the then-unnamed researcher of malicious intent and refusing to return the assets. CertiK countered by alleging threats from Kraken’s security team to repay a mismatched amount within an unreasonable timeframe.

While both companies have provided detailed accounts of the incident, several questions remain unanswered on both sides.

The incident has also raised questions about responsible disclosure practices in the crypto security sector. CertiK’s actions, which included converting USDT to ETH and sending funds to ChangeNOW, a non-KYC exchange, have been scrutinized by industry experts.

This event has further damaged CertiK’s already controversial reputation in the crypto security community. The firm has faced criticism for previous security checks on projects that were later hacked, and its own social media account was compromised earlier this year.

Kraken, on the other hand, has been criticized by government entities such as the SEC for allegedly operating as an unregistered securities exchange. A hearing on Kraken’s motion to dismiss the SEC’s enforcement action is scheduled for today, June 20.
