A critical security flaw in cryptocurrency exchange Kraken’s platform has sparked a bitter dispute with security firm CertiK. According to media reports, the incident involved a $3 million theft of digital assets and accusations of extortion.
Kraken identified a critical vulnerability that allowed users to artificially inflate their account balances without completing deposits. The flaw stemmed from a recent user interface change.
An anonymous security researcher, later revealed to be affiliated with CertiK, alerted Kraken about the bug. However, instead of following ethical hacking practices, the researcher exploited the flaw with two other accounts to steal $3 million.
Kraken emphasizes that no customer funds were affected and claims the researcher could have earned a reward by responsibly reporting the bug. Instead, the researcher demanded additional compensation and refused to return the stolen funds, prompting Kraken to accuse them of extortion.
CertiK claims to have discovered multiple vulnerabilities and disputes the extortion allegation. The firm says it returned all stolen funds, although discrepancies exist between the amounts reported by each side. CertiK also criticizes Kraken’s security controls for failing to detect the suspicious withdrawals.
CertiK reportedly sent the stolen funds through a crypto mixing service, raising questions about its motives and potential legal exposure from using a sanctioned tool.
The crypto community largely sided with Kraken, questioning CertiK’s actions and ethics.