CertiK admits Kraken’s $3m exploit, raises eyebrows for sending crypto to Tornado Cash

Blockchain security firm CertiK confirmed it was behind a bug exploit that resulted in an unauthorized withdrawal of $3 million worth of tokens from Kraken.

New York-headquartered blockchain security firm CertiK has admitted to being behind a bug exploit that resulted in an unauthorized withdrawal of $3 million worth of tokens from the Kraken crypto exchange.

In a Jun. 19 thread on X, CertiK revealed that it had identified a series of “critical vulnerabilities” in Kraken’s exchange that could “potentially lead to hundreds of millions of dollars in losses.”

CertiK recently identified a series of critical vulnerabilities in @krakenfx exchange which could potentially lead to hundreds of millions of dollars in losses.

Starting from a finding in @krakenfx's deposit system where it may fail to differentiate between different internal… pic.twitter.com/JZkMXj2ZCD

— CertiK (@CertiK) June 19, 2024

According to CertiK, the issue was first identified on Jun. 5, and Kraken failed multiple tests, indicating that the exchange’s defense-in-depth system was “compromised on multiple fronts.” The firm particularly noted that it managed to bypass the exchange’s withdrawal risk controls without triggering any alerts.

“A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.”

CertiK

Upon discovering the flaws, CertiK claims it informed Kraken, whose security team classified the issue as “critical.” However, after the exploit was identified and fixed, CertiK alleges that Kraken’s security operations team “threatened” individual CertiK employees, demanding repayment of a “mismatched amount of crypto in an unreasonable time even without providing repayment addresses.”

CertiK urged Kraken to “cease any threats against whitehat hackers,” asserting its commitment to the web3 community “in the spirit of transparency.” However, the incident has sparked controversy and skepticism within the blockchain community as blockchain researchers have highlighted discrepancies in CertiK’s timeline and claims.

HAHAHHA YOU FUCKING CLOWNS

There is absolutely NO universe where this is "whitehat security research"

Kraken is being incredibly patient for not outright calling this what it very clearly is: a multimillion dollar theft with a side of extortion.

— Tay 💖 (@tayvano_) June 19, 2024

As noted Cyvers chief technology officer Meir Dolev on his X account, an address associated with CertiK began suspicious activity across multiple blockchain networks weeks before the Kraken incident was first reported, raising questions about the timeline provided by CertiK.

Following the @krakenfx Incident, similar activity started on base 26 days ago!! The same signature hash is also used on Polygon 14 days ago. So should we believe Cetik timeline that they found the vulnerability only on June 5th?@tayvano_ pic.twitter.com/cvAnVrTg67

— Meir Dolev (@Meir_Dv) June 19, 2024

In a follow-up post under CertiK’s thread, Coinbase director Conor Grogan pointed out that addresses associated with CertiK sent part of the withdrawn crypto to Tornado Cash, a mixing service sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for facilitating approximately $7 billion in crypto laundering since 2019.

Reports also allege that CertiK-associated addresses sent parts of the withdrawn crypto to ChangeNOW, a non-custodial crypto exchange. As of press time, CertiK has made no public statements on why it interacted with Tornado Cash and ChangeNOW, though it claims to have returned all the withdrawn tokens to Kraken.