CertiK admits Kraken’s $3m exploit, raises eyebrows for sending crypto to Tornado Cash
Blockchain security firm CertiK confirmed it was behind a bug exploit that resulted in an unauthorized withdrawal of $3 million worth of tokens from Kraken.
New York-headquartered blockchain security firm CertiK has admitted to being behind a bug exploit that resulted in an unauthorized withdrawal of $3 million worth of tokens from the Kraken crypto exchange.
In a Jun. 19 thread on X, CertiK revealed that it had identified a series of “critical vulnerabilities” in Kraken’s exchange that could “potentially lead to hundreds of millions of dollars in losses.”
According to CertiK, the issue was first identified on Jun. 5, and Kraken failed multiple tests, indicating that the exchange’s defense-in-depth system was “compromised on multiple fronts.” The firm particularly noted that it managed to bypass the exchange’s withdrawal risk controls without triggering any alerts.
“A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.”
CertiK
Upon discovering the flaws, CertiK claims it informed Kraken, whose security team classified the issue as “critical.” However, after the exploit was identified and fixed, CertiK alleges that Kraken’s security operations team “threatened” individual CertiK employees, demanding repayment of a “mismatched amount of crypto in an unreasonable time even without providing repayment addresses.”
CertiK urged Kraken to “cease any threats against whitehat hackers,” asserting its commitment to the web3 community “in the spirit of transparency.” However, the incident has sparked controversy and skepticism within the blockchain community as blockchain researchers have highlighted discrepancies in CertiK’s timeline and claims.
As noted Cyvers chief technology officer Meir Dolev on his X account, an address associated with CertiK began suspicious activity across multiple blockchain networks weeks before the Kraken incident was first reported, raising questions about the timeline provided by CertiK.
In a follow-up post under CertiK’s thread, Coinbase director Conor Grogan pointed out that addresses associated with CertiK sent part of the withdrawn crypto to Tornado Cash, a mixing service sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for facilitating approximately $7 billion in crypto laundering since 2019.
Reports also allege that CertiK-associated addresses sent parts of the withdrawn crypto to ChangeNOW, a non-custodial crypto exchange. As of press time, CertiK has made no public statements on why it interacted with Tornado Cash and ChangeNOW, though it claims to have returned all the withdrawn tokens to Kraken.