CertiK Admits Kraken's $3m Exploit, Raises Eyebrows For Sending Crypto To Tornado Cash
Blockchain security firm CertiK confirmed it was behind a bug exploit that resulted in an unauthorized withdrawal of $3 million worth of tokens from Kraken.
New York-headquartered blockchain security firm CertiK has admitted to being behind a bug exploit that resulted in an unauthorized withdrawal of $3 million worth of tokens from the Kraken crypto exchange.
In a Jun. 19 thread on X, CertiK revealed that it had identified a series of “critical vulnerabilities” in Kraken’s exchange that could “potentially lead to hundreds of millions of dollars in losses.”
According to CertiK, the issue was first identified on Jun. 5, and Kraken failed multiple tests, indicating that the exchange’s defense-in-depth system was “compromised on multiple fronts.” The firm particularly noted that it managed to bypass the exchange’s withdrawal risk controls without triggering any alerts.
“A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos. Worse yet, no alerts were triggered during the multi-day testing period. Kraken only responded and locked the test accounts days after we officially reported the incident.”
CertiK
Upon discovering the flaws, CertiK claims it informed Kraken, whose security team classified the issue as “critical.” However, after the exploit was identified and fixed, CertiK alleges that Kraken’s security operations team “threatened” individual CertiK employees, demanding repayment of a “mismatched amount of crypto in an unreasonable time even without providing repayment addresses.”
CertiK urged Kraken to “cease any threats against whitehat hackers,” asserting its commitment to the web3 community “in the spirit of transparency.” However, the incident has sparked controversy and skepticism within the blockchain community as blockchain researchers have highlighted discrepancies in CertiK’s timeline and claims.
As Cyvers chief technology officer Meir Dolev noted on his X account, an address associated with CertiK began showing suspicious activity across multiple blockchain networks weeks before the Kraken incident was first reported, raising questions about the timeline provided by CertiK.
In a follow-up post under CertiK’s thread, Coinbase director Conor Grogan pointed out that addresses associated with CertiK sent part of the withdrawn crypto to Tornado Cash, a mixing service sanctioned by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) for facilitating approximately $7 billion in crypto laundering since 2019.
Reports also allege that CertiK-associated addresses sent parts of the withdrawn crypto to ChangeNOW, a non-custodial crypto exchange. As of press time, CertiK has made no public statements on why it interacted with Tornado Cash and ChangeNOW, though it claims to have returned all the withdrawn tokens to Kraken.