Kraken’s Chief Security Officer, Nick Percoco, has announced that the crypto exchange successfully recovered funds stolen from its accounts through the exploitation of a bug. Percoco shared the news on June 20 via a post on X, confirming that the funds were retrieved, although he did not specify how the recovery was achieved. Previous reports had implicated security research firm Certik in the incident.
The security breach came to light when Certik identified a critical bug in Kraken’s account system that allowed exploiters to mint millions in digital assets. The Certik employees who discovered the vulnerability withdrew $3 million from Kraken and demanded a bug bounty for their findings.
The situation escalated when Kraken accused Certik of extortion rather than ethical hacking. Despite initial communications aimed at resolving the issue and securing the funds, Kraken claimed that Certik’s employees had not returned the stolen assets when asked to do so. Certik’s actions were framed as exploitative rather than protective, leading to a contentious standoff.
In response to Kraken’s allegations, Certik stated that it would return the stolen funds to a Kraken-accessible wallet, citing the lack of repayment addresses and discrepancies in the requested amounts as reasons for the delay. Certik’s statement emphasized its intention to rectify the situation by transferring the funds back to Kraken.
On Thursday, Kraken confirmed the recovery of the stolen funds, with a minor portion lost to transaction fees. Kraken reassured its users that no customer funds were compromised during the security breach.
This incident underscores the delicate balance between ethical hacking and potential exploitation in the cybersecurity realm, highlighting the need for clear protocols and trust between entities involved in vulnerability disclosures.