Kraken recovers nearly all the funds taken during the recent "white hat" attack
CertiK withdrew $3 million to demonstrate the vulnerability before reporting it to Kraken. Kraken patched the flaw shortly after CertiK's warning. CertiK returned the money after a procedural dispute.
Kraken has recovered the $3 million taken during a controversial "white hat" hack carried out by blockchain security firm CertiK. Nick Percoco, Kraken's chief security officer, confirmed that the money was returned, with only a small amount lost to transaction fees.
The incident highlighted unresolved questions about ethical hacking practice and the norms around vulnerability disclosure.
How did the Kraken white hat hack unfold?
According to CertiK's chronology of events, the saga began when CertiK identified a major vulnerability in Kraken's system that allowed a technically skilled user to artificially inflate their account balance.
Exploiting this flaw, CertiK withdrew $3 million from Kraken's treasury to demonstrate the severity of the vulnerability. Although CertiK reported the issue in June, its conduct after taking the funds drew heavy criticism from Kraken and the wider crypto community.
Kraken patched the vulnerability within hours of being notified and confirmed that no customer assets were affected. Percoco stressed that the hole was closed immediately and can no longer be exploited.
Despite the quick fix, the way CertiK handled the engagement, particularly the delay in returning the money, raised serious questions about whether it followed standard white hat bounty protocols.
CertiK's unusual "white hat" hacking drew criticism.
Kraken's complaint was that CertiK did not follow the procedures set out for white hat activity.
Typically, white hat hackers report a vulnerability without extracting large sums and return anything they did take immediately.
But CertiK withheld the $3 million until Kraken provided an estimate of the potential risk, an act Kraken considered unnecessary and uncooperative.
CertiK has defended its approach, saying the large withdrawal was needed to thoroughly test Kraken's security controls and alerting, which, according to CertiK, did not trigger an alarm even after heavy losses.
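The two technical points the article makes, a balance-inflation flaw that lets a user spend funds that were never really deposited, and an alerting layer that stayed silent while large sums left the treasury, are illustrated below with a hypothetical, simplified exchange ledger. This is an added example written for this page, not Kraken's or CertiK's code, and it assumes nothing about their actual systems: the event kinds, account names and amounts are constructed. The weak ledger credits a deposit as soon as it is seen; the corrected one credits only confirmed deposits; and an independent reconciliation check compares executed withdrawals against confirmed deposits so that a drained account raises an alert even if the ledger itself allowed the withdrawal.

```python
"""Hypothetical exchange ledger showing (a) the weak credit-on-pending design
versus the corrected credit-on-confirmed design and (b) an independent
reconciliation alert. Constructed example; not Kraken's or CertiK's code."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class LedgerEvent:
    seq: int
    account: str
    kind: str          # deposit_pending | deposit_confirmed | deposit_reverted | withdrawal
    amount: Decimal
    ref: str = ""      # deposit id that a confirm/revert refers to


def process(events, credit_on_pending):
    """Replay events through a minimal ledger.

    credit_on_pending=True reproduces the weak design: a deposit becomes
    spendable as soon as it is seen, before it is confirmed on-chain, so a
    later revert can leave the account negative after the funds are gone.
    credit_on_pending=False is the corrected design: only confirmed deposits
    are spendable, and a reverted pending deposit never touches the balance.

    Returns (available balance per account, rejected withdrawal seqs,
    journal of events that were actually applied).
    """
    available = {}
    rejected = []
    journal = []
    for ev in events:
        bal = available.setdefault(ev.account, Decimal(0))
        if ev.kind == "deposit_pending":
            if credit_on_pending:
                available[ev.account] = bal + ev.amount
        elif ev.kind == "deposit_confirmed":
            if not credit_on_pending:
                available[ev.account] = bal + ev.amount
        elif ev.kind == "deposit_reverted":
            if credit_on_pending:
                available[ev.account] = bal - ev.amount  # may go negative
        elif ev.kind == "withdrawal":
            if ev.amount > bal:
                rejected.append(ev.seq)
                continue
            available[ev.account] = bal - ev.amount
        journal.append(ev)
    return available, rejected, journal


def reconcile(journal):
    """Independent control that does not trust the ledger's balance field:
    compare cumulative executed withdrawals against cumulative confirmed
    deposits per account. Returns (alerts, total shortfall). Each alert is
    (seq, account, shortfall at that point)."""
    confirmed = {}
    withdrawn = {}
    alerts = []
    for ev in journal:
        if ev.kind == "deposit_confirmed":
            confirmed[ev.account] = confirmed.get(ev.account, Decimal(0)) + ev.amount
        elif ev.kind == "withdrawal":
            withdrawn[ev.account] = withdrawn.get(ev.account, Decimal(0)) + ev.amount
            shortfall = withdrawn[ev.account] - confirmed.get(ev.account, Decimal(0))
            if shortfall > 0:
                alerts.append((ev.seq, ev.account, shortfall))
    total = sum(
        (max(Decimal(0), withdrawn.get(a, Decimal(0)) - confirmed.get(a, Decimal(0)))
         for a in set(withdrawn) | set(confirmed)),
        Decimal(0),
    )
    return alerts, total


# Constructed sample: "attacker" deposits, withdraws before confirmation, then
# the deposit is reverted; "alice" is an ordinary confirmed deposit and withdrawal.
SAMPLE_EVENTS = [
    LedgerEvent(1, "attacker", "deposit_pending", Decimal("1000"), "tx1"),
    LedgerEvent(2, "attacker", "withdrawal", Decimal("900")),
    LedgerEvent(3, "attacker", "deposit_reverted", Decimal("1000"), "tx1"),
    LedgerEvent(4, "alice", "deposit_pending", Decimal("50"), "tx2"),
    LedgerEvent(5, "alice", "deposit_confirmed", Decimal("50"), "tx2"),
    LedgerEvent(6, "alice", "withdrawal", Decimal("20")),
]

if __name__ == "__main__":
    for weak in (True, False):
        balances, rejected, journal = process(SAMPLE_EVENTS, credit_on_pending=weak)
        alerts, total = reconcile(journal)
        print("weak" if weak else "hardened", balances, rejected, alerts, total)
```

With the weak ledger the attacker's withdrawal is accepted and the account ends at -900 after the revert; the reconciliation check flags that withdrawal at the moment it executes, which is the alarm the article says did not fire. With the hardened ledger the same withdrawal is rejected because nothing has been confirmed, and reconciliation stays silent.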
CertiK also repeatedly stated that it intended to return the funds, and accused Kraken's security team of threatening its employees with unreasonable repayment demands for mismatched amounts of cryptocurrency.
In the end the money was returned, albeit in different amounts of cryptocurrency than Kraken had specified.
Since Kraken did not provide a payment address and the requested amount did not match, we will transfer the funds to an account that Kraken can access based on our records.
— CertiK (@CertiK) June 19, 2024
CertiK said it did not seek any reward for its actions and was focused only on ensuring that the vulnerability was fixed.