Kraken, a prominent U.S. cryptocurrency exchange, has leveled accusations against an unnamed security research firm, alleging the theft of $3 million from its treasury and attempts at extortion. Meanwhile, Certik, the blockchain security firm involved, has responded with counterclaims, accusing Kraken of threatening its employees.
Kraken’s Allegations Against the Security Research Firm
Nick Percoco, Kraken’s chief security officer, revealed on social media that the security research firm in question violated the rules of Kraken’s bug bounty program. According to Percoco, participants in the program are required to promptly return any funds extracted while identifying bugs and provide proof of concept, among other guidelines. However, the accused researchers allegedly failed to disclose transaction details and did not initiate the return of the stolen funds.
Kraken further accused the firm of lacking professionalism and stated that their actions were criminal in nature, prompting the exchange to involve law enforcement agencies. However, Kraken did not disclose the name of the research firm, citing a lack of recognition for its actions.
Certik’s Response to Kraken’s Claims
In a subsequent development, Certik confirmed that it was the security research firm mentioned by Kraken. However, Certik pushed back against Kraken’s allegations, claiming that the exchange had threatened its employees by demanding the return of a “mismatched amount of crypto” within an unreasonable timeframe and without providing repayment addresses.
Certik pledged to transfer the funds based on its records to an account accessible by Kraken, emphasizing that it was following proper protocols despite the alleged mismatched amount. The security firm also questioned why Kraken’s defense system did not detect the numerous test transactions, explaining that these transactions were part of Certik’s testing process.
The Conflict Continues
The dispute between Kraken and Certik underscores the complexities and challenges within the cybersecurity and cryptocurrency domains. Both parties have presented contrasting narratives, with accusations of theft and extortion on one side and claims of threats and mishandling on the other. The resolution of this conflict remains uncertain as the companies continue to exchange allegations and responses.
